The ADSI Edit tool (Active Directory Service Interfaces Editor) is an MMC snap-in that lets you connect to the partitions of the Active Directory database (NTDS.dit) or to an LDAP server. With ADSI Edit you can create, modify, and delete objects in Active Directory, perform searches, and so on.
In Windows Server 2003, the ADSIEdit.msc snap-in was part of the Windows Server 2003 Support Tools, which had to be downloaded and installed manually. The snap-in was registered with the command “regsvr32 adsiedit.dll”.
In modern Windows versions, ADSIEdit.msc is included in RSAT and is installed as part of the AD DS Snap-ins and Command Line Tools feature (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools).
After installing the component, start ADSI Edit by pressing Win+R and typing adsiedit.msc (or run it from Control Panel\System and Security\Administrative Tools).
Important note! In its editing capabilities, the ADSI Edit snap-in resembles the Windows registry editor. Not all Windows settings can be changed through the GUI or Group Policies, and sometimes, to solve a complex problem, the administrator has to make changes directly in the Windows registry.
Similarly, for some complex Active Directory problems, Active Directory Users and Computers or the PowerShell cmdlets may not be enough, and you can make changes directly in the AD database through ADSI Edit. However, ADSI Edit bypasses the usual AD safeguards, and an incorrect change made with adsiedit.msc can damage or destroy your AD database. This is why it is advisable to back up Active Directory before using this tool.
Right-click the root node in ADSI Edit and select Connect to.
Here you can choose the Connection Point, Naming Context, or remote computer hosting the LDAP database you want to connect to.
If you do not know the exact Distinguished Name of the Connection Point or Naming Context, you can select one of the well-known Naming Contexts:
- Default naming context;
If your LDAP server (or domain controller) is secured with an SSL certificate, you must check the option “Use SSL-based Encryption” to connect over the LDAPS protocol.
To open an ADUC-like view of AD, select Default naming context and press OK. A new root partition appears in the left pane, which you can expand. As you can see, in this mode the ADSI Edit console displays all containers and OUs in AD. The console also shows hidden AD service containers that ADUC does not display by default. You can navigate the AD hierarchy and modify, move, delete, or rename any object (computers, users, groups).
To edit user properties through ADSI Edit, go to the desired location and open the properties of the Active Directory object you need.
On the Attribute Editor tab, you can view or edit any user property in AD.
For example, suppose you want to hide one of the AD containers in the ADUC snap-in. To do this, open the OU properties and change the showInAdvancedViewOnly attribute from False (or Not Set) to True.
Note. If the attribute you need does not appear in the list, click the Filter button and disable the option Show only attributes that have values.
To check current AD schema version via ADSI Edit:
- Select Schema as the well-known Naming Context;
- Expand Schema, right-click CN=Schema,CN=Configuration,DC=theitbros,DC=com and select Properties;
- Check the objectVersion value;
- In our case it is 69, which corresponds to the Windows Server 2012 R2 schema level.
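The same check can be scripted through the ADSI provider from PowerShell. The script below is an added example, not part of the original article: it reads the RootDSE well-known naming context to find the Schema partition, reads objectVersion from it, and maps the number to a schema level. It assumes the machine is domain-joined and the current user can read AD; the version table is built from the value quoted above (69) plus the documented values for the other Windows Server releases.

```powershell
# Added example (not from the original article): read the AD schema
# objectVersion through the ADSI provider, the same attribute the ADSI Edit
# steps above inspect, and map it to a known schema level.
# Assumes a domain-joined machine and a user with read access to AD.

# RootDSE is one of the well-known naming contexts. Asking it for
# schemaNamingContext avoids hard-coding the CN=Schema,CN=Configuration,DC=... path.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaDn = $rootDse.schemaNamingContext.Value

# Bind to the Schema partition and read its objectVersion attribute.
$schema  = [ADSI]"LDAP://$schemaDn"
$version = [int]$schema.objectVersion.Value

# objectVersion -> Windows Server schema level. 69 is the value from the
# article; the remaining rows are the documented values for other releases.
$schemaLevels = @{
    13 = 'Windows 2000 Server'
    30 = 'Windows Server 2003'
    31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'
    47 = 'Windows Server 2008 R2'
    56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

$level = if ($schemaLevels.ContainsKey($version)) {
    $schemaLevels[$version]
} else {
    'unknown (newer than this table)'
}

Write-Output "Schema partition : $schemaDn"
Write-Output "objectVersion    : $version"
Write-Output "Schema level     : $level"
```

Because the script only reads attributes, it is safe to run before any ADSI Edit change as a record of the schema state you started from.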