Editing Custom AD attributes

I got a query from a colleague today about how to edit custom AD attributes. The default ADUC (dsa.msc) will not display these attributes. A small caveat here: if you have the new Vista-compatible, Server 2008-based Remote Server Administration Tools (RSAT), you can edit these properties, and any other property in the directory, directly from ADUC. I’ll let the other bloggers out there talk about that and all of its glory.

Now, back to the issue at hand: multiple tools exist, from the basic ldp.exe to the highly complex (writing your own DLL to plug into ADUC), and all places in between. Most of the tools are free, but some offer you the ability to purchase an upgraded version if you so desire.

I’ll try to compare them here for your edification.

LdapBrowser by Softerra can be downloaded at http://download.softerra.com/files/ldapbrowser26.msi. Softerra describes it as "LDAP Browser is a lightweight version of LDAP Administrator with limited functionality."

Sysinternals (Microsoft) AD Explorer can be found at http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx. It is described as "Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object’s schema, and execute sophisticated searches that you can save and re-execute" by Bryce Cogswell and Mark Russinovich.

ADSIEdit.msc, also by Microsoft, is provided as part of the install of Windows Server 2003 Support Tools. The download can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=96a35011-fd83-419d-939b-9a772ea2df90&DisplayLang=en. It is described as "This GUI tool is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Active Directory. Network administrators can use Active Directory Service Interfaces (ADSI) for common administrative tasks such as adding, deleting, and moving objects with a directory service. Attributes for each object viewed can be changed or deleted."

If you are capable at command-line scripting, a tool like ADMod from www.joeware.net is invaluable. Once paired with ADFind, it allows you to locate and modify just about any attribute you like. Great for bulk changes, great in general.

Last in my review here, though not least, and not as user friendly as the rest, is LDP.exe. Microsoft says it best: "Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions."

With all of these tools you begin to get an unfiltered view into the raw LDAP structure that underlies what most administrators know as Active Directory. You can use these tools to view the structure and, if you have permission, edit that same structure. I’ll assume for the rest of the blog that when I say edit, I mean edit if you have permission.

For one-off changes and editing I tend to like the newest of the bunch the best. Mark and Bryce have done a great job with AD Explorer. It is as GUI as you need, has great capabilities, and extends beyond simple AD Editing. It also has a great utility to back up the entire AD domain for roll-back possibilities.

That’s all for now, I hope you enjoy my finds and please comment if you find more that I should know about.

Cheers.
