
ADSI Edit: How To Edit Active Directory Using ADSI Edit. ADSI Edit (the Active Directory Service Interfaces Editor) gives access to, and lets us modify, the underlying directory service data that ADUC (Active Directory Users and Computers) does not expose. In this article we discuss the usage of ADSI Edit, including how to open the tool, basic navigation, and everyday use cases for changing Active Directory objects and attributes. Whether we are seasoned system administrators or just starting out, understanding how to use ADSI Edit takes our Active Directory management skills to the next level.

ADSI: How To Edit Active Directory Using ADSI Edit

The ADSI Edit tool is an MMC snap-in. It uses Active Directory Service Interfaces to connect to the Active Directory database partitions (NTDS.dit) or to an LDAP server. ADSI Edit also lets us edit attributes, perform searches, and create, modify, and delete items in Active Directory.

Prerequisites

Current Windows versions include ADSIEdit.msc in the Remote Server Administration Tools (RSAT); the tool is part of the AD DS Snap-Ins and Command-Line Tools package. Check out this article for instructions on installing RSAT and more information.

After installing the feature, press Win+R to open the Run window and type adsiedit.msc to start ADSI Edit. Alternatively, open Administrative Tools under the Control Panel’s System and Security section.

Note: ADSI Edit stands to Active Directory much as the registry editor stands to Windows. Some Windows settings cannot be changed through Group Policy or the graphical user interface, so an administrator occasionally has to edit the Windows registry directly to resolve a complicated issue; ADSI Edit plays the same role for Active Directory settings.

Overview of the ADSI Tool

Solving complex Active Directory issues often requires more than the Users and Computers snap-in or PowerShell cmdlets. ADSI Edit lets us alter the AD database directly, but it bypasses all of the standard AD safety checks, so an erroneous modification made in adsiedit.msc can damage or erase our AD database. For this reason we advise backing up Active Directory before using this tool.

To start, right click the ADSI Edit root node and select Connect. In this dialog we choose a remote machine hosting an LDAP database and a Connection Point (a Naming Context). If we do not know the exact Distinguished Name of the Connection Point or Naming Context, we select one of the well known Naming Contexts:

  • Default naming context
  • Configuration
  • RootDSE
  • Schema

If our LDAP server (or domain controller) has an SSL certificate, we select the Use SSL-based Encryption option to connect over the LDAPS protocol.

Choose the Default naming context to open an ADUC-like view of AD and click OK. The left pane now displays a new root partition that we can expand. In this mode the ADSI Edit console shows the hierarchical tree of all containers and OUs in AD.

Remember that the levels of the hierarchy beneath the Default Naming Context become visible only after we click the node. Moreover, some AD service containers are hidden, and ADUC cannot show them by default, whereas ADSI Edit does. In the AD hierarchy we can select, modify, move, remove, and rename any object (computers, users, groups).

For illustration, go to the OU containing users, choose a user, and open its context menu to see the list of available actions. Besides the usual operations on an AD object (Move, Create, Delete, Rename), we can reset the user’s Active Directory password from here. Observe that the DN (Distinguished Name) and CN (Canonical Name) are shown rather than the object name.

To edit object properties using ADSI Edit, go to the desired Active Directory object and open its properties.


Importance of ADSI

Here are some reasons why we need ADSI:

  1. Deeper Access and Control: While the Active Directory Users and Computers (ADUC) tool provides a user-friendly interface for managing Active Directory, it exposes only part of the necessary functionality; ADSI reaches the rest.
  2. Automation: We use ADSI to automate everyday administrative tasks, such as creating and deleting user accounts, resetting passwords, and modifying group memberships. This is cost efficient, saves time, and reduces the likelihood of human error caused by manual data entry.
  3. Scripting: ADSI is used with scripting languages such as VBScript and PowerShell to automate repetitive tasks or perform complex operations, which makes managing large Active Directory environments with many objects easier.
  4. Integration: ADSI integrates Active Directory with other directory services or applications, such as LDAP directories, DNS servers, and Exchange Server. This helps organizations achieve better interoperability and streamline their IT infrastructure.

Viewing and Editing ADSI Attributes

The Attribute Editor tab lets us examine or modify any property of an object. By default the ADSI Edit console shows every attribute the object has in Active Directory according to its class, including attributes that do not appear in the ADUC interface.

Both filled and empty attributes are shown; empty ones display the value “not set.” The Filter button lets us choose which attributes to display.

The following filter options are available:

  • Show only attributes that have values — this option, once enabled, hides all attributes with empty values;
  • Show only writable attributes —displays only those attributes that we can edit;
  • Show mandatory attributes;
  • Show optional attributes;
  • Show read-only attributes (Constructed, Backlinks, or System only).
Note: The Attribute Editor tab in the user properties of the ADUC console is similar to this tab.

We change any attribute by double-clicking it, entering a new value, and then saving the changes.

Be aware that object attributes have several data types (Integer, String, MultiString, Time, etc.). For instance, the ADSI Edit Attribute Editor console shows time/date attributes in their conventional form, but if we try to modify one we see that it is still stored in the Active Directory database in Timestamp format.

ADSI Edit also lets us configure AD settings that cannot be configured in any other way. For instance, any domain user can add up to 10 computer accounts to the domain (even without Domain Admin rights). This limit is defined by the LDAP attribute ms-DS-MachineAccountQuota in the domain properties, which we can only modify using ADSI Edit.
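The quota described above can be audited and tightened from PowerShell through the same ADSI adapter the article covers later. The following script is an added example written for this article, not code from the original post or from InfraSOS; it assumes the caller has write access to the domain head, and the function names, the warning threshold and the hardening value of 0 are this example’s own conventions.

```powershell
# Added example (not from the original article): audit and harden
# ms-DS-MachineAccountQuota on the domain object via the [ADSI] adapter.
# Assumes the running account can write to the domain head object.

function Get-MachineAccountQuota {
    # RootDSE tells us the domain DN, so nothing is hard-coded
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # An unset attribute comes back as $null, which casts to 0 (no quota)
    [int]$domain.'ms-DS-MachineAccountQuota'.Value
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][int]$Quota)
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domain  = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $domain.Put('ms-DS-MachineAccountQuota', $Quota)   # stage the new value
    $domain.SetInfo()                                  # commit it to the directory
}

$current = Get-MachineAccountQuota
if ($current -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $current: any domain user can join that many computers."
    # Common hardening: remove the self-service quota so only delegated accounts can join machines.
    # Set-MachineAccountQuota -Quota 0
} else {
    Write-Host "ms-DS-MachineAccountQuota is 0: only accounts with delegated rights can join computers."
}
```

Reading the domain DN from RootDSE keeps the script portable between domains; the Put/SetInfo pair is the ADSI equivalent of editing the attribute and clicking OK in the Attribute Editor, so the same backup advice applies before running the commented-out hardening line.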

Next, we look at some examples of tasks we perform with the ADSI Edit console.

Hide OU in Active Directory

For instance, we can hide an OU (one of the AD containers) from the ADUC snap-in: open the OU properties in ADSI Edit and change the attribute from False (or Not Set) to True.

To check the version of the AD schema using ADSI Edit:

  1. Select Schema as the well known Naming Context;
  2. Expand Schema, right click the schema container and open its properties;
  3. Check the objectVersion value;
  4. The value corresponds to the AD schema version, in this case Windows Server 2012 R2.
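Both of the tasks just described (hiding an OU and reading the schema version) can be done through the ADSI adapter without opening the console. The script below is an added example, not code from the original article or from InfraSOS. It assumes that showInAdvancedViewOnly is the attribute behind the hide-OU step (it is the standard AD attribute that ADUC honours unless Advanced Features is enabled), and the OU distinguished name used at the end is a constructed placeholder.

```powershell
# Added example (not from the original article): hide an OU from the default
# ADUC view and read the schema objectVersion through the [ADSI] adapter.

function Set-OuHidden {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [bool]$Hidden = $true
    )
    $ou = [ADSI]"LDAP://$OuDistinguishedName"
    # showInAdvancedViewOnly is a Boolean attribute; $true hides the object in ADUC
    $ou.Put('showInAdvancedViewOnly', $Hidden)
    $ou.SetInfo()
    # Re-read the committed value from the directory to confirm the change took effect
    $ou.RefreshCache()
    [bool]$ou.showInAdvancedViewOnly.Value
}

function Get-SchemaObjectVersion {
    $rootDse = [ADSI]'LDAP://RootDSE'
    # schemaNamingContext is the DN of the Schema partition (CN=Schema,CN=Configuration,...)
    $schema = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
    [int]$schema.objectVersion.Value
}

# Placeholder DN for illustration; replace with a real OU in your forest
Set-OuHidden -OuDistinguishedName 'OU=NewYork,DC=infrasos,DC=com'
Get-SchemaObjectVersion
```

Hiding an OU this way only removes it from the default ADUC view; it does not change permissions on the OU, so it is a tidiness measure rather than an access control. The schema version number is read from the Schema naming context exactly as the console steps above do, by binding to the DN that RootDSE reports in schemaNamingContext.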

We can manage ADSI not only in the GUI but also programmatically in PowerShell, which we discuss in the next section.

Manage AD Using ADSI Adapter for PowerShell

We use the ADSI adapter in PowerShell to connect to AD over LDAP. Although there are better ways to administer AD (the PowerShell Active Directory module, for one), there are occasions when we must use the adapter, such as from external tools or logon scripts. To retrieve information about an AD object through the ADSI interface we specify its LDAP path:

    [ADSI]'LDAP://CN=DC01,OU=Domain Controllers,DC=infrasos,DC=com'

List all object attributes:

    [ADSI]'LDAP://CN=DC01,OU=Domain Controllers,DC=infrasos,DC=com' | Format-List *

We get the value of a specific object attribute:

    [ADSI]"LDAP://DC=infrasos,DC=com" | Format-List ms-DS-MachineAccountQuota

We use LDAP search filters to find objects in AD via ADSI:

    ([ADSISearcher]'(&(objectCategory=computer)(operatingSystem=Windows Server 2019*)(primaryGroupID=516))').FindAll()

Find users with “Password Never Expires” set:

    ([ADSISearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=66048))').FindAll()

The ADSI interface also allows us to modify and create AD objects:

    $TargetOU = [adsi]'LDAP://DC=infrasos,DC=com'
    $NewOU = $TargetOU.Create('organizationalUnit','ou=NewYork')
    $NewOU.SetInfo()   # commits the new OU to the directory
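The one-line searches above return raw DirectoryEntry results and, without paging, stop at the server’s result limit. The following script is an added example (not code from the original article or from InfraSOS) that builds the “Password Never Expires” search out more fully: it roots the search via RootDSE, enables paging, loads only the attributes it needs, decodes the userAccountControl bit, and converts the timestamp-format time attributes the article mentions into DateTime values. It filters on bit 65536 alone rather than the article’s 66048 (which additionally requires the normal-account bit 512); the function and column names are this example’s own.

```powershell
# Added example (not from the original article): a paged ADSISearcher query that
# reports users whose password never expires, with timestamps decoded.

$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit 65536

function Find-PasswordNeverExpiresUsers {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    # Bitwise-AND matching rule: the flag bit must be set
    $searcher = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    # Without paging the DC caps the result set at its MaxPageSize (1000 by default)
    $searcher.PageSize   = 1000
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet', 'lastLogonTimestamp'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties   # keys are lower-case in the result collection
        # Time attributes are large integers: 100-ns ticks since 1601-01-01 UTC; 0 means "never"
        $pwdLastSet = [int64]$p['pwdlastset'][0]
        $lastLogon  = if ($p['lastlogontimestamp'].Count) { [int64]$p['lastlogontimestamp'][0] } else { 0 }
        [pscustomobject]@{
            SamAccountName       = [string]$p['samaccountname'][0]
            PasswordNeverExpires = ([int]$p['useraccountcontrol'][0] -band $DONT_EXPIRE_PASSWD) -ne 0
            PasswordLastSet      = if ($pwdLastSet) { [DateTime]::FromFileTimeUtc($pwdLastSet) } else { $null }
            LastLogon            = if ($lastLogon)  { [DateTime]::FromFileTimeUtc($lastLogon) }  else { $null }
        }
    }
}

# Oldest passwords first: the accounts a reviewer would want to look at before the rest
Find-PasswordNeverExpiresUsers | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Setting PageSize is the detail most often missed with ADSISearcher: a domain with more than 1000 matching accounts silently returns only the first page otherwise. Restricting PropertiesToLoad keeps the query cheap on the domain controller, and lastLogonTimestamp is replicated (unlike lastLogon), so it is the right attribute to read from any DC for a stale-account review.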

ADSI Edit: How To Edit Active Directory Using ADSI Edit Conclusion

In conclusion, ADSI Edit is a powerful tool that gives system administrators deeper access to and control over Active Directory objects and attributes. While ADUC delivers a user-friendly interface for managing Active Directory, it does not always provide access to all necessary functionality. With ADSI Edit, administrators make low-level changes to objects and attributes that are otherwise invisible, allowing for advanced troubleshooting and the resolution of complex issues.


Marion Mendoza


Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.
