ADSI Edit: How to View and Change Active Directory Object Properties?


The ADSI Edit tool (Active Directory Service Interface Editor) is a special MMC snap-in that allows you to connect to various Active Directory database partitions (NTDS.dit) or to an LDAP server. With ADSI Edit you can create, modify, and delete objects in Active Directory, perform searches, and so on.

In Windows Server 2003, the ADSIEdit.msc snap-in was part of the Windows Server 2003 Support Tools, which had to be downloaded and installed manually. The snap-in was registered with the command “regsvr32 adsiedit.dll”.

In modern Windows versions, ADSIEdit.msc is included in RSAT and installed as part of the AD DS Snap-ins and Command Line Tools feature (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools).

After installing the component, to start ADSI Edit press Win+R and type adsiedit.msc (or you can run ADSI Edit from Control Panel\System and Security\Administrative Tools).

Important note! In its Active Directory editing capabilities, the ADSI Edit snap-in resembles the Windows Registry Editor. Not all Windows settings can be changed through the GUI or Group Policies. Sometimes, to solve a complex problem, the administrator has to make changes directly in the Windows registry.

Similarly, when Active Directory Users and Computers or PowerShell cmdlets are not enough to solve a complex Active Directory problem, you can make changes directly to the AD database through ADSI Edit. However, ADSI Edit bypasses all the common AD safeguard mechanisms, and an incorrect change made with adsiedit.msc can damage or destroy your AD database. This is why it is advisable to back up Active Directory before using this tool.

Right-click on the root in the ADSI Edit and select Connect to.

Here you can choose which Connection Point, Naming Context, or remote computer with an LDAP database you want to connect to.

If you do not know the exact Connection Point Distinguished Name or Naming Context, you can select one of the well-known Naming Contexts:

  • Default naming context;
  • Configuration;
  • RootDSE;
  • Schema.

If your LDAP server (or domain controller) is secured with an SSL certificate, you must check the option “Use SSL-based Encryption” to use the LDAPS protocol.

To open the ADUC-like AD view, select Default naming context and press OK. A new root partition will appear in the left pane, which you can expand. As you can see, in this mode the ADSI Edit console displays all containers and OUs in AD. The console also shows hidden AD service containers that are not displayed by default in ADUC. You can navigate the AD hierarchy and select, modify, move, delete, or rename any objects (computers, users, groups).

To edit user properties through ADSI Edit, go to the desired location and open the properties of the Active Directory object you need.

On the Attribute Editor tab, you can view or edit any user properties in AD.

For example, suppose you want to hide one of the AD containers in the ADUC snap-in. To do this, open the OU properties and change the showInAdvancedViewOnly attribute from False (or Not Set) to True.

Note. If you need an attribute that does not appear in the list, click on the Filter button and disable the option Show only attributes that have values.
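
The same showInAdvancedViewOnly change can be recorded, previewed, and rolled back from PowerShell. This is an added example, not part of the original article: it assumes the ActiveDirectory module from RSAT is installed, and the OU name and export path are hypothetical placeholders.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module from RSAT. The OU name and export path are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn       = 'OU=Example,DC=theitbros,DC=com'   # hypothetical OU
$exportPath = 'C:\Temp\ou-before-change.xml'     # hypothetical path

# 1. Record the current state of the object before touching it.
$before = Get-ADObject -Identity $ouDn -Properties showInAdvancedViewOnly, whenChanged |
    Select-Object DistinguishedName, showInAdvancedViewOnly, whenChanged
$before | Export-Clixml -Path $exportPath

# 2. Show the value about to be changed ("Not Set" in ADSI Edit is $null here).
$current = $before.showInAdvancedViewOnly
if ($null -eq $current) { $shown = '<not set>' } else { $shown = $current }
"Current showInAdvancedViewOnly: $shown"

# 3. Preview the change. -WhatIf prints what would be written without writing it;
#    remove -WhatIf only after checking that the target DN is the intended one.
if ($current -ne $true) {
    Set-ADObject -Identity $ouDn -Replace @{ showInAdvancedViewOnly = $true } -WhatIf
}

# 4. After applying the change, confirm the stored value and the change time.
Get-ADObject -Identity $ouDn -Properties showInAdvancedViewOnly, whenChanged |
    Select-Object DistinguishedName, showInAdvancedViewOnly, whenChanged

# 5. Rollback from the saved state: clear the attribute if it was not set,
#    otherwise restore the recorded value. Previewed with -WhatIf as well.
$saved = Import-Clixml -Path $exportPath
if ($null -eq $saved.showInAdvancedViewOnly) {
    Set-ADObject -Identity $ouDn -Clear showInAdvancedViewOnly -WhatIf
} else {
    Set-ADObject -Identity $ouDn `
        -Replace @{ showInAdvancedViewOnly = $saved.showInAdvancedViewOnly } -WhatIf
}
```

The exported file covers only this one object and attribute; it does not replace the Active Directory backup recommended above.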

To check the current AD schema version via ADSI Edit:

  1. Select Schema as the well-known Naming Context;
  2. Expand Schema, right-click CN=Schema,CN=Configuration,DC=theitbros,DC=com and select Properties;
  3. Check the objectVersion value;
  4. In our case it is 69. This number corresponds to the schema level of Windows Server 2012 R2.
