none
RSAT and the missing Attribute Editor tab [solution]

    General discussion

  •  

    PROBLEM

    When you install RSAT on a Vista workstation or Server 2008 system, that is managing a 2000/2003 based forest, you do not see the Attribute Editor tab when looking at the properties of a User or Computer object in Active Directory Users and Computers(ADUC).

     

     

    MORE INFORMATION

    The Display Specifier is not updated in the Configuration Naming context, because the 2008 schema changes have not been executed on the forest. Part of the upgrade updates the forest Display Specifiers.  The Attribute Editor tab actually uses functions within the ADSIEDIT tool , more specifically the ADSIEDIT.DLL extension. Although the DLL is probably registered on the RSAT system, the ConfigNC need updating, in order to expose the tab in the ADUC interface.

     

    SOLUTION

    Use the ADSIEDIT tool (or other tool of choice...ADexplorer, LDP etc), with a user who has rights to modify the Configuration Naming Context.

    Navigate to cn=<languagepage>, cn=configuration, dc=<domainname>

                 (where <languagepage> is your relevant language...see http://support.microsoft.com/kb/324097)

                 (where <domainname> is your domain dn)

     

    Under the cn=User-Display object, edit AdminPropertyPages and add the line 11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

     

    Under the cn=Computer-Display object, edit AdminPropertyPages and add the line 12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

     

    Under the cn=Default-Display object, edit AdminPropertyPages and add the line 4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

     

    Open ADUC from the Vista or Server 2008 and you should now see the Attribute Editor for the object you selected.  Note: Attribute editor is only shown when ADUC is in Advanced View.

     

    -Stuart Hudman
    Monday, April 21, 2008 3:23 PM

All replies

  • Hi,

     

    Thank you very much for the information shared. As this is a knowledge sharing instead of a post for answer, we will change this issue type from "Question" to "Comment". It will help other community members to find your knowledge sharing easier.
     
    If I misunderstood your concern, please feel free to change the type back to "Question".

     

    Thanks!

    Tuesday, April 22, 2008 6:23 AM
  • I checked these values on our AD and can confirm that all the values are there as you indicated. But though, we are missing attribute editor tab on all objects (e.g user) when an object is viewed after serching from ADUC (from all of our Win2008R2 DCs)

    Attribute editor tab is visible if we see the properties directly in ADUC by clicking on an object, without searching

    Advanced View is turned on.

     Thx, -Bab.

    Monday, September 27, 2010 8:38 AM
  • I checked these values on our AD and can confirm that all the values are there as you indicated. But though, we are missing attribute editor tab on all objects (e.g user) when an object is viewed after serching from ADUC (from all of our Win2008R2 DCs)

    Attribute editor tab is visible if we see the properties directly in ADUC by clicking on an object, without searching

    Advanced View is turned on.

     Thx, -Bab.


    Same exact thing happens to me..

    If I browse the tree and double click a user in the right pane I see the Attribute Editor, if I do a "Find" and open the user I don't see the Attribute Editor

    Thursday, September 30, 2010 9:25 PM
  • I think its "security feature". You cant see all properties from search window.
    Thursday, November 04, 2010 10:49 AM
  • Is it possible to enable it so that you can use the attribute editor when you have done a search for an object? Would make it easier so that we dont have to seach for i.e. a computer object first, then look at the object tab to find its location, then manually browse the computer to get the attribute editor up.
    Tuesday, November 09, 2010 10:16 PM
  • Has anyone ever answered that question?
    Wednesday, August 03, 2011 6:37 PM
  • Bump.... I am looking for this resolution as well.
    Monday, November 14, 2011 5:38 PM
  • Hi All,

    Is there any way to hide Attribute editor tab for all users except domain admins? 

    I don't want to give anyone to see this tab, but it is useful for me. 

     

    Thanks for any idea...

     

    P

     

     

    Friday, November 18, 2011 7:46 AM
  • Any "solution" to this "security feature"? We almost never navigate out to a user but perform a search. To then not be able to update that user from the Attribute Editor seems pretty odd. 
    Thursday, March 29, 2012 1:00 PM
  • "I think it's security feature" is not the same that "it's security feature".

    with ADexplorer you can search an user and modify their attributes.

    Thursday, April 19, 2012 8:50 AM
  • Open ADUC as a domain admin

       -View

       -Choose Advanced Features

    open a user or computer and you should now see the Attribute tab..

    Saturday, August 04, 2012 10:38 PM
  • It's an even-dumber issue.  Installed latest RSAT on my Windows 7 SP1 computer at work, and connect ADUC to one of our 2008 R2 domain controllers, which is 2008 Forest and Domain level.

    Click "View" / and check "Advanced Features".  Now the fun begins...

    • If you go directly to an object and open its Properties, you will see the "Attribute Editor" tab.
    • If you use Find and search for an object, and open its Properties from the search results, you will not see the "Attribute Editor" tab.

    Why this behaves this way is unclear to me.


    Friday, August 17, 2012 4:48 PM
  • I had this problem with a SBS 2011 server (Windows 2008 R2). Those lines were missing on the AdminPropertyPages. I added per your instructions and it fixed the problem. Thank you so much for figuring this out, what wonderful solution!


    Lyle Epstein
    Kortek Solutions
    http://www.korteksolutions.com

    Thursday, November 29, 2012 6:17 AM
  • The ADUC Find dialog, a.k.a. the object picker, does not implement the "Advanced Features" functionality. That's why you don't see the AD property sheet extensions. Yes, a nuisance, but the work-around is to use the saved queries feature. You can do a search similar to the Find dialog but with quite a bit more power (directly compose LDAP query filters). The results of the search show up in the result pane on the right and that affords the ability to use the "Advanced Features" tabs including the Attribute Editor. You can save the queries or delete them.

    Tuesday, March 26, 2013 5:49 PM
  • What about adding the attribute editor tab for security groups? what is the line to add?

    Thursday, April 25, 2013 2:13 PM
  • Never mind, i got it.... the prefix number is irrelevant as long as it is in sequential order... to be able to see the attribute editor tab for groups i just

    Under the cn=group-Display object, edit AdminPropertyPages and add the line 5,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

    the first number (5,) was my next available number.

    FYI: English is 409. the actual DN would be cn=409, cn=DisplaySpecifiers, cn=configuration, dc=<domainname>

    Thursday, April 25, 2013 2:20 PM
  • click view in the menu bar and select advance features.

    now you should be able to see the attribute editor tab.

    Friday, October 18, 2013 6:20 PM
  • Thank. Sometimes the basics are the answer.
    Friday, January 31, 2014 3:32 PM
  • Ditto; poor functional behavior to only be available in a custom query & not in the standard search.  Anyone find a workaround or response from MS?
    Wednesday, February 19, 2014 1:08 AM