Using Attribute Editor in Active Directory Users and Computers

The Active Directory Attribute Editor is a built-in graphical tool to manage the properties of AD objects (users, computers, groups). It is the Attribute Editor where you can view and change the values of AD object attributes that are not available in the object properties shown in the ADUC console.

Attribute Editor in ADUC

In order to use the AD Attribute Editor you must install the dsa.msc snap-in (ADUC — Active Directory Users and Computers).

Try to open the properties of any user in AD. As you can see, some tabs with the user attributes are available. Here are the main of them:

• General – the basic user properties that are set when an AD account is created (first name, last name, phone number, email address, etc.).
• Address
• Account – the account name (samAccountName, userPrincipalName). Here you can specify the list of computers a user can log on to (LogonWorkstations), the options are: password never expires, user cannot change password, enabled/disabled account, the account expiration date, etc.
• Profile – you can set a path to a user profile (in the scenario of roaming profiles), a logon script, a home folder, a mapped network folder.
• Telephones
• Organization – job title, department, company, manager name.

Only the basic set of user properties is available to you in this window, but the User class in AD contains much more attributes (200+).

In order to display the advanced Attribute Editor, enable the option Advanced Features in the ADUC  View menu.

Then open the user properties again and note that a separate Attribute Editor tab has appeared. If you switch to it, the AD user Attribute Editor will open. You can see the list of all user attributes and their values in the table form. You can click any attribute to change its value. For example, if you change the value of the department attribute, you will see that the name of the department in the Organization tab of user properties has also changed.

In the Attribute Editor, you can copy the distinguishedName value (in this format: CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=woshub,DC=com — a unique object name in AD), find the date when the account was created (whenCreated), etc.

There is the Filter button at the bottom of the AD Attribute Editor. By default, empty object attributes are not displayed in the attribute window (the Show only attributes that have values option is checked). If you uncheck it, all attributes of the User class will be shown in the editor console. Please note the Show only writable attributes option. If you enable it, only the attributes you are delegated the edit permissions on will be shown (if you do not have the modify permissions on the attributes of this user, the list of attributes will be empty).

Most AD attributes have the integrated value decoding feature. For example:

• You can view the user last logon time in a domain in the lastLogonTimestamp attribute (as you can see, time is displayed normally in the Attribute Editor, but if you click it, you will see that in fact time is stored as timestamp value);
  
• The account status is stored in the userAccountControl attribute. You see a more convenient view instead of a bitmask. For instance, 0x200 = (NORMAL_ACCOUNT) instead of the number 512;
  
• However, an AD user photo (thumbnailPhoto attribute) is not displayed and is stored in the binary format.

Missing Attribute Editor Tab in Active Directory Search Results

The main disadvantage of the AD Attribute Editor is that it won’t open in the object properties if you have found it using Active Directory search. To use the Attribute Editor, must expand the OU that contains the object you need in the AD tree, find the object and open its properties (it is very inconvenient).

I have found a lifehack that allows to open the Attribute Editor for the user if you found an account through a search in the ADUC console.

So:

1. Use the search to find the user you need;
2. Go to the tab with the list of user groups (Member of);
3. Open one of the groups (it is better that it contained as few users as possible);
4. In the group properties, go to the Members tab and close (!) the user properties window;
   
5. Then click the user you need in the list of group members and the user properties window with the Attribute Editor tab will appear.
   

You can also open the Attribute Editor using the Active Directory saved queries. For example, you can use the following query to find a user: (objectcategory=person)(samaccountname=*andrey*)

Or you can use the new Active Directory Administrative Center where the Attribute Editor tab of a user (or a computer) is available even for the search results (check the Extension tab).

To view and edit all attributes of users, groups or computers in AD you can use PowerShell cmdlets from RSAT-AD-PowerShell module instead of the Attribute Editor.

To view the values of all object attributes:

• of a user: Get-ADUser username -Properties *
• of a computer: Get-ADComputer computername -Properties *
• of a group: Get-ADGroup groupname -Properties *

To change object attributes in AD, the Set-ADUser, Set-ADComputer and Set-ADGroup cmdlets are used respectively.