LDAP is a language that enables Active Directory to find, create and manipulate objects. ADSI Edit lets you examine a user’s properties and display all of the LDAP properties. Once you know the property names, you can bulk import users from a spreadsheet using a rich selection of LDAP attributes. The trick is getting the correct fields in the first row, or header, of your import file.
Example of ADSI
My tactic is to find a user in ADSI Edit, for example Guy Thomas, and then match the user’s properties in Active Directory Users and Computers with the LDAP attributes.
For more detail, right-click a user and select Properties.
The mandatory objects are worth noting.
You may wish to drill down one more layer. Here is a view of the LDAP attributes for the important DN = distinguishedName. If it were necessary you could use ADSI Edit to actually make changes to the LDAP names.
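To check the header row of an import file against LDAP attribute names before importing, here is an added example (not part of the original article). It assumes a comma-separated file whose first row holds attribute names, that DN, objectClass and sAMAccountName are the mandatory columns for a user import, and example.com as a placeholder domain; the label table is a small subset.

```python
import csv
import io

# Active Directory Users and Computers dialog label -> LDAP attribute name.
LABEL_TO_LDAP = {
    "first name": "givenName",
    "last name": "sn",
    "display name": "displayName",
    "office": "physicalDeliveryOfficeName",
    "e-mail": "mail",
    "job title": "title",
    "user logon name": "userPrincipalName",
}
# Other attribute names this check accepts (extend to suit your schema).
EXTRA = ["DN", "distinguishedName", "objectClass", "sAMAccountName",
         "description", "telephoneNumber", "department", "company"]
KNOWN = {n.lower() for n in list(LABEL_TO_LDAP.values()) + EXTRA}
# Assumed mandatory columns; the DN column may also be named distinguishedName.
REQUIRED = [("DN", "distinguishedName"), ("objectClass",), ("sAMAccountName",)]


def check_import(csv_text):
    """Return a list of problems found in the header row and data rows."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = [c.strip() for c in rows[0]]
    keys = [c.lower() for c in header]  # LDAP attribute names are case-insensitive
    problems = []
    for name, key in zip(header, keys):
        if key in LABEL_TO_LDAP:
            problems.append(f"header '{name}' is a dialog label, use '{LABEL_TO_LDAP[key]}'")
        elif key not in KNOWN:
            problems.append(f"header '{name}' is not a recognised LDAP attribute")
    for names in REQUIRED:
        if not any(n.lower() in keys for n in names):
            problems.append(f"missing mandatory column '{names[0]}'")
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            # Typical cause: a DN containing commas that was not quoted.
            problems.append(f"row {lineno} has {len(row)} fields, header has {len(header)}")
    return problems


# Constructed sample files, not real directory data.
GOOD = ('DN,objectClass,sAMAccountName,givenName,sn\n'
        '"CN=Guy Thomas,OU=Staff,DC=example,DC=com",user,gthomas,Guy,Thomas\n')
BAD = ('DN,objectClass,First name,Surname\n'
       'CN=Guy Thomas,OU=Staff,DC=example,DC=com,user,Guy,Thomas\n')

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_import(text) or "ok")
```

The unquoted DN in the second sample shows why each distinguished name must be wrapped in double quotes: its commas otherwise shift every later value into the wrong column.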
Whenever you discover a useful utility such as ADSI Edit, always make a note of where it comes from. The best place to get ADSI Edit is from the support folder of the Windows Server 2003/8 CD. You can also find the executable in many of Microsoft’s Resource Kits. Failing all else, you can download ADSI Edit.
You need very little to get started with ADSI Edit. I love the MMC (Microsoft Management Console), so I just add ADSI Edit as an extra snap-in to my console. Here is a sure way to launch ADSI Edit: click Start, Run and type MMC; then, from the File menu, choose Add/Remove Snap-in and select ADSI Edit.
Once ADSI Edit launches, you need to decide on the Naming Context. For scripting, and for Active Directory Users and Computers properties, you normally select Domain. However, when following TechNet instructions, pay close attention to whether you need the Configuration or the Domain naming context. After a while I expect that you will add both contexts to the snap-in.