ADSI Edit (Active Directory Services Interface) is the best Windows 2003
Server tool for combining learning with troubleshooting. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active
Directory's properties and values. Incidentally, some call this Microsoft utility adsiedit.
In your Windows Active Directory career you will find dozens of occasions where the only cure to your problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is not my intention to cure a specific Windows Server 2003 problem; I merely chose the examples to give you a good grounding in the utility.
VBScript - Researching the LDAP properties of user objects.
If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName).
Active Directory Users and Computers - Display Names. The default display in both Exchange GAL and ADUC is First Name
then Last Name. Larger companies may wish to reverse the display because they find it easier to search on Last Name.
Replication - Active Directory theory talks of Topology, KCC, Domain replication and Forest replication. With ADSI Edit you can see these different containers and imagine how they could be replicated separately.
ADSI Edit (adsiedit) is one of Windows Server 2003's support tools. My advice is to install the whole support tools package from the Server CD: \support\tools\supptools.msi. Once the two program files, adsiedit.dll and adsiedit.msc, are installed, you also get a shortcut on the Start, Programs menu; however, I prefer to add ADSI Edit as a snap-in to my MMC.
Note: If you copy adsiedit.dll manually then you need to paste it into the 'path', for example C:\windows\adsiedit.dll.
Then you need to register the dll with: regsvr32 adsiedit. (If you install from supptools.msi there is no need for this extra step.)
Installing ADSI Edit - Windows Server 2008
Good news: with Windows Server 2008, or R2, ADSI Edit is installed automatically when you promote a domain controller. Alternatively, if you are running a member or stand-alone server you can install RSAT (Remote Server Administration Tools).
Once ADSI Edit launches, the secret is connecting to the correct naming context. If you are following a TechNet instruction then pay close attention to whether it says connect to the 'Domain' or connect to the 'Configuration' container. In the diagram opposite you will also see Schema and RootDSE; they are only rarely used for ADSI Editing. Sorry to harp on, but the classic beginner's mistake is connecting to the wrong Naming Context and, as a result, being unable to find the required objects and properties.
Once you have installed ADSI Edit, notice how the layout is similar to Active Directory Users and Computers, especially the Domain container. Also notice how the Configuration container is like the Windows Server 2003 Sites and Services snap-ins. The big difference is that with the ADSI Edit tool you see many more properties; moreover, each property has dozens of attributes. In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values.
Unlike command line tools such as DCDiag and NTDSUTIL, ADSI Edit has a GUI, which means it's easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.
This example has all the ingredients for learning about ADSI Edit, namely planning, attention to detail and a real life scenario where there is no other way of configuring the settings. Our objective is to change the display from: First Name, Last Name to: Last Name, First Name. From the outset, let us be clear which field we are changing.
Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name', and not the 'Display Name' or 'Description' column. (You could change those too, but that would be a separate project.) The above diagram shows the final result; let us see how we achieve this goal.
Launch ADSI Edit and make sure you start at the Configuration container.
Next it's CN=Configuration, CN=DisplaySpecifiers. CN=409 means English sort order (not Spanish or Arabic).
What we want is the user-Display Properties; the crucial attribute is createDialog (not description).
Now it took me four tries before I perfected the string value: %<sn>, %<givenName>
Here are my mistakes:
Learn from what I did wrong, or you will be destined to suffer my frustration:
%<sn>, % <givenName>. I exaggerated the gap, but please note that there should be no space between the % and the smaller than bracket <.
My most infuriating mistake was troubleshooting <givenname>. At first, I had no idea that Active Directory required the case sensitive <givenName>.
Learning Points
1) As ADSI Edit uses 'raw' mode there is no error checking; therefore, do remember what I said about paying attention to detail. My point is that ADSI Edit is not a tool for beginners in general, and gung-ho beginners in particular.
2) The good news is that if you go back to Active Directory Users and Computers and create another user, you will see immediately the effect of editing createDialog.
3) Do experiment with other settings, for example, user-display properties, description attribute.
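Because ADSI Edit does no error checking, the same createDialog edit can be scripted with a check in front of it that catches the two mistakes described above. This is an added example, not part of the original page; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and Test-CreateDialog and its list of expected attribute names are hypothetical.

```powershell
# Added example (not from the original page). Needs the ActiveDirectory module (RSAT).
# Test-CreateDialog and its attribute list are hypothetical helpers for this sketch.
function Test-CreateDialog {
    param(
        [Parameter(Mandatory)][string]$Value,
        # LDAP display names are compared case-sensitively, e.g. givenName
        [string[]]$KnownAttributes = @('sn', 'givenName', 'initials')
    )
    # Mistake 1 on the page: a space between % and <
    if ($Value -match '%\s+<') { "Space between '%' and '<'" }
    # Mistake 2 on the page: wrong case, e.g. <givenname>
    foreach ($m in [regex]::Matches($Value, '%\s*<([^>]*)>')) {
        $name = $m.Groups[1].Value
        if ($KnownAttributes -cnotcontains $name) {
            $hint = $KnownAttributes | Where-Object { $_ -ieq $name }
            if ($hint) {
                "<$name> has the wrong case, use <$hint>"
            } else {
                "<$name> is not in the expected attribute list"
            }
        }
    }
    if ($Value -notmatch '%<[^>]+>') { 'No %<attribute> token found' }
}

Import-Module ActiveDirectory
$new      = '%<sn>, %<givenName>'
$problems = @(Test-CreateDialog -Value $new)
if ($problems.Count -gt 0) { throw ($problems -join '; ') }

# The Configuration partition is forest-wide, so build the DN from RootDSE
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"

# Record the current value first; if it was empty, roll back with -Clear createDialog
$old = (Get-ADObject -Identity $dn -Properties createDialog).createDialog
Write-Output "Current createDialog on ${dn}: '$old'"

# -WhatIf only reports the change; remove it to write the new value
Set-ADObject -Identity $dn -Replace @{ createDialog = $new } -WhatIf
```

Passing '%<sn>, % <givenName>' or '%<sn>, %<givenname>' to Test-CreateDialog returns a description of the problem instead of letting the value reach the directory.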
If you are upset that existing users are not affected by
this change, then get a copy of ADModify and with a few clicks you can display the 'Name' column as LastName, Firstname.
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003 techie before they have explored the Domain and Configuration partitions with
ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking.