Contents for Ezine 93 - ADSI Edit
ADSI Edit is one of my favourite Windows 2003 utilities. I was pondering the philosophical question: Is a utility such as ADSI Edit naturally versatile
because of its brilliant design? Alternatively, does a utility become versatile because of our skill in finding lots of tasks and applications? For example, ADSI Edit can be used for configuring Exchange, learning
about the Schema as well as mastering LDAP properties.
My conclusion was that it's a bit of both. Some utilities have multiple capabilities, but it's up to us to get the most out of a tool such as ADSI Edit.
In my opinion, VBScript and Spreadsheets are also versatile utilities, whereas LDIFDE is limited to Active Directory.
This week I want to show you how ADSI Edit helps with scripting Active Directory in general and identifying LDAP properties in particular. Our goal is to investigate the correct LDAP names so that we can script values for the boxes that appear in the Active Directory Users and Computers property sheets. Here are some LDAP examples, but rather than teaching you the names parrot fashion, I want to persuade you to investigate for yourself.
Active Directory    LDAP
First name          givenName
Last name           sn
Display name        displayName
The point is this: when you are scripting a field, how do you know whether its LDAP name is Description or displayName? How do you know that it's called physicalDeliveryOfficeName and not Street or plain 'o'? The answer is deceptively simple: call for Active Directory Users and Computers. Enter a value in the property sheet box of your test user, then call for ADSI Edit to see which LDAP attribute corresponds to the value that you just set. It reminds me of my old Biology research, where we tagged a moth, let it go, then searched different habitats until we caught it again.
Without this technique, you have to rely on guesswork, or you have to research the internet. The trouble is that for scripting you need a specific name; for example, for office you need the LDAP name physicalDeliveryOfficeName. It's no good trying physicalOfficeLocation; you have to get the name right, and it is hard to research the name until you know what it is. Searching in Google for 'Office and LDAP' produces too broad a set of results.
The most difficult part of the whole procedure is getting a copy of ADSI Edit. This is one way of saying that once you have got the idea, this is an easy technique. In my opinion, ADSI Edit is intuitive and you need no instructions to find the LDAP properties.
However, if my opinion is wrong, this is what you do.
Break out the Windows Server 2003 CD (not XP, not ResKit).
Navigate to the Support folder.
Install all the Support Tools, including ADSI Edit.
Important. Once ADSI Edit launches, look out for: Select a well-known Naming Context: Choose Domain (Not Configuration or Schema).
to the OU or CN and find your test user. Right-click your leaf object (CN=TestUser) and select Properties. Now you will be overwhelmed with LDAP Attributes, but scroll down to find the values of
Trick. Tick the box that says Show only attributes that have values.
Trap. ADSI Edit gains live access to data in Active Directory. There is no read-only mode and no confirmation message such as 'Do you really want to change this value?'
Another technique to display the LDAP properties is to execute CSVDE in export mode, then examine the first row of the resulting CSV file. Alternatively, you can call for
ADSI Edit to investigate these same LDAP properties, which are vital for scripting changes to Active Directory users (or other objects).
Tip. If possible master the CSVDE -d switch to export one OU. Example CSVDE -d "OU=Newport,DC=cp,dc=com" -f Newport.csv.
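The CSVDE route can do the moth-tagging comparison without opening ADSI Edit's live editor: export the test user before and after filling in one box, then compare the header rows and values. The PowerShell below is an added example, not part of the original ezine; the function name Compare-CsvdeExport, the MothTag-Office marker and both sample exports are constructed for illustration.

```powershell
# Added example (not the author's code). Both exports below are constructed sample data.
# Real exports could be produced, read-only, with the page's CSVDE -d switch, e.g.
#   csvde -d "CN=TestUser,OU=Newport,DC=cp,DC=com" -f before.csv
# and then loaded with: Get-Content before.csv -Raw

# Attributes Active Directory updates on every write; they would only add noise.
$Housekeeping = 'whenChanged', 'uSNChanged'

function Compare-CsvdeExport {
    param(
        [Parameter(Mandatory)][string]$Before,  # CSV text exported before the edit
        [Parameter(Mandatory)][string]$After,   # CSV text exported after the edit
        [string[]]$Ignore = $Housekeeping
    )
    # Each export holds one object: a header row of LDAP names plus one data row.
    $old = @($Before | ConvertFrom-Csv)[0]
    $new = @($After  | ConvertFrom-Csv)[0]

    # A column may exist in only one export, so compare the union of both headers.
    $names = @($old.PSObject.Properties.Name) + @($new.PSObject.Properties.Name) |
        Sort-Object -Unique

    foreach ($name in $names) {
        if ($Ignore -contains $name) { continue }
        $was = [string]$old.$name   # a missing column becomes an empty string
        $now = [string]$new.$name
        if ($was -cne $now) {
            [pscustomobject]@{ Attribute = $name; Before = $was; After = $now }
        }
    }
}

$before = @'
DN,objectClass,cn,sn,givenName,displayName,whenChanged,uSNChanged
"CN=TestUser,OU=Newport,DC=cp,DC=com",user,TestUser,User,Test,Test User,20050101120000.0Z,12345
'@

$after = @'
DN,objectClass,cn,sn,givenName,displayName,physicalDeliveryOfficeName,whenChanged,uSNChanged
"CN=TestUser,OU=Newport,DC=cp,DC=com",user,TestUser,User,Test,Test User,MothTag-Office,20050101120500.0Z,12351
'@

# Lists the attribute(s) that changed when the Office box was filled in.
Compare-CsvdeExport -Before $before -After $after | Format-Table -AutoSize
```

Pass an empty list to -Ignore to see the housekeeping attributes that change alongside the one you edited.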
ADSI Edit is a brilliant and versatile utility. We have concentrated on its role in identifying LDAP fields for scripting; however, ADSI Edit is also used for configuring Exchange and for investigating the Schema. The crucial technique involves setting a value in Active Directory Users and Computers, then finding the correct LDAP name with ADSI Edit.
If you need a copy of ADSI Edit, just remember that it comes from the support folder on the Windows Server 2003 CD.