SysAdmin Shell Scripting Essentials

ADSI Edit (adsiedit.msc) Reference: Syntax, Usage & Examples

adsiedit is the MMC snap-in for low-level Active Directory attribute editing; launch by running adsiedit.msc.

adsiedit.msc

Syntax

# Launch ADSI Edit from command line
adsiedit.msc

# Alternatively, add to a custom MMC console
mmc.exe
# Then File > Add/Remove Snap-in > ADSI Edit > Add

Tested on Windows Server 2022 with Active Directory Domain Services role installed.

Options and Flags

ADSI Edit is a GUI snap-in; it accepts no command-line flags beyond path-safe invocation. The following table maps logical operations available within the tool.

| Action | Menu/Right-Click Path | Dialog Key Field | Description |
|---|---|---|---|
| Connect to a naming context | Right-click ADSI Edit > Connect to… | Naming Context (e.g., DC=contoso,DC=com) | Bind to a specific partition: Domain, Configuration, Schema, or Application. |
| View an object's attributes | Right-click object > Properties | Attribute Editor tab | Displays all attributes, including system-only and constructed ones. |
| Edit an attribute value | Properties > Attribute Editor > select attribute > Edit | Value field | Modify single-valued or multi-valued attributes; values are typed directly. |
| Create a new object | Right-click container > New > Object | Class selection (e.g., user, group) | Create objects of any class; requires schema knowledge of the mandatory attributes. |
| Delete an object | Right-click object > Delete | Confirmation dialog | Permanent deletion; no recovery unless the AD Recycle Bin is configured. |
| Move an object | Drag and drop or right-click > Move | Target container DN | Move objects between OUs; preserves ACL inheritance. |

Usage Examples

1. Modify the description of a user object

# Launch ADSI Edit
adsiedit.msc
# Connect to default domain partition:
# Right-click ADSI Edit > Connect to… > Select "Default naming context" > OK
# Navigate: DC=contoso,DC=com > CN=Users > CN=Jane Doe
# Right-click CN=Jane Doe > Properties > Attribute Editor tab
# Select attribute "description" > Edit > Type "Senior DevOps Engineer" > OK > OK

Context: Standard ADUC does not display all attributes. ADSI Edit exposes the description attribute directly. The same attribute can be set with PowerShell's Set-ADUser, but ADSI Edit is useful when the attribute is not indexed or requires multi-value editing.

2. Add a member to a group using multi-valued attribute

# Connect to domain partition
# Navigate to the group object, e.g., CN=ITAdmins,OU=Groups,DC=contoso,DC=com
# Right-click > Properties > Attribute Editor
# Select attribute "member" > Edit > Add Windows Account…
# Type "jdoe@contoso.com" > Check Names > OK

Context: While Add-ADGroupMember is preferred for single adds, ADSI Edit’s multi-valued editor enables bulk additions via the “Add Windows Account” dialog. Use this when the group has inheritance issues that break PowerShell cmdlets. Always verify the group type (security vs distribution) before adding members.

3. Enable the AD Recycle Bin by modifying the msDS-EnabledFeature attribute

# Connect to the Configuration naming context: CN=Configuration,DC=contoso,DC=com
# Navigate: CN=Services > CN=Windows NT > CN=Directory Service
# Find the optional feature object: CN=Optional Features > CN=Recycle Bin Feature
# Right-click CN=Recycle Bin Feature > Properties > Attribute Editor
# Select attribute "msDS-EnabledFeature" > Edit > Set to "TRUE" > OK

Context: The AD Recycle Bin must be enabled once per forest at a forest functional level of Windows Server 2008 R2 or higher. ADSI Edit exposes this feature more directly than the PowerShell Enable-ADOptionalFeature and is useful when PowerShell is unavailable or in a restricted environment.


Troubleshooting & Common Errors

Each entry lists the error message, its root cause, and the resolution command.

“Invalid directory path” when connecting
Root cause: The typed distinguished name (DN) is malformed or the naming context does not exist.
Resolution:
# Verify using ldp.exe: Connect to server, Bind, then View > Tree
# Correct DN example: DC=contoso,DC=com

“Access Denied” on attribute edit
Root cause: The user lacks write permission on the attribute or object.
Resolution:
# Grant write on attribute (example for user object "description")
dsacls "CN=Jane Doe,CN=Users,DC=contoso,DC=com" /G "CONTOSO\Domain Admins:WP;description"

“The attribute syntax does not match the value”
Root cause: The entered value does not conform to the attribute's syntax (e.g., an integer for a string attribute).
Resolution:
# Check syntax via Attribute Editor: look at the "Syntax" column
# Use correct format: for Integer use decimal, for OctetString use hex with 0x prefix

“Object cannot be created because it already exists”
Root cause: Trying to create an object with a CN that already exists in the container.
Resolution:
# Query for existing objects with same name
# Use PowerShell: Get-ADObject -Filter "Name -eq 'Jane Doe'"

“The server is not operational”
Root cause: The Domain Controller is unreachable, a firewall blocks port 389/636, or AD DS is not available.
Resolution:
# Test LDAP port from the machine
Test-NetConnection -ComputerName dc1.contoso.com -Port 389
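The dsacls line above grants a write permission; the check a practitioner wants first is who already holds write access on that attribute, both to diagnose “Access Denied” and to spot over-broad delegation. The following is an added example, not code from the original page; it assumes the ActiveDirectory module is loaded and uses placeholder DN and attribute values.

```powershell
# Added example (not from the original page): list which identities hold write
# access to one attribute on one object, the usual first check behind an
# "Access Denied" in ADSI Edit and a quick audit for over-broad delegation.
# Assumes the ActiveDirectory module; the DN and attribute below are placeholders.
Import-Module ActiveDirectory

function Get-AdAttributeWriters {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute
    )
    # Resolve the attribute's schemaIDGUID; attribute-scoped ACEs reference it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" -Properties schemaIDGUID
    if (-not $attrObj) { throw "Attribute '$Attribute' not found in schema" }
    $attrGuid = [guid]::new([byte[]]$attrObj.schemaIDGUID)

    $R   = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        # WriteProperty covers this attribute if the ACE is unscoped
        # (ObjectType = all-zero GUID) or scoped to this attribute's GUID.
        # ACEs scoped to a property set (e.g. "Personal Information") are
        # not resolved here; the set's members would need checking too.
        $writeProp = ([int]($rights -band $R::WriteProperty) -ne 0) -and
                     ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $attrGuid)
        $generic   = [int]($rights -band ($R::GenericAll -bor $R::GenericWrite)) -ne 0
        if ($writeProp -or $generic) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $rights.ToString()
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'all attributes' } else { $Attribute }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder DN):
Get-AdAttributeWriters -DistinguishedName 'CN=Jane Doe,CN=Users,DC=contoso,DC=com' -Attribute 'description' |
    Format-Table -AutoSize
```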

Closing Tip

Before any ADSI Edit session, export the current object’s attribute set using Get-ADObject -Identity "DN" -Properties * | Export-Csv backup.csv to enable point-in-time attribute restore without full DC recovery.
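One way to turn that tip into a repeatable before/after check, as an added example that is not part of the original page: snapshot the object's attributes to JSON, make the edit in ADSI Edit, then diff the live object against the snapshot. It assumes the ActiveDirectory module; the DN and file path are placeholders.

```powershell
# Added example (not from the original page): snapshot an object's attributes
# before an ADSI Edit session, then report exactly which attributes changed.
# Assumes the ActiveDirectory module; DN and paths below are placeholders.
Import-Module ActiveDirectory

# Attributes that change on every write and would only add noise to the diff.
$NoiseAttributes = @('uSNChanged', 'whenChanged', 'modifyTimeStamp',
    'dSCorePropagationData', 'PropertyCount', 'PropertyNames',
    'AddedProperties', 'RemovedProperties', 'ModifiedProperties')

function ConvertTo-AttributeMap {
    param([Parameter(Mandatory)]$AdObject)
    $map = @{}
    foreach ($p in $AdObject.PSObject.Properties) {
        if ($NoiseAttributes -contains $p.Name) { continue }
        # Flatten multi-valued attributes (member, proxyAddresses, ...) to one
        # string so they round-trip through JSON and compare cleanly.
        $map[$p.Name] = @($p.Value | ForEach-Object { "$_" }) -join "`n"
    }
    return $map
}

function Export-AdAttributeSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName, [Parameter(Mandatory)][string]$Path)
    $map = ConvertTo-AttributeMap (Get-ADObject -Identity $DistinguishedName -Properties *)
    $map | ConvertTo-Json -Depth 2 | Set-Content -Path $Path -Encoding UTF8
    return $map.Count
}

function Compare-AdAttributeSnapshot {
    param([Parameter(Mandatory)][string]$DistinguishedName, [Parameter(Mandatory)][string]$Path)
    $before = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $after  = ConvertTo-AttributeMap (Get-ADObject -Identity $DistinguishedName -Properties *)
    $names  = @($before.PSObject.Properties.Name) + @($after.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $old = "$($before.$n)"
        $new = "$($after[$n])"
        if ($old -ne $new) {
            # "Before" is the value to hand to Set-ADObject -Replace if the
            # edit has to be rolled back.
            [pscustomobject]@{ Attribute = $n; Before = $old; After = $new }
        }
    }
}

# Usage (placeholders):
$dn = 'CN=Jane Doe,CN=Users,DC=contoso,DC=com'
Export-AdAttributeSnapshot -DistinguishedName $dn -Path 'C:\backup\jane-before.json'
# ... make the change in ADSI Edit, then:
Compare-AdAttributeSnapshot -DistinguishedName $dn -Path 'C:\backup\jane-before.json' | Format-Table -AutoSize
```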

Frequently Asked Questions

What is the difference between adsiedit.msc and ADUC (dsa.msc)?

Answer: ADSI Edit exposes all raw Active Directory attributes including system objects; ADUC provides a filtered GUI for standard user, group, an….

Use ADSI Edit when you need to view or modify attributes not shown in ADUC, such as canonicalName, objectGUID, or schema properties. ADUC abstracts most technical details. Neither tool modifies objects directly without proper permissions. Launch via:

adsiedit.msc

When should I use the adsiedit.msc snap-in instead of PowerShell ADSI commands?

Answer: For one-off visual inspection or debugging of object attributes, schema changes, or delegation settings without writing scripts.


PowerShell is repeatable and automatable; adsiedit is ideal for ad‑hoc troubleshooting of odd attributes or verifying changes immediately. To connect to a specific naming context from the command line:

adsiedit.msc /connect="LDAP://server/DC=domain,DC=com"

How do I fix ‘Access Denied’ when modifying a schema attribute in adsiedit?

Answer: Ensure your account is a member of Schema Admins.

Without proper membership, write operations fail. Right‑click “ADSI Edit” → “Connect to” → select “Schema” from the dropdown. Run elevated:

runas /user:DOMAIN\Administrator "adsiedit.msc"

Does adsiedit.msc work on Windows Server Core or Linux?

Answer: No.

On Server Core, use Windows PowerShell with the ActiveDirectory module or .NET ADSI (System.DirectoryServices). On Linux, use ldapsearch or Apache Directory Studio for raw LDAP queries:

ldapsearch -H ldap://server -x -b "DC=domain,DC=com" "(objectClass=user)"
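For the Server Core case, the attribute read, attribute edit and group-member add from the Usage Examples section can be done with .NET ADSI (System.DirectoryServices) instead of the GUI. This is an added example, not code from the original page; the DNs and values are placeholders, and it assumes the machine is domain-joined so the serverless LDAP:// paths resolve.

```powershell
# Added example (not from the original page): the attribute read, attribute edit
# and group-member add shown above for ADSI Edit, done with .NET ADSI
# (System.DirectoryServices) so it runs on Server Core without the GUI.
# DNs and values are placeholders; assumes a domain-joined host.

function Get-AdsiAttribute {
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Attribute)
    $entry = [ADSI]"LDAP://$Dn"
    # Load just this attribute; multi-valued attributes (member, proxyAddresses)
    # come back as one element per value.
    $entry.psbase.RefreshCache([string[]]@($Attribute))
    return @($entry.psbase.Properties[$Attribute] | ForEach-Object { "$_" })
}

function Set-AdsiAttribute {
    param([Parameter(Mandatory)][string]$Dn, [Parameter(Mandatory)][string]$Attribute, [string]$Value)
    $entry = [ADSI]"LDAP://$Dn"
    if ([string]::IsNullOrEmpty($Value)) {
        $entry.PutEx(1, $Attribute, $null)   # ADS_PROPERTY_CLEAR: remove the attribute
    } else {
        $entry.Put($Attribute, $Value)       # replace the value, like Edit > Value
    }
    $entry.SetInfo()                         # nothing reaches the DC until SetInfo()
}

function Add-AdsiGroupMember {
    param([Parameter(Mandatory)][string]$GroupDn, [Parameter(Mandatory)][string]$MemberDn)
    $group = [ADSI]"LDAP://$GroupDn"
    # IADsGroup.Add appends one DN to the multi-valued "member" attribute
    # without touching the existing members; IsMember verifies afterwards.
    if (-not $group.IsMember("LDAP://$MemberDn")) {
        $group.Add("LDAP://$MemberDn")
    }
    return [bool]$group.IsMember("LDAP://$MemberDn")
}

# Usage (placeholders):
Get-AdsiAttribute -Dn 'CN=Jane Doe,CN=Users,DC=contoso,DC=com' -Attribute 'description'
Set-AdsiAttribute -Dn 'CN=Jane Doe,CN=Users,DC=contoso,DC=com' -Attribute 'description' -Value 'Senior DevOps Engineer'
Add-AdsiGroupMember -GroupDn 'CN=ITAdmins,OU=Groups,DC=contoso,DC=com' -MemberDn 'CN=Jane Doe,CN=Users,DC=contoso,DC=com'
```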

What is the fastest way to locate a specific object in adsiedit?

Answer: Use Ctrl+F (Find) and search by Common Name (CN) or Distinguished Name, or set a specific path in the connection dialog.

For repeated navigation, connect directly to a container’s DN. Example launch from command line:

adsiedit.msc /connect="LDAP://DC=domain,DC=com/CN=Users,DC=domain,DC=com"