Windows Server 2003 – ADSI Edit
ADSI Edit (Active Directory Services Interface) is the best Windows 2003 Server tool for combining learning with troubleshooting. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active Directory’s properties and values. Incidentally, some call this Microsoft utility adsiedit.
In your Windows Active Directory career you will find dozens of occasions where the only cure to your problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is not my intention to cure a specific Windows Server 2003 problem; I merely chose the examples to give you a good grounding in the utility.
Tutorial Topics for ADSI Edit
- Scenarios for ADSI Edit
- Installing ADSI Edit
- Getting Started – Launch ADSI Edit
- ADSI Edit Examples – To change the Display Name
- Download ADSI Edit
- Summary of ADSI Edit
Scenarios for ADSI Edit
- VBScript – Researching the LDAP properties of user objects. If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName).
- Active Directory Users and Computers – Display Names. The default display in both Exchange GAL and ADUC is First Name then Last Name. Larger companies may wish to reverse the display because they find it easier to search on Last Name.
- Security – Editing security permissions for objects that have no other interface. For example, Exchange 2003 Anonymous access to the Address Lists.
- Restoring old Backups – Learning how to extend the useful life of a backup tape by increasing the tombstoneLifetime attribute.
- TechNet – Following through on TechNet’s suggested solutions. For example, Raise Forest Level with msDS-Behavior-Version.
- Replication – Active Directory theory talks of Topology, KCC, Domain replication and Forest replication. With ADSI Edit you can see these different containers and imagine how they could be replicated separately.
Installing ADSI Edit – Windows Server 2003
ADSI Edit (adsiedit) is one of Windows Server 2003’s support tools. My advice is to install the whole support tools package from the Server CD: \support\tools\supptools.msi. Once the two program files adsiedit.dll and adsiedit.msc are installed, you also get a shortcut on the Start, Programs menu; however, I prefer to add ADSI Edit as a snap-in to my MMC.
Alternatively, you can download ADSI Edit here
Note: If you copy adsiedit.dll manually then you need to paste it into the ‘path’, for example C:\windows\adsiedit.dll. Then you need to register the dll with:
regsvr32 adsiedit.dll (If you install from supptools.msi there is no need for this extra step.)
Installing ADSI Edit – Windows Server 2008
Good news: with Windows Server 2008, or R2, ADSI Edit is installed automatically when you promote a domain controller. Alternatively, if you are running a member or stand-alone server you can install RSAT (Remote Server Administration Tools).
Getting Started – Launch ADSI Edit
Once ADSI Edit launches, the secret is connecting to the correct naming context. If you are following a TechNet instruction then pay close attention to whether it says connect to the ‘Domain’ or connect to the ‘Configuration’ container. In the diagram opposite you will also see Schema and RootDSE; they are only rarely used for ADSI Editing. Sorry to harp on, but the classic beginner’s mistake is connecting to the wrong Naming Context and, as a result, being unable to find the required objects and properties.
Once you have installed ADSI Edit, notice how the layout is similar to Active Directory Users and Computers, especially the Domain container. Also notice how the Configuration container is like the Windows Server 2003 Sites and Services snap-ins. The big difference is that with the ADSI Edit tool you see many more properties; moreover, each property has dozens of attributes. In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values.
Unlike command line tools such as DCDiag and NTDSUTIL, ADSI Edit has a GUI, which means it’s easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.
ADSI Edit Example – To Change the Display Name
This example has all the ingredients for learning about ADSI Edit, namely: planning, attention to detail and a real life scenario where there is no other way of configuring the settings. Our objective is to change the display from: First Name, Last Name to: Last Name, First Name. From the outset, let us be clear which field we are changing.
Our mission is to change the first field in Active Directory Users and Computers, the column called ‘Name’, and not the ‘Display Name’ or ‘Description’ column. (You could change those too, but that would be a separate project.) The above diagram shows the final result; let us see how we achieve this goal.
- Launch ADSI Edit and make sure you start at the Configuration container.
- Next it’s CN=Configuration, DisplaySpecifiers. CN=409 means English sort order (not Spanish or Arabic).
- What we want is the user-Display properties; the crucial attribute is createDialog (not description).
- Now it took me four tries before I perfected the string value:
Here are my mistakes:
Learn from what I did wrong, or you will be destined to suffer my frustration:
%<sn>, % <givenName>. I exaggerated the gap, but please note that there should be no space between the % and the smaller than bracket <. My most infuriating mistake was troubleshooting <givenname>. At first, I had no idea that Active Directory required the case sensitive <givenName>.
1) As ADSI Edit uses ‘raw’ mode there is no error checking; therefore, do remember what I said about paying attention to detail. My point is that ADSI Edit is not a tool for beginners in general, and gung-ho beginners in particular.
2) The good news is that if you go back to Active Directory Users and Computers and create another user, you will see immediately the effect of editing createDialog.
3) Do experiment with other settings, for example, user-display properties, description attribute.
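Because ADSI Edit performs no error checking, and the Configuration partition replicates to every domain controller in the forest, it helps to validate the createDialog string and record the old value before writing. The PowerShell sketch below is an added example, not code from the original page: the function names, the two-name allow-list and the sample strings are assumptions made for illustration, and the corrected string is the one implied by the two mistakes described above.

```powershell
# Added example, not the author's code. Assumption: only the two LDAP names
# used on this page (sn, givenName) are accepted as tokens.
$AllowedTokens = @('sn', 'givenName')

function Test-CreateDialogString {
    param([Parameter(Mandatory = $true)][string]$Value)
    $problems = @()
    # Mistake 1 on this page: whitespace between % and <
    if ($Value -match '%\s+<') { $problems += 'space between % and <' }
    # Mistake 2 on this page: attribute names are case sensitive
    foreach ($m in [regex]::Matches($Value, '%\s*<([^>]*)>')) {
        $name = $m.Groups[1].Value
        if ($AllowedTokens -cnotcontains $name) {
            $problems += "unknown or wrongly cased attribute <$name>"
        }
    }
    if ($Value -notmatch '%\s*<') { $problems += 'no %<attribute> token found' }
    return ,$problems
}

function Set-UserCreateDialog {
    param(
        [Parameter(Mandatory = $true)][string]$Value,
        [string]$Locale = '409',   # CN=409 as in the steps above
        [switch]$Apply             # without -Apply nothing is written
    )
    $problems = Test-CreateDialogString -Value $Value
    if ($problems.Count -gt 0) { throw "Refusing to write: $($problems -join '; ')" }

    # Ask RootDSE for the Configuration naming context rather than typing it
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn = "CN=user-Display,CN=$Locale,CN=DisplaySpecifiers,$configNC"
    $entry = [ADSI]"LDAP://$dn"

    # Record the previous value so the edit can be reversed
    $old = $entry.Properties['createDialog'].Value
    "{0}`n  old: [{1}]`n  new: [{2}]" -f $dn, $old, $Value

    if ($Apply) {
        $entry.Put('createDialog', $Value)
        $entry.SetInfo()
    }
}

# Constructed inputs: the two mistakes described above, then the corrected form
'%<sn>, % <givenName>', '%<sn>, %<givenname>', '%<sn>, %<givenName>' | ForEach-Object {
    $p = Test-CreateDialogString -Value $_
    if ($p.Count -gt 0) { "REJECT  $_  ($($p -join '; '))" } else { "OK      $_" }
}
```

The validation loop at the bottom runs on any machine; Set-UserCreateDialog needs a domain-joined session with rights on the Configuration partition.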
Would you like more examples of ADSI Edit? See here
If you are upset that existing users are not affected by this change, then get a copy of ADModify and with a few clicks you can display the ‘Name’ column as LastName, Firstname.
Summary of ADSI Edit
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003 techie before they have explored the Domain and Configuration partitions with ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI Edit is not Microsoft’s most difficult tool, you have to be careful as there is no error checking.