Table of Contents
Recently I got a request to find a way to let managers or Human Resources the ability to modify basic user attributes in Active Directory. Like anyone else, I presented the idea of using RSAT to let them modify users in ADUC or ADAC. This was not an ideal solution because ADUC can become overwhelming to someone that isn’t technical. They wanted something that was extremely basic, easy to follow and work in without any guidance or instructions, and did not show the user anything else that they could not modify or needed to see.
The decision was made to create a custom program with the pre-requisite of having RSAT installed so we could use the AD modules underneath the hood. We could then control permissions on the Active Directory side.
Improvements from ADUC
Because I built this with a specific audience in mind, I was able to make some UI experience changes over the traditional ADUC UI.
When the UI first is loaded, it loads zero AD items with it. No users are cached, and nothing is stored in memory. You can search for a user at the top which does a PowerShell filter against Active Directory.
$filter = "Name -like ""*$($textbox_searchUsers.Text)*"""
$Global:Users = Get-ADUser -Filter $filter -Properties *
Friendly User Info
At the top of the UI, when you select a user, you can see some quick basic information so you know which user you are working on. This includes Name, Email, and Phone Number. Since our core audience is basic end-users, I wanted them to be able to quickly glance and ensure they are modifying the correct user.
Modify Direct Reports
With traditional ADUC, if you want to add or remove a direct report you have to go to that user and modify their Manager. Now you can just right click and add a direct report or remove a direct report. Keeping everything in a single pane reduces the time it takes to modify a user and streamlines the entire process.
You can also right-click a user and quickly view that user’s properties so you always know which direct report you are working with.
Easier Group Filtering and Modification
When adding a user to a group, or removing a user from a group, you can see all your groups available to you in a System.Windows.Forms.ListBox. You can forward and reverse filter the dataset to quickly find a specific group you are looking for. By default, the program hides certain AD Groups. The following groups will never be shown and therefore cannot be modified in this program.
“Certificate Service DCOM Access”,
“RDS Remote Access Servers”,
“RDS Endpoint Servers”,
“RDS Management Servers”,
“Access Control Assistance Operators”,
“Storage Replica Administrators”,
“RAS and IAS Servers”,
“Pre-Windows 2000 Compatible Access”,
“Pre-Windows 2000 Compatible Access”,
“Incoming Forest Trust Builders”,
“Windows Authorization Access Group”,
“Terminal Server License Servers”,
“Allowed RODC Password Replication Group”,
“Denied RODC Password Replication Grroup”,
“Read-only Domain Controllers”,
“Enterprise Read-only Domain Control”,
“Cloneable Domain Controllers”,
“Enterprise Key Admins”,
“Enterprise Read-only Domain Controllers”
Exportable Run-Time Logs
Without having to parse the Event Viewer, the program will display a log window that is exportable so you can quickly copy and paste it into a ticket or email to have a historical record of what was changed. Information regarding who ran the program and made the changes are also added by default to the top.
To export an entire log to a log file, go to File > Export Logs
Custom Configuration & Branding
Sometimes, a company may want to re-brand something or add information on how their end-user might be able to get help if they encounter a problem or have questions. Currently, you can change three items
- Change Help > About page
- Hide users from being shown
- Change the program Name
Hiding the users from being shown shouldn’t be used as a way to not allow users from modifying that user. You should always manage your permissions on the AD side.
You can change the text shown in Help > About by creating a txt file called “customhelp” at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually).
By default, the About page shows Author Name, Build Date, and version information.
But, by placing that text file there, we can make the message say whatever we would like.
You can hide users from being shown by adding a txt file called hideusers at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually). Each line will have the UPN of the user you don’t want to be shown.
Remember, this should never replace AD permissions to not allow a user to modify another user.
Change Program Name
You can change the program name by adding a txt file called programname at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually).
Other Program Features
If you are searching for users and the search finds a single user, it will be loaded automatically. But if there is 1 or more results returned, it will prompt another form that will show you the attributes of each item and even let you continue searching.
The General Tab allows you to edit the following attributes
- First Name
- Last Name
The Organization tab allows you to edit the following attributes
- Job Title
- Direct Reports (Add and Remove)
The Address tab allows you to edit the following attributes
- PO Box
- Zip Code
The Groups tab allows you to add a user to a group or remove them from a group.
Download and Source Code
You can download an exe and run it at will, or you can download an MSI and install it. The exe and msi both have a SHA256 hash you can view on GitHub. All source code is kept in GitHub, you can download it all, make changes, add or remove items, and then compile it again. It was created using PowerShell Studio 2021.
- Your user must be allowed to manage other users in AD, keep in mind a regular user won’t be able to manage a Domain Admin
- RSAT must be installed so they have access to the AD Modules