The ADSI Edit tool (Active Directory Service Interface Editor) is a special mmc snap-in. It allows you to connect to various Active Directory database partitions (NTDS.dit) or to the LDAP server via Active Directory Service Interfaces. The ADSI Edit tool allows you to create, modify, and delete objects in Active Directory, edit attributes, perform searches, and so on.
In Windows Server 2003, the ADSIEdit.msc snap-in was part of the Windows Server 2003 Support Tools. You had to download and install it manually, and register the snap-in with the command regsvr32 adsiedit.dll.
Modern Windows versions have ADSIEdit.msc included in RSAT. It is installed as a part of the AD DS Snap-ins and Command Line Tools feature. Go to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
To install the ADSI Edit Console on desktop OS versions (Windows 10 and Windows 11), open the PowerShell console as an administrator and install the Active Directory Administrative Tools from RSAT:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
After installing the component, press Win+R and type adsiedit.msc to start ADSI Edit. Or you can run ADSI Edit from Control Panel\System and Security\Administrative Tools.
Important note. In terms of what it lets you edit in Active Directory, the ADSI Edit snap-in resembles the Windows registry editor. Not all Windows settings can be changed through the GUI or Group Policies, and sometimes, to solve a complex problem, the administrator has to make changes directly in the Windows registry.
Similarly, the Active Directory Users and Computers snap-in or PowerShell cmdlets may not be enough when solving complex problems in Active Directory. With ADSI Edit you can make changes directly to the AD database. However, ADSI Edit bypasses the usual AD safeguards, which means an incorrect change made with adsiedit.msc can damage or destroy your AD database. That is why it is recommended to back up Active Directory before using this tool.
Right-click on the root in the ADSI Edit and select Connect to.
Here you can choose which Connection Point, Naming Context, or remote computer hosting the LDAP directory you want to connect to.
If you do not know the exact Distinguished Name of the Connection Point or Naming Context, you can select one of the well-known Naming Contexts:
- Default naming context;
- Configuration;
- RootDSE;
- Schema.
If your LDAP server (or domain controller) is secured with an SSL certificate, then you must check the Use SSL-based Encryption option to use the LDAPS protocol.
To open an ADUC-like view of AD, select the Default naming context and press OK. A new root partition will appear in the left pane, which you can expand. As you can see, in this mode the ADSI Edit console displays all containers and OUs in AD as a hierarchical tree.
Note that the Default Naming Context and other levels of the hierarchy in ADSI Edit are not displayed until a node is clicked on.
The console also shows hidden AD service containers that are not displayed by default in ADUC. You can navigate the AD hierarchy and select, modify, move, delete, or rename any object (computers, users, groups).
For example, navigate to the OU with users, select a user and display the list of available actions in the context menu. As you can see, in addition to the typical operations on an AD object (Move, New, Delete, Rename), you can reset the user's Active Directory password. Also note that the CN (Common Name) and Distinguished Name are displayed instead of the object name.
To edit object properties through ADSI Edit, go to the desired container and open the properties of the Active Directory object you need.
On the Attribute Editor tab, you can view or edit any user properties in AD.
By default, the ADSI Edit console displays all of the object's attributes in Active Directory (according to the object's class), including those that do not appear in the Active Directory Users and Computers interface.
Both filled and empty attributes are displayed (with the value <not set>). You can use the Filter button to customize the display options for object attributes.
The following filter options are available:
- Show only attributes that have values — if you enable this option, all attributes with empty values will be hidden;
- Show only writable attributes — allows you to display only those attributes that can be edited by the user who launched the ADSIEdit snap-in (depending on the permissions delegated to the user account in Active Directory);
- Show mandatory attributes;
- Show optional attributes;
- Show read-only attributes (Constructed, Backlinks, or System-only).
Info. This tab is identical to the Attribute Editor tab in the user properties of the ADUC console.
To change the value of any attribute of an object, you need to double click on it, set a new value, and save the changes.
Please note that object attributes have different data types (Integer, String, MultiString, Time, etc.). The values of attributes containing a time/date are displayed in their normal form in the ADSI Edit Attribute Editor, but if you try to edit them, you will see that they are stored in the Active Directory database in the Timestamp format.
ADSI Edit allows you to set AD settings that cannot be configured in any other way. For example, any domain user (even without Domain Admin rights) can join up to ten computers to the domain. This is defined by the LDAP attribute ms-DS-MachineAccountQuota, which can only be edited via ADSI Edit (in the domain properties).
Next, we will look at examples of actions that can be performed using the ADSIEdit console.
Hide OU in Active Directory
For example, you want to hide an OU (or another AD container) in the ADUC snap-in. To do this, open the OU properties and change the showInAdvancedViewOnly attribute from False (or Not Set) to True.
To check the current AD schema version via ADSI Edit:
- Select Schema as the well-known Naming Context;
- Expand Schema, right-click CN=Schema,CN=Configuration,DC=theitbros,DC=com, and select Properties;
- Check the objectVersion value;
- In our case, it is 69. This number corresponds to the AD Schema version in Windows Server 2012 R2.
Adding Additional Columns to the ADUC Console
By default, only a specific list of attributes is displayed in the Active Directory Users and Computers console. A complete list of attributes that can be displayed in ADUC is available in the View > Add/Remove Columns menu. But there is no operatingSystem attribute in this list. You can add the operatingSystem attribute to the list of available columns in the ADUC console via ADSIEdit.
- Run ADSIEdit.msc and connect to the Configuration Naming Context;
- Navigate to CN=DisplaySpecifiers > CN=409 and open the properties of the CN=organizationalUnit-Display object;
- Find the extraColumns property in the Attribute Editor and add the value: operatingSystem,Operating System,0,150,0
Hint. The format used is: <ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>
- Save the changes in ADSI, go to ADUC and check if the operatingSystem attribute is now displayed in the console.
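The same change can be made from PowerShell through the ADSI adapter described later in this article. This is an added example, not code from the original article; it assumes you run it as a user allowed to write to the Configuration partition, and it reads the partition's DN from RootDSE rather than hard-coding it.

```powershell
# Added example (not from the original article): register the operatingSystem
# column in the ADUC display specifier via ADSI instead of the ADSI Edit GUI.
# Assumes the current user can write to the Configuration naming context.

# RootDSE tells us the DN of the Configuration naming context for this forest
$rootDse  = [adsi]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value

# CN=409 is the display specifier container for US English (LCID 0x409)
$dsPath   = "LDAP://CN=organizationalUnit-Display,CN=409,CN=DisplaySpecifiers,$configNC"
$dsObject = [adsi]$dsPath

# Same format the article describes:
# <ldapDisplayName>,<Column Title>,<Displayed by default>,<Column Width>,<unused>
$newColumn = 'operatingSystem,Operating System,0,150,0'

# extraColumns is multi-valued; compare on the attribute name only so that a
# column already registered with a different title or width is not added twice
$existing   = @($dsObject.extraColumns)
$alreadySet = $existing | Where-Object { ($_ -split ',')[0] -eq 'operatingSystem' }

if ($alreadySet) {
    Write-Host "extraColumns already contains: $alreadySet"
} else {
    # PutEx with ADS_PROPERTY_APPEND (3) adds one value without rewriting the others
    $dsObject.PutEx(3, 'extraColumns', @($newColumn))
    $dsObject.SetInfo()
    Write-Host "Appended '$newColumn' to extraColumns on $dsPath"
}

# Verify by re-reading the object; the new column should now be listed
([adsi]$dsPath).extraColumns
```

Because the display specifier lives in the Configuration partition, the change replicates forest-wide and affects every ADUC console that uses the English (409) locale.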
Manage AD Using ADSI Adapter for PowerShell
PowerShell allows you to connect to AD over LDAP using the ADSI adapter. This is not the most convenient way to manage AD (its features are limited compared to the PowerShell Active Directory module), but sometimes you need it, for example in logon scripts or external tools.
In order to retrieve information about an AD object via the ADSI interface, you need to specify the LDAP path to it:
[adsi]'LDAP://CN=M-DC02,OU=Domain Controllers,DC=contoso,DC=com'
List all object attributes:
[adsi]'LDAP://CN=M-DC02,OU=Domain Controllers,DC=contoso,DC=com' | Format-List *
You can get the value of a specific object attribute, for example, ms-DS-MachineAccountQuota (described above):
[adsi]"LDAP://DC=contoso,DC=com" | Format-List ms-DS-MachineAccountQuota
Use the ConvertLargeIntegerToInt64 method of the ADSI object to convert a timestamp attribute value to the normal date/time format:
$user = [adsi]"LDAP://CN=Administrator,CN=Users,DC=contoso,DC=com"
[PSCustomObject] @{
    name       = $user.name.Value
    pwdLastSet = [datetime]::FromFileTime($user.ConvertLargeIntegerToInt64($user.pwdLastSet.Value))
}
You can use LDAP search filters to find objects in AD via ADSI. For example, we need to find all domain controllers running Windows Server 2019 OS:
([adsisearcher]'(&(objectCategory=computer)(operatingSystem=Windows Server 2019*)(primaryGroupID=516))').FindAll()
Find users with “Password Never Expires” set:
([adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=66048))').FindAll()
List all disabled user accounts in AD:
([adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))').FindAll()
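The searches above return raw SearchResult objects. The following added example (not code from the original article) combines the "Password Never Expires" filter with the pwdLastSet conversion into a small audit report: it uses only the DONT_EXPIRE_PASSWD bit (65536) in the filter so that the flag is matched regardless of the other userAccountControl bits, decodes the disabled and never-expires bits in PowerShell, and reports the password age. It assumes the default naming context of the domain the machine is joined to.

```powershell
# Added example (not from the original article): audit user accounts whose
# password never expires and report how old each password is.
# Assumes the default naming context of the current domain.

# userAccountControl bit flags behind the filters used in this article
$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
$searcher.PageSize = 1000            # paging avoids the server-side 1000-result limit
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet', 'distinguishedName'))

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties     # property names are returned in lowercase
    $uac   = [int]$props['useraccountcontrol'][0]

    # A SearchResult returns pwdLastSet already as an Int64 FILETIME, unlike the
    # [adsi] object, which needs ConvertLargeIntegerToInt64 as shown above.
    $pwdLastSet = [long]$props['pwdlastset'][0]
    $pwdDate    = if ($pwdLastSet -gt 0) { [datetime]::FromFileTime($pwdLastSet) } else { $null }

    [PSCustomObject]@{
        SamAccountName  = [string]$props['samaccountname'][0]
        Disabled        = [bool]($uac -band $ADS_UF_ACCOUNTDISABLE)
        PwdNeverExpires = [bool]($uac -band $ADS_UF_DONT_EXPIRE_PASSWD)
        PwdLastSet      = $pwdDate
        PwdAgeDays      = if ($pwdDate) { [int]((Get-Date) - $pwdDate).TotalDays } else { $null }
        DN              = [string]$props['distinguishedname'][0]
    }
}

# Enabled accounts with a password older than a year are the ones to review first
$report | Where-Object { -not $_.Disabled -and $_.PwdAgeDays -gt 365 } |
    Sort-Object PwdAgeDays -Descending |
    Format-Table SamAccountName, PwdLastSet, PwdAgeDays, DN -AutoSize
```

A pwdLastSet of 0 means the password has never been set or must be changed at next logon, which is why the example leaves PwdLastSet empty in that case instead of reporting the year 1601.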
The ADSI interface also allows you to modify and create AD objects. For example, to create a new OU:
$TargetOU = [adsi]'LDAP://DC=contoso,DC=com'
$NewOU = $TargetOU.Create('organizationalUnit','ou=NewYork')
$NewOU.SetInfo()