Home
Windows Server 2003 – ADSI Edit

Windows Server 2003 – ADSI Edit

August 23, 2010 No Comments Utilities, w2k3

Windows Server 2003 – ADSI Edit

ADSI Edit (Active Directory Services Interface) is the best Windows 2003 Server tool for combining learning with troubleshooting.  The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active Directory’s properties and values.  Incidentally, some call this Microsoft utility adsiedit.

In your Windows Active Directory career you will find dozens of occasions where the only cure to your problem is editing the Domain or Configuration partition with ADSI Edit.  On this page, it is not my intention to cure a specific Windows Server 2003 problem, I merely chose the examples to give you a good grounding in the utility.

Tutorial Topics for ADSI Edit

  ‡

Examples of ADSI Edit

  1. VBScript – Researching the LDAP properties of user objects.  If you have to bulk import users into Active Directory, then you need to know the LDAP names corresponding to Last Name (sn) and First Name (givenName).

  2. Active Directory Users and Computers – Display Names.  The default display in both Exchange GAL and ADUC is First Name then Last Name.  Larger companies may wish to reverse the display because they find it easier to search on Last Name.

  3. Security – Editing security permissions for object that have no other interface. For example, Exchange 2003 Anonymous access to the Address Lists.

  4. Restoring old Backups – Learning how to extend the useful life of a backup tape by increasing the tombstoneLifetime attribute.

  5. TechNet – Following through on TechNet’s suggested solutions.  For example, Raise Forest Level with msDS-Behavior-Version.

  6. Replication – Active Directory theory talks of Topology, KCC, Domain replication and Forest replication, with ADSI Edit you can see these different containers and imagine how they could be replicated separately.

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

Installing ADSI Edit – Windows Server 2003

ADSI Edit (adsidedit) is one of Windows Server 2003’s support tools.  My advice is to install the whole support tools package from the Server CD:  \support\tools\supptools.msi.  Once the two programs files adsiedit.dll and adsiedit.msc are installed, you also get a shortcut on the Start, Programs menu, however I prefer to add ADSI Edit as a snap-in to my MMC.ADSI Edit Domain and Configuration partitions

Alternatively,you can download ADSIEdit here

Note:  If you copy adsiedit.dll manually then you need to paste into the ‘path’ for example C: \windows\adsiedit.dll.  Then you need to register the dll with:
regsvr32 adsiedit.  (If you install from supptools.msi there is no need for this extra step)

Installing ADSI Edit – Windows Server 2008

Good news, with Windows Server 2008, or R2, ADSI Edit is installed automatically when you promote a domain controller.  Alternatively, if you are running a member or stand-alone server you can intall RSAT (Remote Server Administraton Tools).

Getting Started – Launch the ADSI Edit Tool

Once ADSI Edit launches, the secret is connecting to the correct naming context.  If you are following a TechNet instruction then pay close attention to whether it says connect to the ‘Domain’ or connect to the ‘Configuration’ container.  In the diagram opposite you will also see Schema and RootDSE, they are only rarely used for ADSI Editing.  Sorry to harp on, but the classic beginners mistake is connecting to the wrong Naming Context and as a result, being unable to find the required objects and properties.

Once you have installed ADSI Edit notice how the layout is similar to Active Directory Users and Computers, especially the Domain container.  Also notice how the Configuration container is like the Windows Server 2003 Sites and Services snap-ins.  The big difference is that with the ADSI Edit tool you see many more properties, moreover, each property has dozens of attributes.  In fact there are so many obscure attributes that I often tick the box: Show only attributes that have values.

Unlike command line tools such as DCDiag and NTDSUTIL, ADSI Edit has a GUI, which means its easier to appreciate the scale of Active Directory and easier to navigate the various branches of the configuration containers.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v12 v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

ADSI Edit Example – To Change the Display Name

This example has all the ingredients for learning about ADSI Edit namely, planning, attention to detail and a real life scenario where there is no other way of configuring the settings.  Our objective is to change the display from: First Name, Last Name to: Last Name, First Name.  From the outset, let us be clear which field we are changing.

Our mission is to change the first field in Active Directory Users and Computers, the column called ‘Name’ and not the ‘Display Name’ or ‘Description’ column.  (Although you could change those too, but that would be a separate project.)  The above diagram shows the final result, let us see how we achieve this goal.

ADSI Edit Example - To change the Display Name

  1. Launch ADSI Edit and make sure you start at the Configuration container.  ADSI Edit user-display createDialog
  2. Next it’s CN=Configuration, Display Specifies.  CN=409 means English sort order (not Spanish or Arabic).
  3. What we want is the user-Display Properties, the crucial attribute is createDialog (not description).
  4. Now it took me four tries before I perfected the string value:
    %<sn>, %<givenName>

ADSI Edit createDialog Windows 2003 download

Here are my mistakes:

Learn from what I did wrong, or you will be destined to suffer my frustration: 

%<sn>, %    <givenName>.  I exaggerated the gap, but please note that there should be no space between the % and the smaller than bracket <.  My most infuriating mistake was troubleshooting <givenname>  At first, I had no idea that Active Directory required the case sensitive <givenName>.

Learning Points

1) As ADSI Edit uses ‘raw’ mode there is no error checking, therefore, do remember what I said about paying attention to detail.  My point is that ADSI Edit is not a tool for a beginners in general, and gung-ho beginners in particular.

2) The good news is that if you go back to Active Directory Users and Computer and create another user, you will see immediately the effect of editing createDialog.

3) Do experiment with other settings, for example, user-display properties, description attribute.

Would like more examples of ADSI Edit?  See here

Download ADSI Edit

Guy Recommends: SolarWinds Network Topology Mapper (NTM)SolarWinds Network Topology Mapper

NTM will produce a neat diagram of your network topology.  But that’s just the start;Network Topology Mapper can create an inventory of the hardware and software of your machines and network devices.  Other neat features include dynamic update for when you add new devices to your network.  I also love the ability to export the diagrams to Microsoft Visio.

Finally, Guy bets that if you test drive the Network Topology Mapper then you will find a device on your network that you had forgotten about, or someone else installed without you realizing!

Download your 14 day free trial ofSolarWinds Network Topology Mapper

Good News

If you are upset that existing users are not affected by this change, then get a copy of ADModify and with a few clicks you can display the ‘Name’ column as LastName, Firstname.

Summary of ADSI Edit

Nobody wins their Active Directory spurs without knowing where to find ADSI Edit.  No-one gets to be a top Windows Server 2003 techie before they have explored the Domain and Configuration partitions with ADSI Edit.  Without ADSI Edit experience, many TechNet articles will be beyond your skill level.  While ADSI Edit is not Microsoft’s most difficult tool, you have to be careful as there is no error checking.

If you like this page then please share it with your friends

 

See more Windows tools

ADSI Edit Tool   • Authoritative Restore   • Windiff Compare Folders

Eseutil Commands for Exchange 2010 Server  •ESEutil   •NTDSUtil

About The Author

Guy Thomas

Related Posts