Best Practice Ezine #59 ADSI Edit


I never waste a chance to explore with ADSI Edit (Active Directory Services Interface).  Not only is ADSI Edit useful for undertaking TechNet solutions, but it also helps me learn about Active Directory.  The learning effect is rather like going into a large church: not only do you see the beauty of the windows, but you also absorb the atmosphere and ethos of the building.  So it is with ADSI Edit; as you troubleshoot a problem, you cannot fail to take in Active Directory’s overall structure as well as some of its thousands of attributes.


As someone who writes VBScripts, I find that ADSI Edit provides the correct LDAP names when I am scripting users’ properties.  Only last week the mailNickname attribute helped solve an Exchange problem.  For you, I have a challenge to experiment with a property called createDialog.  Before we start, a word of warning: some people call me Gung-ho Guy.  The good news about Gung-ho Guy is that you don’t get 7 pages of disclaimers before you start; instead my aim is to have fun and get you started.  The bad news about Gung-ho Guy is that I may lure you to try something you should not do on a production network.  For example, last week I was rightly taken to task for not emphasising that you should not start seizing FSMO roles with NTDSutil on a business network.

So here are a few words of warning: best of all, use a test network; if you must use a real network, undo your actions at the end of the experiment.  Let me describe the task.  You are a large organization, and when you view the ‘Name’ column in Active Directory Users and Computers, you see users ordered by First Name then Last Name.  The boss says he wants the order to be: Last Name, First Name.  Just to confirm, I am not talking about the column called Display, or the column called Description; we are going to experiment with the column called Name.  Research reveals that the key attribute is called createDialog.  Here is how to find that setting with ADSI Edit, and add a command to alter the sort order.


1) Install ADSI Edit from the \support\tools folder of the Windows Server 2003 CD.

2) Once ADSI Edit launches, select the Configuration partition (not the Domain).

3) Next it’s CN=Configuration, then CN=DisplaySpecifiers, then CN=409.  CN=409 means English sort order (not Spanish or Arabic).

4) What we want is CN=user-Display; open its Properties, and the crucial attribute is createDialog.

5) Ever heard of ‘slow down, I am in a hurry’?  Well, I rushed this next command and it took me four re-tries before I perfected the string value:
%<sn>, %<givenName>

The error that incensed me the most was when I tried givenname.  It was particularly galling as I had previously preached that LDAP was not case sensitive.  Wrong, Guy, you need precisely %<givenName>.

6) Go to Active Directory Users and Computers and create a test user.  If their name is displayed as Last Name, comma, First Name, then you have succeeded.  If not, re-read the instructions.  With ADSI Edit and LDAP, learn from my mistakes and pay attention to detail.

7) I am afraid there is one more horror story: editing createDialog does not affect existing users, only new ones.  So, I advise you to reverse the instructions and set it back to the default: First Name Last Name.  Of course there is a hidden message here: plan and test before you roll out a live domain.
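
The same procedure can be scripted so that the old value is recorded before anything is written and the change can be reversed exactly.  This is an added example, not part of the original ezine; it assumes the ActiveDirectory PowerShell module (RSAT), an account allowed to write to the Configuration partition, and a test forest.  The $Apply variable is a name made up for this example.

```powershell
# Added example (not from the original article): view, change and revert
# createDialog on the English (409) user-Display display specifier.
# Assumption: ActiveDirectory module is installed; run against a test forest.
Import-Module ActiveDirectory

# Hypothetical switch for this example: leave $false for a dry run (-WhatIf).
$Apply = $false

# Steps 2-4: Configuration partition -> DisplaySpecifiers -> 409 -> user-Display.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNC"

# Record the current value first, so step 7 (undo) restores it exactly.
$before = (Get-ADObject -Identity $dn -Properties createDialog).createDialog
if ($before) {
    "Current createDialog: $before"
} else {
    "createDialog is not set (names appear as First Name Last Name)"
}

# Step 5: the tokens are typed exactly as in the article: %<sn> and %<givenName>.
$newValue = '%<sn>, %<givenName>'
Set-ADObject -Identity $dn -Replace @{ createDialog = $newValue } -WhatIf:(-not $Apply)

# Step 6: create a test user in Active Directory Users and Computers and
# check the Name column before going any further.

# Step 7: put things back the way they were. Existing users are not touched
# by either the change or the undo; only newly created users are affected.
if ($before) {
    Set-ADObject -Identity $dn -Replace @{ createDialog = $before } -WhatIf:(-not $Apply)
} else {
    Set-ADObject -Identity $dn -Clear createDialog -WhatIf:(-not $Apply)
}
```

With $Apply left at $false the script only reports what it would change, which makes it a safe way to confirm the distinguished name and the current value before touching anything.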

Confession time.  A reader kindly sent in a script which WOULD change the Name display of all existing names, but I lost it.  So, if you know of such a script please send it in.  Talking of sending in ideas, please send me your favourite ADSI Edit ‘hacks’.  Meanwhile here are some more of mine.

  1. tombstoneLifetime – To be able to restore backups older than 60 days.
  2. Address Lists Container – Exchange 2003 setting to control security for the Anonymous User.
  3. msDS-Behavior-Version – Cures a problem with Raising Forest Level.

