Get-QADUser -ProxyAddress needs the address type or a wildcard

The wonderful colleague who has succeeded me as the main ActiveRoles Server admin here at Awesome German Auto Parts Manufacturer ( ran into trouble last week while trying to find out which user had a proxy address that she was trying to assign. is not quite as unique as one might think, even in a country with loads of rather long family names, and when a holder of a leaves, there’s possibly another who would like to have it, and who outsiders are trying to reach at that address.

My successor cleverly noticed that Get-QADUser has a -ProxyAddress parameter, so she tried this on the stubborn address:

Get-QADUser -ProxyAddress ""


She tried it on her own address, as she was quite sure that one was in there.


Resourceful lady that she is, she started Googling.

Nothing beyond this old Dmitry Sotnikov post:

His example shows the address type (in this case, x400) prefix on the searched-for address, but doesn’t state that this is necessary for this parameter to work properly.

Because I’d hit my own wall on Lync emergency calling configuration, I experimentally tried:

Get-QADUser -ProxyAddress ""


Just to check, I tried it without whispering “smtp:”, and…


My colleague verified this, and then reminded me that there was this Exchange quota data-gathering script I’d promised to help with a few weeks ago…

Fun facts about the ProxyAddresses Active Directory attribute and Get-QADUser -ProxyAddress:

– ProxyAddresses is a multi-valued attribute, and -ProxyAddress will search each value in all the ProxyAddresses attributes of ActiveRoles-managed AD objects until it finds all matches.

– Wildcards (“*”) take longer (20 seconds here) than exact matches like “” (less than a second), but do work. Get-QADUser always returns user objects, and it will return the object only once per query, even if there are several matches within a user’s ProxyAddresses attribute. A wildcard in the middle of the search (“sip:*”) will also work, but takes AGES (2.5 minutes in my environment).

– Since the ProxyAddresses attribute also contains EUM (Exchange UM) and SIP addresses (Lync or other Unified Communications platform), Get-QADUser -ProxyAddress is also useful for finding the source of a collision there. The wildcard is particularly useful here: “*” will find all the objects that contain that address, regardless of type.

– It is case-insensitive. That means that it will match both “” (a secondary proxy address) and “” (the user’s current primary email address).

Get-QADUser -PrimaryProxyAddress is picky in exactly the same way: Get-QADUser -PrimaryProxyAddress "" didn’t work; Get-QADUser -PrimaryProxyAddress "" did. The performance differences between wildcard and exact match searches were in line with -ProxyAddress as well.

The following one-liner finds all the users with * proxy addresses, no matter what type, and makes a flat (String) MatchingAddresses attribute for the ones with more than one match (for example, and

Get-QADUser -ProxyAddress "*" | select name, @{n="MatchingAddresses";e={($_.proxyaddresses | where { $_ -like "*"}) -join ';' }}
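
An added example, not code from the original post: a leading-wildcard query also returns users whose address merely ends with the searched string, and the result does not say which value matched or whether that value is a primary address. The hypothetical helper Find-ProxyAddressHolder below splits each value at the first colon, compares the address part exactly but case-insensitively, and flags an upper-case type prefix as primary (the Exchange convention). The sample users are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not the post's code. Works on any object exposing Name and
# ProxyAddresses, so Get-QADUser output can be piped in unchanged.
function Find-ProxyAddressHolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Address,                 # bare address, without a type prefix
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        foreach ($value in @($User.ProxyAddresses)) {
            # Split "type:address" on the first colon only.
            $type, $addr = $value -split ':', 2
            if ($null -eq $addr) { continue }      # value without a type prefix
            if ($addr -ne $Address) { continue }   # -ne ignores case, like the cmdlet
            [pscustomobject]@{
                Name      = $User.Name
                Type      = $type.ToUpperInvariant()
                # Exchange convention: upper-case prefix marks the primary address of that type.
                IsPrimary = ($type -ceq $type.ToUpperInvariant())
                Value     = $value
            }
        }
    }
}

# Constructed sample objects standing in for directory results.
$sample = @(
    [pscustomobject]@{
        Name           = 'Anna Schmidt (constructed)'
        ProxyAddresses = @('SMTP:anna.schmidt@example.com', 'smtp:Schmidt@example.com')
    }
    [pscustomobject]@{
        Name           = 'Alex Schmidt (constructed)'
        ProxyAddresses = @('SMTP:alex.schmidt@example.com', 'sip:schmidt@example.com')
    }
    [pscustomobject]@{
        Name           = 'Tom Goldschmidt (constructed)'
        ProxyAddresses = @('SMTP:goldschmidt@example.com')   # suffix-only match, must be excluded
    }
)

$sample | Find-ProxyAddressHolder -Address 'schmidt@example.com' | Format-Table -AutoSize
```

Against a live directory, pipe the output of the wildcard Get-QADUser -ProxyAddress query into the function in place of $sample.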

