Introduction to LDAP* Properties with ADSI Edit
There are two main reasons for turning to Microsoft’s ADSI Edit (Active Directory Service Interfaces Editor). In each case, Active Directory Users and Computers does not provide sufficient detail on the object’s properties.
- When you need to script user account attributes, what you want is the precise spelling of the LDAP* property. For example, Active Directory Users and Computers displays First Name, but you need to know that the underlying LDAP attribute is called givenName.
- You are troubleshooting a problem and TechNet gives you the solution, which is to amend an LDAP property. However, Active Directory Users and Computers does not display the attribute, so you launch ADSI Edit because it gives low level access to the object’s attributes.
* LDAP is the Lightweight Directory Access Protocol.
Topics for LDAP Properties with ADSI Edit
- Where do you get ADSI Edit?
- What do you need to run ADSI Edit?
- A classic job for ADSI Edit – LDAP Attributes of Users properties
- Excel Spreadsheets and Active Directory Users and Computers
- More examples of ADSI Edit
- Summary of ADSI Edit
Whenever you discover a useful utility such as ADSI Edit, always make a note of where it comes from. The best place to get ADSI Edit is from the support folder of the Windows Server 2003/8 CD. You can also find the executable in many of Microsoft’s Resource Kits. Failing all else you can download ADSI Edit here.
You need very little to get started with ADSI Edit. I love the MMC (Microsoft Management Console), so I just add ADSI Edit as an extra snap-in to my console. Here is a sure way to launch ADSI Edit: Start, Run, MMC; then File (menu), Add/Remove Snap-in, ADSI Edit.
Once ADSI Edit launches you need to decide on the Naming Context. For scripting, and for Active Directory Users and Computers properties, you normally select Domain. However, with TechNet pay close attention to whether you need the Configuration or Domain naming context. After a while I expect that you will add both contexts to the snap-in.
The situation is that you wish to bulk import users. Not only do you wish to create an account, but also you want that account to have numerous values pre-configured in the properties pages.
This is a classic job for multi-tasking. Open Active Directory Users and Computers in one window, and ADSI Edit in the other. When you put a value in one window, you can discover which field it appears in, in the other window. The reason for this experiment is that when you script users’ properties you need to know the LDAP name for each attribute or box in Active Directory Users and Computers.
Here are a few comparisons between ADUC Properties and ADSI Edit. Beware, there is no consistency: some are identical, some are near, whilst others bear no resemblance.
ADUC Properties – ADSI Edit Attributes
First Name – givenName
Last Name – sn
Office – physicalDeliveryOfficeName
City – L
Department – Department (See screen shot)
Display Name – DisplayName
Description – Description
ADSI Edit has the added bonus that you can display attributes that do not appear in the Active Directory Users and Computers interface. For example, badPwdCount or logonCount.
The diagram opposite is taken from Active Directory Users and Computers.
Observe how the Department property on the Organization tab is the same as the Department attribute in ADSI Edit. However, more often than not, the LDAP names differ from the property sheet names.
If ADSI Edit is unavailable, you could use CSVDE -f filename.csv to export the LDAP attributes. If you opened filename.csv in Excel then you could see all the LDAP attributes in the first row. The only problem with this technique is that it’s not always obvious which field in the spreadsheet corresponds to which field in Active Directory Users and Computers.
One useful technique is to add values in the boxes, then export using CSVDE, and finally open the file in Excel and search for the value.
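The marker-value technique above can be automated instead of searching in Excel. This is an added example, not code from the original page: the function name map_aduc_to_ldap, the sample export and the zz... marker values are all constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape of a "CSVDE -f filename.csv" export:
# header row of LDAP attribute names, then one test user whose ADUC boxes
# were filled with recognisable marker values (all values are made up).
SAMPLE_EXPORT = (
    "DN,objectClass,cn,sn,l,description,physicalDeliveryOfficeName,"
    "givenName,displayName,department,sAMAccountName\n"
    '"CN=zzFirst zzLast,OU=Staff,DC=example,DC=com",'
    "top;person;organizationalPerson;user,zzFirst zzLast,zzLast,zzCity,"
    "zzDescription,zzOffice,zzFirst,zzDisplay,zzDept,zztest\n"
)

# ADUC box label -> marker typed into that box (assumed test values).
MARKERS = {
    "First Name": "zzFirst",
    "Last Name": "zzLast",
    "Office": "zzOffice",
    "City": "zzCity",
    "Department": "zzDept",
    "Display Name": "zzDisplay",
    "Description": "zzDescription",
}


def map_aduc_to_ldap(export_text, markers):
    """Return {ADUC label: [LDAP attribute names holding that marker]}."""
    found = {label: set() for label in markers}
    for row in csv.DictReader(io.StringIO(export_text)):
        for attr, raw in row.items():
            # Skip the DN column, empty cells and overflow cells (key None).
            if attr is None or attr == "DN" or not raw:
                continue
            # CSVDE joins multi-valued attributes with ';'. Compare whole
            # values so "zzFirst" does not also match cn "zzFirst zzLast".
            values = raw.split(";")
            for label, marker in markers.items():
                if marker in values:
                    found[label].add(attr)
    return {label: sorted(attrs) for label, attrs in found.items()}


if __name__ == "__main__":
    for label, attrs in map_aduc_to_ldap(SAMPLE_EXPORT, MARKERS).items():
        print(f"{label:<14} -> {', '.join(attrs) or '(not found)'}")
```

To use it on a real export, read filename.csv into a string and pass it in place of SAMPLE_EXPORT; a label that maps to an empty list means the marker was not saved or the attribute was not exported.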
In Exchange, if you wish to change the way names are displayed in the global address book, then employ ADSI Edit to alter the user-Display, createDialog. This is a job for the Container naming context, not the Domain naming context. See more here on customizing the display name.
My point is that as soon as you start investigating ADSI Edit, you will suddenly discover more and more opportunities to apply the LDAP techniques in other situations.
Trust me, Microsoft’s ADSI Edit will become a utility that you turn to more and more. Not only is ADSI Edit useful for spelling the LDAP properties, but it will also help when you need to find, and then configure, hidden Active Directory properties. So, waste no time, get a copy of ADSI Edit and add it to your MMC console.