Active Directory management tool clears the clutter

ADSI Edit is a free tool that can repair Active Directory corruption or remove unwanted clutter. But use it incorrectly and it can spell disaster.

Windows Server Active Directory is nothing new. First introduced in Windows 2000 Server, it is a staple of the Windows Server OS. Some organizations have had Active Directory in place for 15 years or more. As Active Directory databases age, they will accumulate clutter and corruption from partially removed user accounts, failed application installations or other administrative mistakes.Problems that aren't specific to Active Directory (AD) can add to the clutter. For example, an organization's Exchange Server could fail catastrophically; due to expenses or other factors, the company may decide to retire that server. But, because the server was not taken offline gracefully, there may be references to it in Active Directory. These lingering references can cause problems with anything from load balancing to Exchange Server version upgrades.Active Directory management tools that are built into the Windows Server OS will display clutter and corruption, but these tools cannot remove unwanted data from Active Directory. This may be due to a broken chain of relational objects, or it could be due to internal safeguards that are designed to protect an Active Directory database against potentially destructive administrative actions.

Clean the Active Directory database with ADSI Edit

Microsoft ADSI Edit is a free tool for cleaning an Active Directory database, even if the usual AD management tools can't. ADSI Edit is essentially a Lightweight Directory Access Protocol (LDAP) editor for the Active Directory database.

ADSI Edit bypasses the safeguards built into the usual management tools, making it very powerful and potentially very destructive. So before using ADSI Edit, it's important to create a backup of the AD database. When used incorrectly, ADSI Edit can destroy Active Directory.

By default, ADSI Edit is included in Windows Server. To access the tool, enter the adsiedit.msc command into a domain controller's Run prompt. You can run ADSI Edit on a member server, but doing so usually requires manually registering the adsiedit.dll file before using it.

After loading ADSI Edit, connect to Active Directory by right-clicking on the ADSI Edit container and choosing Connect to from the shortcut menu (Figure 1).

Figure 1. Connect to Active Directory before using the ADSI Edit tool.

Next, choose the naming context and the server or domain you want to edit. For example, select the default naming context and the default computer (Figure 2). Click OK to load the AD database.

Figure 2. Choose a naming context and a computer.

In Figure 3, ADSI Edit displays the same containers that are available through the standard Active Directory management tools. Click on the container to expand any of containers to access the objects or its sub containers.

Figure 3. High-level containers exposed through ADSI Edit.

The management functions you can perform using ADSI Edit vary by object type. Most repairs involve deleting unwanted objects, but there are other actions available, such as resetting a user's password.

To see the management actions available for an object or a container, right click on that object or container for the context menu (Figure 4). Standard management actions usually include move, delete, rename and properties.

Figure 4. Available management actions vary by object type.

Courtesy: Brien Posey