How to View and Change Active Directory Object Attributes

Changing the Object Properties in Active Directory

Objects in Active Directory represent the entities, such as users and devices, that make up the Active Directory network. Examples of objects include users, computers, printers, folders, and groups. Objects may be classified into two types: container objects and leaf objects. As the name suggests, container objects hold or contain other objects within them. These include groups and organizational units. Leaf objects, on the other hand, represent entities and cannot hold other objects. These include resources such as users and devices.

Each object can be defined by a set of attributes, which store information about the configuration and characteristics of the object. These are defined by the object class. Sometimes, attributes are also referred to as properties. Attributes are generally stored as a set of values, which may be unique. An object can contain multiple attributes. For instance, in an organization, each employee may be represented by a user object. This user object in turn is defined by attributes such as Name, Department, Employee ID, Contact Information, etc.

The attributes or properties of objects might need to be viewed and changed by IT administrators for several purposes. For instance, the contact information of an employee might need to be updated or the properties of a computer might need to be changed. This can be done using:
  1. Active Directory Service Interface (ADSI) Editor tool
  2. Active Directory Users and Computers (ADUC)
  3. PowerShell commands to view and change object attributes

1. Using ADSI Edit to View and Change Object Properties

The ADSI Edit tool is an MMC snap-in that can be used to connect to several Active Directory database partitions or to the LDAP server. In addition, this tool can be used to create, manage and delete objects and to view and change their properties.

How to Install ADSI Edit

The ADSI Edit tool can be installed on Windows Server 2008 and 2008 R2 using the instructions given below.
  1. Click on Start and open the Control Panel.
  2. Select Programs > Programs and Features > Turn Windows Features on or off.
  3. From the left pane of the Server Manager dialog box, select Features and click on Add Features.
  4. Navigate to Remote Server Administration Tools > Role Administration Tools.
  5. Select the AD DS and AD LDS Tools option.
  6. Click on Next to proceed to confirmation.
  7. Click on Install to finish setting up ADSI Edit.

The ADSI Edit tool can be installed on Windows Server 2012 and later versions using the instructions given below.
  1. Click on Start and open the Control Panel.
  2. Select Programs > Programs and Features > Turn Windows Features on or off.
  3. From the left pane of the Add Roles and Features Wizard, proceed to Features.
  4. Navigate to Remote Server Administration Tools > Role Administration Tools.
  5. Select the AD DS and AD LDS Tools option.
  6. Click on Next to proceed to confirmation.
  7. Click on Install to finish setting up ADSI Edit.

How to Use ADSI Edit to Change Object Properties

Once ADSI Edit is installed, it can be run by opening Command Prompt and typing adsiedit.msc. It can then be used to change object attributes by following the instructions given below.

  1. Select the Connect to option by right-clicking on the root in ADSI Edit.
  2. This provides the options for the Connection Point, Naming Context, or a remote computer with LDAP database to which the user desires to connect.
  3. The user can also choose from the following Naming Contexts namely Default Naming Context, Configuration, RootDSE and Schema.
  4. To connect to a local machine, click OK. The name need not be specified.
  5. Expand the domain and Organizational Unit containing the object.
  6. Right click on the desired object and select Properties.
  7. The Attribute Editor tab displays the list of attributes and values of the selected object.
  8. The necessary changes can be made under the Attribute Editor tab.
  9. Click OK once the properties have been viewed and changed.

2. Using Active Directory Users and Computers to View and Change Object Properties

The object properties can be viewed and changed by enabling the Advanced Features option in Active Directory Users and Computers.

  1. Open Active Directory Users and Computers.
  2. From the View tab, select the Advanced Features option.
  3. Select the object for which the properties need to be viewed or changed.
  4. Right-click on the object and select Properties.
  5. This opens the Attribute Editor tab as seen while using ADSI Edit.
  6. The Attribute Editor tab displays the list of attributes and values of the selected object.
  7. The necessary changes can be made under the Attribute Editor tab.
  8. Click OK once the properties have been viewed and changed.

The Attribute Editor tab can also be accessed by using Active Directory Administrative Center (ADAC).

3. Using PowerShell Commands to View and Edit Object Properties

Besides the Attribute Editor tab, the properties of an object can be viewed and modified using PowerShell commands.
The following commands are used to view the attributes of an object.

i) Get-ADUser username -Properties *
This command can be used to view and list the attributes of a user object.
ii) Get-ADComputer computername -Properties *
This command can be used to view and list the attributes of a computer object.
iii) Get-ADGroup groupname -Properties *
This command can be used to view and list the attributes of a group.

Similarly, the Set-ADUser, Set-ADComputer, and Set-ADGroup PowerShell commands can be used to change the attributes of a user, computer, or group respectively. 
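
The view, change and verify cycle with these cmdlets, as an added example that is not part of the original article. The names jdoe, WS-0142 and Helpdesk and all attribute values are placeholders, and the example assumes the ActiveDirectory module (RSAT) is installed and the account running it has write permission on the target objects.

```powershell
# Added example: jdoe, WS-0142, Helpdesk and all values are placeholders.
Import-Module ActiveDirectory

$user  = 'jdoe'
$attrs = 'department', 'telephoneNumber', 'facsimileTelephoneNumber'

# View: request only the attributes of interest instead of -Properties *.
$before = Get-ADUser -Identity $user -Properties $attrs
$before | Select-Object SamAccountName, DistinguishedName,
    department, telephoneNumber, facsimileTelephoneNumber

# -Replace takes a hashtable keyed by LDAP attribute name and overwrites
# whatever value is currently stored.
$changes = @{
    department      = 'Finance'
    telephoneNumber = '+1 555 0100'
}

# Dry run: -WhatIf reports the operation without writing to the directory.
Set-ADUser -Identity $user -Replace $changes -WhatIf

# Apply the change, then remove every value of another attribute with -Clear.
Set-ADUser -Identity $user -Replace $changes
Set-ADUser -Identity $user -Clear facsimileTelephoneNumber

# Computer and group objects are changed the same way.
Set-ADComputer -Identity 'WS-0142' -Description 'Finance laptop, building 2'
Set-ADGroup    -Identity 'Helpdesk' -Description 'Tier 1 support staff'

# Verify: re-read the object and compare with the values captured earlier.
$after = Get-ADUser -Identity $user -Properties $attrs
foreach ($name in $attrs) {
    [pscustomobject]@{
        Attribute = $name
        Before    = $before.$name
        After     = $after.$name
    }
}

# Change record: replication metadata shows when each attribute was last
# written and on which domain controller the write originated.
$dc = (Get-ADDomainController).HostName
Get-ADReplicationAttributeMetadata -Object $after.DistinguishedName `
        -Server $dc -Properties $attrs |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
        LastOriginatingChangeDirectoryServerIdentity
```

The Version column increases by one on each originating write, so an unexpected jump on a sensitive attribute is worth reviewing.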