Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Using Attribute Editor in Active Directory Users and Computers

April 9, 2020 Active Directory

Using Attribute Editor in Active Directory Users and Computers

The Active Directory Attribute Editor is a built-in graphical tool to manage the properties of AD objects (users, computers, groups). It is the Attribute Editor where you can view and change the values of AD object attributes that are not available in the object properties shown in the ADUC console.

Contents:
  • Attribute Editor in ADUC
  • Missing Attribute Editor Tab in Active Directory Search Results

If I’m not mistaken, the built-in Attribute Editor in Active Directory appeared on Windows Server 2008 R2. Earlier, to edit the hidden properties of AD objects you had to use a less convenient ADSI Edit tool.

Attribute Editor in ADUC

In order to use the AD Attribute Editor, you must install the dsa.msc snap-in (ADUC — Active Directory Users and Computers).

Try to open the properties of any user in AD. As you can see, some tabs with the user attributes are available. Here are the main of them:

  • General – the basic user properties that are set when an AD account is created (first name, last name, phone number, email address, etc.).
  • Address
  • Account – the account name (samAccountName, userPrincipalName). Here you can specify the list of computers a user can log on to (LogonWorkstations), the options are: password never expires, user cannot change password, enabled/disabled account, the account expiration date, etc.
  • Profile – you can set a path to a user profile (in the scenario of roaming profiles), a logon script, a home folder, a mapped network folder.
  • Telephones
  • Organization – job title, department, company, manager name.

Only the basic set of user properties is available to you in this window, but the User class in AD contains much more attributes (200+).

active directory user properties in aduc console

In order to display the advanced Attribute Editor, enable the option Advanced Features in the ADUC  View menu.

enable Advanced Features in ADUC snap-in

Then open the user properties again and note that a separate Attribute Editor tab has appeared. If you switch to it, the AD user Attribute Editor will open. You can see the list of all user attributes and their values in the table form. You can click any attribute to change its value. For example, if you change the value of the department attribute, you will see that the name of the department in the Organization tab of user properties has also changed.

Active Directory Attribute Editor in ADUC

In the Attribute Editor, you can copy the distinguishedName value (in this format: CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=woshub,DC=com — a unique object name in AD), find the date when the account was created (whenCreated), etc.

There is the Filter button at the bottom of the AD Attribute Editor. By default, empty object attributes are not displayed in the attribute window (the Show only attributes that have values option is checked). If you uncheck it, all attributes of the User class will be shown in the editor console. Please note the Show only writable attributes option. If you enable it, only the attributes you are delegated the edit permissions on will be shown (if you do not have the modify permissions on the attributes of this user, the list of attributes will be empty).

attribute editor filter: show only writable attributes

empty user attribute list in aduc

Most AD attributes have the integrated value decoding feature. For example:

  • You can view the user last logon time in a domain in the lastLogonTimestamp attribute (as you can see, time is displayed normally in the Attribute Editor, but if you click it, you will see that in fact time is stored as timestamp value);
    lastLogonTimestamp ad attribute
  • The account status is stored in the userAccountControl attribute. You see a more convenient view instead of a bitmask. For instance, 0x200 = (NORMAL_ACCOUNT) instead of the number 512;
    userAccountControl ad attribute
  • However, an AD user photo (thumbnailPhoto attribute) is not displayed and is stored in the binary format.

Missing Attribute Editor Tab in Active Directory Search Results

The main disadvantage of the AD Attribute Editor is that it won’t open in the object properties if you have found it using Active Directory search. To use the Attribute Editor, must expand the OU that contains the object you need in the AD tree, find the object and open its properties (it is very inconvenient).

I have found a lifehack that allows to open the Attribute Editor for the user if you found an account through a search in the ADUC console.

So:

  1. Use the search to find the user you need;
  2. Go to the tab with the list of user groups (Member of);
  3. Open one of the groups (it is better that it contained as few users as possible);
  4. In the group properties, go to the Members tab and close (!) the user properties window;
    aduc search object
  5. Then click the user you need in the list of group members and the user properties window with the Attribute Editor tab will appear.
    Active Directory show attribute editor from search

You can also open the Attribute Editor using the Active Directory saved queries. For example, you can use the following query to find a user: (objectcategory=person)(samaccountname=*andrey*)

AD Saved queries

Or you can use the new Active Directory Administrative Center where the Attribute Editor tab of a user (or a computer) is available even for the search results (check the Extension tab).

User's Attribute Editor in Active Directory Administrative Center

To view and edit all attributes of users, groups or computers in AD you can use PowerShell cmdlets from RSAT-AD-PowerShell module instead of the Attribute Editor.

To view the values of all object attributes:

  • of a user: Get-ADUser username -Properties *
  • of a computer: Get-ADComputer computername -Properties *
  • of a group: Get-ADGroup groupname -Properties *

To change object attributes in AD, the Set-ADUser, Set-ADComputer and Set-ADGroup cmdlets are used respectively.

1 comment
2
Facebook Twitter Google + Pinterest
previous post
How to Configure MariaDB Master-Master/Slave Replication?
next post
How to Install and Configure Free Hyper-V Server 2019/2016?

Related Reading

Checking Windows Activation Status on Active Directory Computers

June 27, 2022

How to Disable or Enable USB Drives in...

June 24, 2022

Adding Domain Users to the Local Administrators Group...

June 23, 2022

Creating New User Accounts in Active Directory with...

June 7, 2022

Create Organizational Units (OU) Structure in Active Directory...

May 17, 2022

1 comment

Wilson Hong October 20, 2021 - 4:36 am

Hello, how about a user telephone extension? Where is the attribute value?

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • How to Deploy Windows 10 (11) with PXE Network Boot?

    June 27, 2022
  • Checking Windows Activation Status on Active Directory Computers

    June 27, 2022
  • Configuring Multiple VLAN Interfaces on Windows

    June 24, 2022
  • How to Disable or Enable USB Drives in Windows using Group Policy?

    June 24, 2022
  • Adding Domain Users to the Local Administrators Group in Windows

    June 23, 2022
  • Viewing a Remote User’s Desktop Session with Shadow Mode in Windows

    June 23, 2022
  • How to Create a Wi-Fi Hotspot on your Windows PC?

    June 23, 2022
  • Configuring SSH Public Key Authentication on Windows

    June 15, 2022
  • How to Run a Program as a Different User (RunAs) in Windows?

    June 15, 2022
  • FAQ: Licensing Microsoft Exchange Server 2019/2016

    June 14, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Allow RDP Access to Domain Controller for Non-admin Users
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • Deploy PowerShell Active Directory Module without Installing RSAT
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top