Guy’s Scripting Ezine 93 – ADSI Edit

This Week’s Secret

ADSI Edit is one of my favourite Windows 2003 utilities.  I was pondering the philosophical question: Is a utility such as ADSI Edit naturally versatile because of its brilliant design?  Alternatively, does a utility become versatile because of our skill in finding lots of tasks and applications?  For example, ADSI Edit can be used for configuring Exchange, learning about the Schema as well as mastering LDAP properties.

My conclusion was that it’s a bit of both.  Some utilities have multiple capabilities, but it’s up to us to get the most out of a tool such as ADSI Edit.  In my opinion, VBScript and Spreadsheets are also versatile utilities, whereas LDIFDE is limited to Active Directory.

Employing ADSI Edit to Identify LDAP Properties

This week I want to show you how ADSI Edit helps with scripting Active Directory in general and identifying LDAP properties in particular.  Our goal is to investigate the correct LDAP names so that we can script values for the boxes that appear in the Active Directory Users and Computers property sheets.  Here are some LDAP examples, but rather than teaching you the names parrot fashion, I want to persuade you to investigate for yourself.

Active Directory Property Sheet    LDAP Attribute

First name                         givenName
Last name                          sn
Display name                       displayName
Description                        description
Office                             physicalDeliveryOfficeName

Crucial Technique

The point is this: when you are scripting a field, how do you know whether its LDAP name is Description or displayName?  How do you know that it’s called physicalDeliveryOfficeName and not Street or plain ‘o’?  The answer is deceptively simple: call for Active Directory Users and Computers and enter a value in the property sheet box of your test user.  Then call for ADSI Edit to see which LDAP attribute corresponds to the value that you just set.  It reminds me of my old Biology research, where we tagged a moth, let it go, then searched different habitats until we caught it again.

Without this technique, you have to rely on guesswork, or you have to research the internet.  The trouble is that for scripting you need a specific name; for example, for office you need the LDAP name physicalDeliveryOfficeName.  It’s no good trying physicalOfficeLocation; you have to get the name exactly right, and it is hard to research the name until you know what it is.  Searching in Google for ‘Office and LDAP’ produces too broad a set of results.

Instructions for Getting Started with ADSI Edit

The most difficult part of the whole procedure is getting a copy of ADSI Edit.  This is one way of saying that once you have got the idea, this is an easy technique.  In my opinion, ADSI Edit is intuitive and you need no instructions to find the LDAP properties.  However, if my opinion is wrong, this is what you do.

  1. Break out the Windows Server 2003 CD (Not XP, not ResKit)

  2. Navigate to the Support Folder and install all the Support Tools, including ADSI Edit.

  3. Important. Once ADSI Edit launches, look out for: Select a well-known Naming Context:  Choose Domain (Not Configuration or Schema).

  4. Drill down to the OU or CN and find your test user.  Right-click your leaf object (CN=TestUser) and select Properties.  Now you will be overwhelmed with LDAP Attributes, but scroll down to find the values of interest.

Trick. Tick the box that says Show only attributes that have values.

Trap. ADSI Edit gains live access to data in Active Directory.  There is no read only mode and no confirmation message such as ‘Do you really want to change this value?’

Another technique to display the LDAP properties is to execute CSVDE in export mode, then examine the first row of the resulting CSV file.  Alternatively, you can call for ADSI Edit to investigate these same LDAP properties, which are vital for scripting changes to Active Directory users (or other objects).

Tip. If possible, master the CSVDE -d switch to export one OU. Example: CSVDE -d "OU=Newport,DC=cp,dc=com" -f Newport.csv.
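
The tag-and-recapture technique from the Crucial Technique section, applied to CSVDE exports rather than ADSI Edit, so the lookup never touches a tool that can write to the directory. This is an added example, not part of the original ezine: the sample exports, the marker MOTH-93, the function names, and the ';' separator for multi-valued attributes are all assumptions made for illustration.

```python
import csv
import io

# Constructed CSVDE-style exports of one test user, taken before and after
# typing the marker MOTH-93 into the Office box. Row 1 holds the LDAP names.
BEFORE = '''DN,cn,sn,givenName,displayName,description,whenChanged
"CN=TestUser,OU=Newport,DC=cp,DC=com",TestUser,User,Test,Test User,Test account,20050101090000.0Z
'''
AFTER = '''DN,cn,sn,givenName,displayName,description,whenChanged,physicalDeliveryOfficeName
"CN=TestUser,OU=Newport,DC=cp,DC=com",TestUser,User,Test,Test User,Test account,20050101091500.0Z,MOTH-93
'''
TEST_DN = "CN=TestUser,OU=Newport,DC=cp,DC=com"


def load_export(text):
    """Map each DN to a dict of its attributes that have values."""
    objects = {}
    for row in csv.DictReader(io.StringIO(text)):
        dn = row.pop("DN")
        objects[dn] = {k: v for k, v in row.items() if k and v}
    return objects


def find_marker(text, marker):
    """Return (DN, attribute) pairs whose value is exactly the marker."""
    hits = []
    for dn, attrs in load_export(text).items():
        for name, value in attrs.items():
            # Assumption: multi-valued attributes are joined with ';'.
            if marker in value.split(";"):
                hits.append((dn, name))
    return hits


def changed_attributes(before, after, dn):
    """Names of attributes on one object that differ between two exports."""
    old = load_export(before).get(dn, {})
    new = load_export(after).get(dn, {})
    return sorted(n for n in set(old) | set(new) if old.get(n) != new.get(n))


if __name__ == "__main__":
    # The marker search pinpoints the attribute behind the Office box.
    print(find_marker(AFTER, "MOTH-93"))
    # The diff also surfaces metadata such as whenChanged, so a unique
    # marker value is the more precise of the two checks.
    print(changed_attributes(BEFORE, AFTER, TEST_DN))
```
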

Summary of ADSI Edit

ADSI Edit is a brilliant and versatile utility.  We have concentrated on its role in identifying LDAP fields for scripting; however, ADSI Edit is also used for configuring Exchange and for investigating the Schema.  The crucial technique involves setting a value in Active Directory Users and Computers, then finding the correct LDAP name with ADSI Edit.

If you need a copy of ADSI Edit, just remember that it comes from the support folder on the Windows Server 2003 CD.
