The ADSI Edit tool (Active Directory Service Interfaces Editor) is an MMC snap-in that lets you connect to the partitions (naming contexts) of the Active Directory database (NTDS.dit), or to another LDAP directory such as an AD LDS instance. With ADSI Edit you can create, modify, and delete objects in Active Directory, run LDAP searches, and so on.
In Windows Server 2003, the ADSIEdit.msc snap-in was part of the Windows Server 2003 Support Tools, which had to be downloaded and installed separately. The snap-in DLL was registered with the command regsvr32 adsiedit.dll.
Modern Windows versions include ADSIEdit.msc in RSAT. It is installed as part of the AD DS Snap-ins and Command Line Tools feature: go to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
After installing the feature, start ADSI Edit by pressing Win+R and typing adsiedit.msc, or run it from Control Panel\System and Security\Administrative Tools.
Important note! The ADSI Edit snap-in is to Active Directory what the Registry Editor is to Windows. Not all Windows settings can be changed through the GUI or Group Policy; sometimes, to solve a complex problem, the administrator has to edit the Windows registry directly.
Similarly, Active Directory Users and Computers or the PowerShell cmdlets may not be enough for some tasks in Active Directory, and ADSI Edit lets you write directly to the AD database. Keep in mind that ADSI Edit is a raw LDAP editor: it skips the input validation and consistency checks that the ADUC console performs before it writes (the domain controller still enforces permissions and schema syntax, but it will happily accept a wrong value of the right type). An incorrect change can therefore damage or destroy your AD database. Back up Active Directory (a system state backup of a domain controller) before using this tool, and note the old value of any attribute you change so that you can revert it.
Right-click the ADSI Edit root node and select Connect to.
In the dialog you choose the Connection Point (a distinguished name or one of the well-known naming contexts) and the Computer (a domain controller or other LDAP server, with an optional port) you want to connect to.
If you do not know the exact distinguished name of the Connection Point, select one of the well-known Naming Contexts:
- Default naming context;
If your LDAP server (or domain controller) has a server certificate installed, check the Use SSL-based Encryption option to connect over LDAPS; the dialog then switches the port from 389 to 636. The connection only succeeds if the client trusts the certificate the DC presents and the name you typed matches it, so a failed SSL connection usually means a missing or untrusted certificate rather than a wrong password.
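Before ticking Use SSL-based Encryption it is useful to confirm that the DC actually serves LDAPS and which certificate it presents. The following PowerShell function is an added example, not code from the original article: it binds over LDAPS with System.DirectoryServices.Protocols, validates the server certificate chain against the local trust store in the verification callback, and reads RootDSE over the encrypted connection. The server name dc01.theitbros.com and the port 636 are assumptions for illustration.

```powershell
# Added example (not part of the original article): check that a DC accepts LDAPS
# and report the certificate it presents. Assumptions: DC is dc01.theitbros.com,
# LDAPS listens on the default port 636, and the current user can bind with Kerberos/NTLM.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsConnection {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 636
    )
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection "${Server}:${Port}"
    $ldap.SessionOptions.SecureSocketLayer = $true
    $ldap.SessionOptions.ProtocolVersion   = 3
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    # The callback records the certificate for reporting and only accepts it when a
    # chain can be built to a trusted root on this client (no blanket "return $true").
    $script:serverCert = $null
    $ldap.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $script:serverCert = $cert
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        return $chain.Build($cert)
    }

    try {
        $ldap.Bind()   # throws LdapException if TLS or authentication fails
        # Base-scope search against RootDSE (empty DN) over the encrypted session.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $null, '(objectClass=*)', 'Base', 'defaultNamingContext', 'schemaNamingContext')
        $resp = $ldap.SendRequest($req)
        $root = $resp.Entries[0]
        [pscustomobject]@{
            Server               = $Server
            Port                 = $Port
            CertificateSubject   = $script:serverCert.Subject
            CertificateIssuer    = $script:serverCert.Issuer
            CertificateExpires   = $script:serverCert.NotAfter
            DefaultNamingContext = $root.Attributes['defaultNamingContext'][0]
            SchemaNamingContext  = $root.Attributes['schemaNamingContext'][0]
        }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        Write-Warning "LDAPS bind to ${Server}:${Port} failed: $($_.Exception.Message)"
        if ($script:serverCert) {
            Write-Warning "Certificate presented: $($script:serverCert.Subject) (issuer $($script:serverCert.Issuer)); it was not trusted by this client."
        } else {
            Write-Warning "No certificate was presented; the DC may have no server-authentication certificate in its store."
        }
    }
    finally {
        $ldap.Dispose()
    }
}

Test-LdapsConnection -Server 'dc01.theitbros.com'
```

If the function reports an untrusted certificate, fix the trust (import the issuing CA) or the certificate itself rather than relaxing the callback; ADSI Edit will apply the same validation when you connect.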
To open an ADUC-like view of AD, select the Default naming context and press OK. A new root partition appears in the left pane, which you can expand. In this mode the ADSI Edit console displays all containers and OUs in AD, including the hidden service containers that ADUC does not show by default. You can navigate the AD hierarchy and modify, move, rename, or delete any object (computers, users, groups).
To edit user properties through ADSI Edit, go to the desired location and open the properties of the Active Directory object you need.
On the Attribute Editor tab, you can view or edit any user properties in AD.
For example, suppose you want to hide one of the AD containers in the ADUC snap-in (it will then be shown only when Advanced Features is enabled). To do this, open the OU properties and change the showInAdvancedViewOnly attribute from False (or <not set>) to True.
Note. If an attribute you need does not appear in the list, click the Filter button and disable the option Show only attributes that have values.
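The same showInAdvancedViewOnly change, done with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. It records the previous value before writing so the change can be reverted, and reads the attribute back to confirm the write took effect. The OU distinguished name OU=Service,DC=theitbros,DC=com and the log file path are assumptions for illustration.

```powershell
# Added example (not part of the original article): set or clear showInAdvancedViewOnly
# on an OU with the RSAT ActiveDirectory module. Assumes the OU
# OU=Service,DC=theitbros,DC=com exists and the caller has write access to it.
Import-Module ActiveDirectory

function Set-AdObjectHidden {
    param(
        [Parameter(Mandatory)] [string]$Identity,   # distinguished name of the OU or container
        [bool]$Hidden = $true,
        [string]$LogPath = "$env:TEMP\adsi-changes.log"   # assumed location for the change record
    )
    $obj    = Get-ADObject -Identity $Identity -Properties showInAdvancedViewOnly
    $before = $obj.showInAdvancedViewOnly      # $null when the attribute is <not set>

    # Record the old value first, so the edit can be undone if it causes a problem.
    "$(Get-Date -Format o) $Identity showInAdvancedViewOnly: [$before] -> [$Hidden]" |
        Add-Content -Path $LogPath

    Set-ADObject -Identity $Identity -Replace @{ showInAdvancedViewOnly = $Hidden }

    # Read back and verify the write instead of trusting that the cmdlet succeeded.
    $after = (Get-ADObject -Identity $Identity -Properties showInAdvancedViewOnly).showInAdvancedViewOnly
    if ($after -ne $Hidden) {
        throw "showInAdvancedViewOnly on $Identity is [$after], expected [$Hidden]"
    }
    [pscustomobject]@{ Object = $Identity; Before = $before; After = $after }
}

# Hide the OU from the default ADUC view:
Set-AdObjectHidden -Identity 'OU=Service,DC=theitbros,DC=com' -Hidden $true

# Revert: Set-AdObjectHidden -Identity 'OU=Service,DC=theitbros,DC=com' -Hidden $false
# Return to <not set>: Set-ADObject -Identity 'OU=Service,DC=theitbros,DC=com' -Clear showInAdvancedViewOnly
```

Hiding a container from ADUC is a display hint only; it does not change the object's permissions, so do not rely on it to keep anything out of reach of users who can query LDAP directly.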
To check the current AD schema version via ADSI Edit:
- Select Schema as well known Naming Context;
- Expand Schema, right-click CN=Schema,CN=Configuration,DC=theitbros,DC=com and select Properties;
- Check the objectVersion value;
- In our case it is 69, which corresponds to the Windows Server 2012 R2 schema.
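The same check from PowerShell, as an added example that is not part of the original article: it reads schemaNamingContext from RootDSE so the schema DN does not have to be typed by hand, fetches objectVersion, and maps it to the Windows Server release that introduced that schema version. The mapping table covers the documented objectVersion values for Windows 2000 through Windows Server 2019/2022; the ActiveDirectory module and a reachable DC are assumed.

```powershell
# Added example (not part of the original article): report the AD schema version
# and the Windows Server release it belongs to. Assumes the RSAT ActiveDirectory
# module is installed and a domain controller is reachable.
Import-Module ActiveDirectory

# objectVersion values of the schema partition per Windows Server release.
$schemaVersions = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

function Get-AdSchemaVersion {
    param([string]$Server)   # optional: a specific DC, e.g. dc01.theitbros.com

    $dseArgs = @{}
    if ($Server) { $dseArgs['Server'] = $Server }

    # RootDSE publishes the DN of the schema partition (CN=Schema,CN=Configuration,...).
    $rootDse  = Get-ADRootDSE @dseArgs
    $schemaDn = $rootDse.schemaNamingContext

    $version = [int](Get-ADObject -Identity $schemaDn -Properties objectVersion @dseArgs).objectVersion

    $release = if ($schemaVersions.ContainsKey($version)) {
        $schemaVersions[$version]
    } else {
        'Unknown (newer than the table in this script)'
    }

    [pscustomobject]@{
        SchemaDN      = $schemaDn
        objectVersion = $version
        Release       = $release
        SchemaMaster  = (Get-ADForest).SchemaMaster
    }
}

Get-AdSchemaVersion
# For the forest in the article this returns objectVersion 69 / Windows Server 2012 R2.
```

Compare the objectVersion you get with the value expected for the newest domain controller you plan to add; if it is lower, the schema has to be extended (adprep /forestprep) on the schema master first.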