Question

I have to modify the gPCMachineExtensionNames attribute string of a group policy in Active Directory with PowerShell. For this, I first want to read the existing string, modify it, and replace the old value with the modified one.

The attribute is defined in the policy container under: CN={POLICY GUID}, CN=Policies, CN=System, DC=[DOMAIN], DC=[COM]

When I browse the attribute with ADSI Edit, the value of the gPCMachineExtensionNames is correctly shown as [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]

I try to pick out the value with an LDAP query:

'(objectClass=groupPolicyContainer)' 
([adsisearcher]'(objectCategory=groupPolicyContainer)').FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        abc = $_.Properties.gPCMachineExtensionNames -join ''
    }
}

But the result is empty. I can only query other attributes like name, cn, USNCreated, displayname, ... They are displayed correctly. Why is it not possible to return the value of the attribute gPCMachineExtensionNames?

Can I make another LDAP query, or is there another method to query or modify the attribute on Windows Server 2008 R2?

Thanks for your support!


Solution

Check the case of the name:

$allGPOs = ([adsisearcher]'(objectCategory=groupPolicyContainer)').FindAll()

# this returns nothing
$allGPOs | % { $_.Properties.gPCmachineExtensionNames }

# this returns what you expect
$allGPOs | % { $_.Properties.gpcmachineextensionnames }

$allGPOs | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        abc = $_.Properties.gpcmachineextensionnames -join ''
    }
}

I'm making an assumption here that as $allGPOs.GetType() is SearchResultCollection, and $allGPOs[0].Properties.GetType() is SearchResultCollection, they behave slightly differently from "regular" name/value pairs.
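An added example, not part of the original question or answer: it reads the attribute by lower-casing the requested name before the lookup, then splits the value into its GUID groups so each GPO's machine extensions can be reviewed. The function names are hypothetical, and the parser assumes the documented layout in which each bracketed group starts with the client-side extension GUID followed by its tool extension GUIDs.

```powershell
# Added example; function names are hypothetical, not from the original post.
function Get-SearchResultValue {
    param(
        [Parameter(Mandatory=$true)] [System.DirectoryServices.SearchResult] $Result,
        [Parameter(Mandatory=$true)] [string] $Name
    )
    # SearchResult.Properties keys are lower-cased attribute names, so normalise
    # the caller's spelling instead of relying on dot notation.
    $key = $Name.ToLowerInvariant()
    if ($Result.Properties.Contains($key)) {
        return (@($Result.Properties[$key]) -join '')
    }
    return $null   # attribute not set on this object
}

function ConvertFrom-GpcExtensionNames {
    param([string] $Value)
    # Assumed layout: [{CSE GUID}{tool extension GUID}...][{CSE GUID}...]
    foreach ($group in [regex]::Matches($Value, '\[([^\]]*)\]')) {
        $guids = @([regex]::Matches($group.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
                   ForEach-Object { $_.Value })
        if ($guids.Count -eq 0) { continue }   # skip empty or malformed groups
        New-Object -TypeName PSObject -Property @{
            ClientSideExtension = $guids[0]
            ToolExtensions      = @($guids | Select-Object -Skip 1)
        }
    }
}

function Get-GpoMachineExtensions {
    # Requires a domain-joined session; lists every GPO with its parsed extensions.
    $searcher = [adsisearcher]'(objectCategory=groupPolicyContainer)'
    $searcher.FindAll() | ForEach-Object {
        $raw = Get-SearchResultValue -Result $_ -Name 'gPCMachineExtensionNames'
        New-Object -TypeName PSObject -Property @{
            DisplayName = Get-SearchResultValue -Result $_ -Name 'displayName'
            Raw         = $raw
            Extensions  = @(ConvertFrom-GpcExtensionNames -Value $raw)
        }
    }
}

# Constructed sample input: the value quoted in the question. Runs offline.
$sample = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
ConvertFrom-GpcExtensionNames -Value $sample
```

Call Get-GpoMachineExtensions on a domain member to get the same breakdown for every policy container; the syntax stays within what PowerShell 2.0 on Windows Server 2008 R2 supports.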

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow