Easily Enable End Users to Manage Active Directory Users with PowerShell GUI
Recently I got a request to find a way to let managers or Human Resources the ability to modify basic user attributes in Active Directory. Like anyone else, I presented the idea of using RSAT to let them modify users in ADUC or ADAC. This was not an ideal solution because ADUC can become overwhelming to someone that isn’t technical. They wanted something that was extremely basic, easy to follow and work in without any guidance or instructions, and did not show the user anything else that they could not modify or needed to see.
The decision was made to create a custom program with the pre-requisite of having RSAT installed so we could use the AD modules underneath the hood. We could then control permissions on the Active Directory side.
Improvements from ADUC
Because I built this with a specific audience in mind, I was able to make some UI experience changes over the traditional ADUC UI.
Speed
When the UI first is loaded, it loads zero AD items with it. No users are cached, and nothing is stored in memory. You can search for a user at the top which does a PowerShell filter against Active Directory.
```powershell
# Build the filter from the search box text and run it against AD on demand;
# nothing is cached beforehand. Note that the typed text is interpolated
# directly into the filter expression and that -Properties * returns every
# attribute of every matching user.
$filter = "Name -like ""*$($textbox_searchUsers.Text)*"""
$Global:Users = Get-ADUser -Filter $filter -Properties *
```
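As an added example (not the program's own code), the same search written so that the typed text reaches AD as escaped LDAP data rather than as part of the filter expression, and so that only the attributes the banner displays are requested. The function name and the result cap are hypothetical; it assumes the RSAT ActiveDirectory module is loaded.

```powershell
# Added example, not code from the original program.
function Find-UserEditorTarget {
    param(
        [Parameter(Mandatory)][string]$SearchText,   # text from the search box
        [int]$MaxResults = 50                        # cap chosen for this example
    )

    # Reject an empty search; a bare "*" would enumerate the whole domain.
    $term = $SearchText.Trim()
    if ([string]::IsNullOrWhiteSpace($term)) {
        throw 'Enter part of a name to search for.'
    }

    # Escape the characters that have meaning inside an LDAP filter (RFC 4515)
    # so the typed text is matched literally instead of widening the query.
    # The backslash must be escaped first or the later escapes get re-escaped.
    $escaped = $term -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # Request only what the UI shows; -Properties * on every hit is the
    # expensive part of a search and is not needed for a pick list.
    $props = 'DisplayName', 'Mail', 'TelephoneNumber', 'UserPrincipalName'
    Get-ADUser -LDAPFilter "(name=*$escaped*)" -Properties $props -ResultSetSize $MaxResults |
        Select-Object Name, UserPrincipalName, Mail, TelephoneNumber
}
```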
Friendly User Info
At the top of the UI, when you select a user, you can see some quick basic information so you know which user you are working on. This includes Name, Email, and Phone Number. Since our core audience is basic end-users, I wanted them to be able to quickly glance and ensure they are modifying the correct user.
Modify Direct Reports
With traditional ADUC, if you want to add or remove a direct report you have to go to that user and modify their Manager. Now you can just right click and add a direct report or remove a direct report. Keeping everything in a single pane reduces the time it takes to modify a user and streamlines the entire process.
You can also right-click a user and quickly view that user’s properties so you always know which direct report you are working with.
Easier Group Filtering and Modification
When adding a user to a group, or removing a user from a group, you can see all your groups available to you in a System.Windows.Forms.ListBox. You can forward and reverse filter the dataset to quickly find a specific group you are looking for. By default, the program hides certain AD Groups. The following groups will never be shown and therefore cannot be modified in this program.
- Schema Admins
- Key Admins
- Enterprise Key Admins
- Enterprise Admins
- Domain Admins
- Administrators
- Hyper-V Administrators
- Domain Controllers
- Domain Computers
- Cert Publishers
- Certificate Service DCOM Access
- RDS Remote Access Servers
- RDS Endpoint Servers
- RDS Management Servers
- Access Control Assistance Operators
- Storage Replica Administrators
- RAS and IAS Servers
- Pre-Windows 2000 Compatible Access
- Incoming Forest Trust Builders
- Windows Authorization Access Group
- Terminal Server License Servers
- Allowed RODC Password Replication Group
- Denied RODC Password Replication Group
- Read-only Domain Controllers
- Enterprise Read-only Domain Controllers
- Cloneable Domain Controllers
- DnsAdmins
- DnsUpdateProxy
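As an added example (not the program's own code), one way to build the group ListBox contents with the exclusions above, plus the forward and reverse name filter. It goes one step beyond the static list by also dropping any group with adminCount=1, which is how AD marks groups protected by AdminSDHolder. The function name and the $HiddenGroups variable are hypothetical; it assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not code from the original program.
$HiddenGroups = @(
    'Schema Admins', 'Key Admins', 'Enterprise Key Admins', 'Enterprise Admins',
    'Domain Admins', 'Administrators', 'Hyper-V Administrators',
    'Domain Controllers', 'Domain Computers', 'Cert Publishers',
    'Certificate Service DCOM Access', 'RDS Remote Access Servers',
    'RDS Endpoint Servers', 'RDS Management Servers',
    'Access Control Assistance Operators', 'Storage Replica Administrators',
    'RAS and IAS Servers', 'Pre-Windows 2000 Compatible Access',
    'Incoming Forest Trust Builders', 'Windows Authorization Access Group',
    'Terminal Server License Servers', 'Allowed RODC Password Replication Group',
    'Denied RODC Password Replication Group', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Cloneable Domain Controllers',
    'DnsAdmins', 'DnsUpdateProxy'
)

function Get-UserEditorGroupList {
    param(
        [string[]]$Exclude = $HiddenGroups,
        [string]$NameFilter = '',   # text typed into the filter box
        [switch]$Reverse            # reverse filter: hide matches instead
    )
    # adminCount=1 marks groups protected by AdminSDHolder; excluding them
    # catches privileged groups that the name list above does not mention.
    $groups = Get-ADGroup -Filter * -Properties adminCount |
        Where-Object { $_.Name -notin $Exclude -and $_.adminCount -ne 1 }

    if ($NameFilter) {
        # Plain substring match on the in-memory list, so typed brackets or *
        # are ordinary characters rather than -like wildcards.
        $groups = $groups | Where-Object {
            $hit = $_.Name.IndexOf($NameFilter, [StringComparison]::OrdinalIgnoreCase) -ge 0
            $hit -ne $Reverse.IsPresent   # forward keeps hits, reverse drops them
        }
    }
    $groups | Sort-Object Name | Select-Object Name, DistinguishedName
}
```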
Exportable Run-Time Logs
Without having to parse the Event Viewer, the program displays a log window whose contents can be exported, so you can quickly copy and paste it into a ticket or email to keep a historical record of what was changed. Information about who ran the program and made the changes is also added to the top by default.
To export an entire log to a log file, go to File > Export Logs.
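As an added example (not the program's own code), a change wrapper that records the before and after value of each attribute edit under a session header naming who ran the program, and an export function for the File > Export Logs step. The function names and the script-scoped log list are hypothetical; it assumes the ActiveDirectory module is loaded and that $Attribute is the LDAP attribute name (for example department).

```powershell
# Added example, not code from the original program.
# Session header written once, so every export records who made the changes.
$script:UserEditorLog = [System.Collections.Generic.List[string]]::new()
$script:UserEditorLog.Add("User Editor session started $(Get-Date -Format s)")
$script:UserEditorLog.Add("Run by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME")

function Set-UserEditorAttribute {
    param(
        [Parameter(Mandatory)][string]$Identity,    # sAMAccountName or UPN
        [Parameter(Mandatory)][string]$Attribute,   # LDAP attribute name
        [AllowEmptyString()][string]$Value          # empty string clears it
    )
    # Read the current value first so the log shows the before and after state.
    $user = Get-ADUser -Identity $Identity -Properties $Attribute
    $old  = $user.$Attribute
    $stamp = Get-Date -Format s
    try {
        if ([string]::IsNullOrEmpty($Value)) {
            Set-ADUser -Identity $user -Clear $Attribute
        } else {
            Set-ADUser -Identity $user -Replace @{ $Attribute = $Value }
        }
        $script:UserEditorLog.Add("$stamp $($user.UserPrincipalName): $Attribute '$old' -> '$Value'")
    } catch {
        # Failed attempts are logged too; a partial record hides more than it helps.
        $script:UserEditorLog.Add("$stamp FAILED $($user.UserPrincipalName): $Attribute ($($_.Exception.Message))")
        throw
    }
}

function Export-UserEditorLog {
    param([Parameter(Mandatory)][string]$Path)
    # Append rather than overwrite so repeated exports keep earlier sessions.
    $script:UserEditorLog | Add-Content -Path $Path -Encoding UTF8
}
```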
Custom Configuration & Branding
Sometimes a company may want to re-brand the program or add information on how an end-user can get help if they encounter a problem or have questions. Currently, you can change three items:
- Change Help > About page
- Hide users from being shown
- Change the program Name
Hiding users from the list should not be used as a way to prevent someone from modifying those users. You should always manage your permissions on the AD side.
Change Help
You can change the text shown in Help > About by creating a txt file called “customhelp” at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually).
By default, the About page shows Author Name, Build Date, and version information.
But, by placing that text file there, we can make the message say whatever we would like.
Hide Users
You can hide users from being shown by adding a txt file called hideusers at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually). Each line will have the UPN of the user you don’t want to be shown.
Remember, this is never a substitute for AD permissions that prevent a user from modifying another user.
Change Program Name
You can change the program name by adding a txt file called programname at C:\ProgramData\TheLazyAdministrator\UserEditor\ (Note: You may not have these folders and will have to create them manually).
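As an added example (not the program's own code), one way to read the three customisation files from the folder above and apply the hide list to search results. The function names are hypothetical, the files are assumed to carry a .txt extension, and the filter is a display preference only: as the text above says, the real control is the permission delegated in AD.

```powershell
# Added example, not code from the original program.
$ConfigRoot = 'C:\ProgramData\TheLazyAdministrator\UserEditor'

function Read-UserEditorConfig {
    # Returns the three customisations, with defaults when a file is absent.
    $cfg = @{ ProgramName = 'User Editor'; HelpText = $null; HiddenUpns = @() }

    $name = Join-Path $ConfigRoot 'programname.txt'
    if (Test-Path $name) { $cfg.ProgramName = (Get-Content $name -Raw).Trim() }

    $help = Join-Path $ConfigRoot 'customhelp.txt'
    if (Test-Path $help) { $cfg.HelpText = Get-Content $help -Raw }

    $hide = Join-Path $ConfigRoot 'hideusers.txt'
    if (Test-Path $hide) {
        # One UPN per line; blank lines and lines starting with '#' are ignored.
        $cfg.HiddenUpns = @(Get-Content $hide |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and -not $_.StartsWith('#') })
    }
    [pscustomobject]$cfg
}

function Remove-HiddenUser {
    # Drops hidden UPNs from a search result before it reaches the UI.
    # This only affects what is shown: anyone with rights in AD can still edit
    # the hidden account with other tools, so it is not an access control.
    param(
        [AllowEmptyCollection()][string[]]$HiddenUpns = @(),
        [Parameter(ValueFromPipeline)]$User
    )
    process {
        if ($User.UserPrincipalName -notin $HiddenUpns) { $User }
    }
}
```

Usage: `Get-ADUser -Filter 'Name -like "*smith*"' | Remove-HiddenUser -HiddenUpns (Read-UserEditorConfig).HiddenUpns`.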
Other Program Features
User Search
If you search for users and the search finds a single user, that user is loaded automatically. If more than one result is returned, another form is shown that lists the attributes of each result and lets you continue searching.
General Tab
The General Tab allows you to edit the following attributes
- First Name
- Initials
- Last Name
- Description
- Office
- Phone
- Webpage
Organization
The Organization tab allows you to edit the following attributes
- Job Title
- Department
- Manager
- Direct Reports (Add and Remove)
Address
The Address tab allows you to edit the following attributes
- Street
- PO Box
- City
- State
- Zip Code
- Country
Groups
The Groups tab allows you to add a user to a group or remove them from a group.
Download and Source Code
You can download an exe and run it at will, or you can download an MSI and install it. The exe and MSI both have a SHA256 hash you can view on GitHub. All source code is kept in GitHub; you can download it, make changes, add or remove items, and then compile it again. It was created using PowerShell Studio 2021.
Requirements
- Your user must be allowed to manage other users in AD; keep in mind that a regular user won't be able to manage a Domain Admin
- RSAT must be installed so the user has access to the AD modules
My name is Bradley Wyatt; I am a 5x Microsoft Most Valuable Professional (MVP) in Microsoft Azure and Microsoft 365. I have given talks at many different conferences, user groups, and companies throughout the United States, ranging from PowerShell to DevOps Security best practices, and I am the 2022 North American Outstanding Contribution to the Microsoft Community winner.
3 thoughts on “Easily Enable End Users to Manage Active Directory Users with PowerShell GUI”
Interesting. I’ll be sure to look into this in case my manager ever wants to cut the service we’re using that runs Active Directory Manager from our network.
Hi, congratulations on your project. Didn’t you think you could also implement the change of users on Azure Active Directory?
This is great, was thinking about doing a similar thing myself but struggled to get UI working with PowerShell.