How to View and Change Active Directory Object Properties with ADSI Edit

New Configuration (How To)

Situation

The ADSI Edit tool (Active Directory Service Interface Editor) is an MMC snap-in that allows you to connect to the various Active Directory database (NTDS.dit) partitions or to an LDAP server. With ADSI Edit you can create, modify, and delete objects in Active Directory, perform searches, and so on.

In Windows Server 2003, the ADSIEdit.msc snap-in was part of the Windows Server 2003 Support Tools, which had to be downloaded and installed manually. The snap-in was registered with the command “regsvr32 adsiedit.dll”. In modern Windows versions, ADSIEdit.msc is included in RSAT and installed as part of the AD DS Snap-ins and Command Line Tools feature (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools).

After installing the component, to start ADSI Edit press Win+R and type adsiedit.msc (or you can run ADSI Edit from Control Panel\System and Security\Administrative Tools).

Solution

Important note! In its Active Directory editing capabilities, the ADSI Edit snap-in resembles the Windows registry editor. Not all Windows settings can be changed through the GUI or Group Policies. Sometimes, to solve a complex problem, the administrator has to make changes directly in the Windows registry.

Similarly, when Active Directory Users and Computers or the PowerShell cmdlets are not enough to solve a complex Active Directory problem, you can make changes directly to the AD database through ADSI Edit. However, ADSI Edit bypasses all the common AD safeguard mechanisms, and incorrect changes made with adsiedit.msc can damage or destroy your AD database. This is why it is advisable to back up Active Directory before using this tool.

Right-click on the root in the ADSI Edit and select Connect to.

Here you can choose which Connection Point, Naming Context, or remote computer with LDAP database you want to connect to.

If you do not know the exact Connection Point Distinguished Name or Naming Context, you can select one of the well-known naming contexts:

  • Default naming context;
  • Configuration;
  • RootDSE;
  • Schema.

If your LDAP server (or domain controller) is secured with an SSL certificate, you must check the option “Use SSL-based Encryption” to use the LDAPS protocol.

To open the ADUC-like AD view, select Default naming context and press OK. A new root partition will appear in the left pane, which you can expand. As you can see, in this mode the ADSI Edit console displays all containers and OUs in AD. The console also shows hidden AD service containers that are not displayed by default in ADUC. You can navigate the AD hierarchy and select, modify, move, delete, or rename any objects (computers, users, groups).

To edit user properties through ADSI Edit, go to the desired location and open the properties of the Active Directory object you need.

On the Attribute Editor tab, you can view or edit any user properties in AD.
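Because ADSI Edit applies changes without the usual safeguards, it helps to record an object's attributes before an edit and compare them afterwards. The following PowerShell sketch is an added example, not part of the original article; it only reads from the directory, and the function names, the DN and the file name are assumptions made for illustration.

```powershell
# Added example, read-only: it never writes to AD. Assumes a domain-joined Windows host.
function Get-AdObjectSnapshot {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server,   # optional: pin both reads to one DC / LDAP server
        [switch]$UseSsl    # LDAPS on port 636, like "Use SSL-based Encryption"
    )
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    $hostPart = if ($Server) { "$Server/" } else { '' }
    if ($UseSsl) {
        if (-not $Server) { throw '-UseSsl requires -Server' }
        $hostPart = "${Server}:636/"
        $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    }
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$hostPart$DistinguishedName", $null, $null, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base   # this object only
    $searcher.Filter = '(objectClass=*)'
    $result = $searcher.FindOne()
    if (-not $result) { throw "Object not found: $DistinguishedName" }

    $snapshot = [ordered]@{}
    foreach ($name in ($result.Properties.PropertyNames | Sort-Object)) {
        $values = foreach ($value in $result.Properties[$name]) {
            # Binary attributes (objectSid, objectGUID, ...) are stored as Base64 text
            if ($value -is [byte[]]) { [Convert]::ToBase64String($value) } else { [string]$value }
        }
        $snapshot[$name] = (@($values) | Sort-Object) -join ' | '
    }
    $snapshot
}

function Compare-AdObjectSnapshot {
    param([System.Collections.IDictionary]$Before, [System.Collections.IDictionary]$After)
    $names = @($Before.Keys) + @($After.Keys) | Sort-Object -Unique
    foreach ($name in $names) {
        if ($Before[$name] -ne $After[$name]) {
            [pscustomobject]@{ Attribute = $name; Before = $Before[$name]; After = $After[$name] }
        }
    }
}

# Usage: snapshot, make the edit in ADSI Edit, snapshot again, then diff.
$dn = 'CN=Jane Doe,OU=Staff,DC=example,DC=com'   # constructed placeholder
$before = Get-AdObjectSnapshot -DistinguishedName $dn
$before | ConvertTo-Json | Set-Content -Path .\before.json -Encoding UTF8   # rollback record
Read-Host 'Make the change in ADSI Edit, then press Enter' | Out-Null
$after = Get-AdObjectSnapshot -DistinguishedName $dn
Compare-AdObjectSnapshot -Before $before -After $after | Format-Table -AutoSize
```

After any write, whenChanged and uSNChanged will differ in addition to the attribute you edited; any other difference is a change you did not intend. Pass -Server on both calls so the two reads come from the same domain controller.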

Solution type

Permanent
