Wednesday, August 1, 2012

How to Use ADSI Edit (adsiedit.msc)?


 
ADSI Edit (adsiedit.msc)

Applies To: Windows SBS 2008, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2
Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.
Note
Another LDAP editor that Microsoft provides is Ldp. To learn more about Ldp, see Ldp Overview (http://go.microsoft.com/fwlink/?LinkId=143517). For an example of Ldp being used, see article 224543 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=23064).

Installing ADSI Edit

To install ADSI Edit on computers running Windows Server® 2003 or Windows® XP operating systems, install Windows Server 2003 Support Tools from the Windows Server 2003 product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
On servers running Windows Server 2008 or Windows Server 2008 R2, ADSI Edit is installed when you install the Active Directory Domain Services (AD DS) role to make a server a domain controller. You can also install Windows Server 2008 Remote Server Administration Tools (RSAT) on domain member servers or stand-alone servers. For specific instructions, see Installing or Removing the Remote Server Administration Tools Pack (http://go.microsoft.com/fwlink/?LinkId=143345).
To install ADSI Edit on computers running Windows Vista® with Service Pack 1 (SP1) or Windows 7, you must install RSAT. For more information and to download RSAT, see article 941314 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=116179).
Note
  • Adsiedit.msc will not run unless the Adsiedit.dll file is registered. This happens automatically if the support tools are installed. However, if the support tool files are copied instead of installed, you must run the regsvr32 command to register Adsiedit.dll before you run the Adsiedit.msc snap-in. To register adsiedit.dll, type the following command (you must navigate to the directory containing the adsiedit.dll file):

    regsvr32 adsiedit.dll
  • You can run ADSI Edit from a client computer or server. The computer does not have to be a member of a domain. However, to see domain objects using Adsiedit.msc, you must have the rights to view the Active Directory domain that you connect to. By default, members of the Domain Users group have these rights. To modify objects using ADSIEdit, you must have at least the Edit permission on the Active Directory objects that you want to change. By default, members of the Domain Admins group have this permission.

Using ADSI Edit

ADSI Edit (Adsiedit.msc) is an MMC snap-in. You can add the snap-in to any .msc file through the Add/Remove Snap-in menu option in MMC, or just open the Adsiedit.msc file from Windows Explorer. The following figure illustrates the ADSI Edit interface. In the console tree on the left, you can see the major partitions Domain, Configuration, and Schema. The figure shows the Builtin container of the Contoso.com domain selected. In the details pane on the right, you can see the Builtin groups of Active Directory.
Note
Adsiedit.msc automatically attempts to load the current domain to which the user is logged on. If the computer is installed in a workgroup or otherwise not logged on to a domain, the message "The specified domain does not exist" displays repeatedly. To resolve this issue, you may want to open an MMC, add the ADSI Edit snap-in, make connections as appropriate, and then save the console file.
[Figure: ADSIEdit]

ADSI Edit Node

To view the following commands, in the console tree click the ADSI Edit node, click the Action menu, and then click one of the following:

Connect To

The Connection Settings dialog box appears. You can use the Connection Settings dialog box to create a connection point to an object in Active Directory. The following text boxes are located in the Connection Settings dialog box:
Name. You should not change the text in this box because it might cause an error when you attempt to make a connection. The text in this box is updated automatically, if necessary, when you configure or select a Connection Point.
Path. Displays the URL for the selected object. It cannot be edited. If the path is not correct, click Cancel, and then select the correct object.
Connection Point Section
Click either Select or type a Distinguished Name or Naming Context or Select a well known Naming Context.
  • If you click the Select or type a Distinguished Name or Naming Context radio button, type the distinguished name of the object that will be the connection point in Active Directory. For example, if your domain name is contoso.com and you want to connect to the Users container, type cn=users,dc=contoso,dc=com.
  • If you click the Select a well known Naming Context radio button, select the directory partition that will be the connection point in Active Directory in the list of partitions in the selection menu.
Tip
Previous LDAP connections are remembered by the ADSI Edit tool. In versions earlier than Windows Server® 2008, the tool automatically attempts to load the current domain to which the user is logged on. If the computer is installed in a workgroup or otherwise not logged on to a domain, the message "The specified domain does not exist" appears repeatedly. To avoid these issues, open Mmc.exe, add the ADSI Edit snap-in manually, make any connections that are appropriate for you with whatever credentials are necessary, and then save the console file. This gives you your own default console that works with ADSI Edit.
Computer Section
Specifies whether you connect to the local computer or a remote computer. Click either Default (domain or server that you are logged in to) or Select or type a domain or server. You can enter the domain name or computer name in Domain Name System (DNS) format or NetBIOS format, or you can enter an IP address.
Advanced Button
Click the Advanced button to specify alternate credentials or alternate port numbers or to change the protocol that is used to connect to Active Directory. The Advanced dialog box contains the following text boxes:
Specify Credentials. Use this box to specify alternate credentials. Unless otherwise specified, the currently logged-on user's credentials are used.
Port Number. Type a port number if you do not want to use the default port for the LDAP or the LDAP Global Catalog protocol. The default LDAP port is 389. The default port for the Global Catalog is 3268.
Protocol Section
Click either LDAP or Global Catalog. The URL in Path might change, based on your selection. LDAP is used by default. To view the Path box, on the Advanced tab, click OK or Cancel.
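A scripted, read-only counterpart to the Connect To settings above, added here as an example and not part of the original Microsoft topic: it builds the Path URL from protocol, server, port, and connection point, reads the well-known naming contexts from RootDSE, and binds with the currently logged-on user's credentials. The function names and the server dc01.contoso.com are assumptions for illustration.

```powershell
# Added example. Get-AdsiPath and Get-WellKnownNamingContext are hypothetical
# helper names; dc01.contoso.com is a constructed sample server.

function Get-AdsiPath {
    param(
        [ValidateSet('LDAP', 'GC')] [string]$Protocol = 'LDAP',
        [string]$Server,   # DNS name, NetBIOS name or IP; empty = default (logon domain)
        [int]$Port = 0,    # 0 = protocol default (389 for LDAP, 3268 for Global Catalog)
        [Parameter(Mandatory = $true)] [string]$ConnectionPoint   # DN or 'RootDSE'
    )
    $target = $Server
    if ($Server -and $Port -gt 0) { $target = "${Server}:$Port" }
    if ($target) { "${Protocol}://$target/$ConnectionPoint" }
    else         { "${Protocol}://$ConnectionPoint" }
}

function Get-WellKnownNamingContext {
    param([string]$Server)
    # RootDSE advertises the directory partitions offered as well-known naming contexts.
    $path = Get-AdsiPath -Server $Server -ConnectionPoint 'RootDSE'
    $root = New-Object System.DirectoryServices.DirectoryEntry($path)
    New-Object PSObject -Property @{
        Domain        = $root.psbase.Properties['defaultNamingContext'].Value
        Configuration = $root.psbase.Properties['configurationNamingContext'].Value
        Schema        = $root.psbase.Properties['schemaNamingContext'].Value
    }
}

# Show the partitions, then bind to the Users container from the example above.
Get-WellKnownNamingContext -Server 'dc01.contoso.com' | Format-List

$path  = Get-AdsiPath -Server 'dc01.contoso.com' -ConnectionPoint 'cn=users,dc=contoso,dc=com'
$entry = New-Object System.DirectoryServices.DirectoryEntry($path)   # current user's credentials
"Path: $($entry.psbase.Path)"

# List child objects the way the details pane does; nothing is modified.
$entry.psbase.Children | ForEach-Object {
    '{0}  ({1})' -f $_.psbase.Name, $_.psbase.SchemaClassName
}
```

Passing -Protocol GC with no port produces a GC:// path that uses the default Global Catalog port 3268.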

Refresh

To update the object from Active Directory, right-click an object, and then click Refresh. The Refresh command removes the current objects in the container and repopulates the container with updated information from Active Directory.

Directory Partition Node

To view the following commands, select the directory partition node that you want to manage (that is, Domain, Configuration, and Schema), click the Action menu, and then click one of the following:

Settings

The Connection Settings dialog box appears, which provides the same configuration options as previously discussed in the Connect To section.

Remove

Removes the connection point that connects ADSI Edit to a directory partition or container within Active Directory. This command affects only what is shown in the ADSI Edit console. To remove objects from Active Directory, use the Delete command.

Update Schema Now

Reloads the schema information from Active Directory into the local computer's cache.

New

Click Query to create a new query. For more information about creating LDAP queries, see LDAP Query Basics (http://go.microsoft.com/fwlink/?LinkId=143553).

Refresh

To update the object from Active Directory, right-click an object, and then click Refresh. The Refresh command removes the current objects in the container and repopulates the container with updated information from Active Directory.

Object Node

To view the following commands, click an object in the details pane (for example, Account Operators is an object in the previous figure), click the Action menu, and then click one of the following:

Move

Moves the object to another container in Active Directory. Opens a dialog box that you can use to select the destination container.

New Connection From Here

Creates a new connection point node and adds it to the console.

New

The New menu command reveals another menu that contains the Object command, which creates a new child object in the selected container. This command opens a set of chained dialog boxes that begins with the class of the object. If you do not have the appropriate permissions to create an object in the selected container, no classes will be listed. After you select a class, a dialog box opens for each required attribute. In the final dialog box, click More to view and edit any optional attributes.

Delete

Deletes the selected object from Active Directory. A dialog box appears asking you to confirm the deletion. This command does not appear in the menu if you do not have permissions to delete an object from Active Directory. 

Rename

Changes the name of the object in Active Directory.

Refresh

To update the object from Active Directory, right-click an object, and then click Refresh. The Refresh command removes the current objects in the container and repopulates the container with updated information from Active Directory.

Adding ADSI Edit to MMC


If you are running ADSI Edit on a computer that is not logged on to a domain or if you want to create a customized MMC, you may want to add the ADSI Edit snap-in to the console.

To add the ADSI Edit Snap-in to MMC

  1. Open your existing console or create a new console. To create a new console, click Start, click Run, type mmc, and click OK, or at a command line, type mmc, and then press ENTER.
  2. Click Add/Remove Snap-in, and then click Add.
  3. In the Add Standalone Snap-in dialog box, click ADSI Edit in the list. If ADSI Edit does not appear here, see Installing ADSI Edit at the beginning of this topic.
  4. Click Add, click Close, and then click OK.

Missing Commands

The Action menus in MMC are context sensitive. If you do not have permission to perform an action, the action might not appear in the menu.

Other Topics with ADSI Edit Usage Scenarios

Although ADSI Edit is not intended for regular management of your Active Directory environment, there are instances in which you may need to use it. The following topics include procedures that use ADSI Edit.
