Using Attribute Editor in Active Directory Users and Computers

The Active Directory Attribute Editor is a built-in graphical tool to manage the properties of AD objects (users, computers, groups). It is the Attribute Editor where you can view and change the values of AD object attributes that are not available in the object properties shown in the ADUC console.

Enable Attribute Editor Tab in Active Directory Users and Computers

To use the AD Attribute Editor, you need to install the dsa.msc snap-in (ADUC — Active Directory Users and Computers), which is part of the RSAT (Remote Server Administration Tools) for Windows. To install the Active Directory management components, run the following PowerShell command:

• On Windows 10 and 11: Add-WindowsCapability –online –Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
• On Windows Server 2022/2019/2016/2012R2, you can install roles and features using the Install-WindowsFeature cmdlet: Install-WindowsFeature RSAT-ADDS

Try to open the properties of any user in AD. As you can see, some tabs with the user attributes are available. Here are the main of them:

• General – the basic user properties that are set when an AD account is created (first name, last name, phone number, email address, etc.).
• Address
• Account – the account name (samAccountName, userPrincipalName). Here you can specify the list of computers a user can log on to (LogonWorkstations), or the following options: password expiration, user cannot change password, enabled/disabled account, the account expiration date, etc. Here you can also enable a user if his account is locked due to entering a wrong password by the domain’s password policy;
• Profile – you can set a path to a user profile (in the scenario with roaming profiles), a logon script, a home folder, and a mapped network folder.
• Telephones
• Organization – job title, department, company, manager name;
• Remote Control – settings for shadow connection to the user’s session in Windows;
• Sessions – timeouts (limits) for RDP/RDS sessions;
• Member Of – list of Active Directory groups the user is a member of.

To modify the value of one of the user’s attributes, simply change the value in the field and save the changes by clicking Apply or OK.

Only the basic set of user properties is available to you in this window, but the User class in AD contains much more attributes (200+).

To enable the advanced Active Directory Attribute Editor, check the option Advanced Features in the ADUC View menu.

Then open the user properties again and note that a separate Attribute Editor tab has appeared. If you switch to it, the AD user Attribute Editor will open. You can see the list of all user attributes and their values in the table form. You can click any attribute to change its value. For example, if you change the value of the department attribute, you will see that the name of the department in the Organization tab of user properties has also changed.

From the Attribute Editor, you can copy the distinguishedName value (in this format: CN=Jon Brion,OU=Users,OU=California,OU=USA,DC=woshub,DC=com — a unique object name in AD), find the date when the account was created (whenCreated), etc.

There is the Filter button at the bottom of the AD Attribute Editor form. By default, only non-empty object attributes are displayed in the attribute window (the Show only attributes that have values option is checked). If you uncheck it, all attributes of the User class will be shown in the editor. Also, note the Show only writable attributes option. If you enable it, only the attributes you are delegated the edit permissions on will be shown (if you don’t have the modify permissions on the attributes of this user, the list of attributes will be empty).

You can also display only the mandatory attributes with the option Filter -> Mandatory (for the user, these are cn, objectCategory, objectClass, sAMAccountName) or only additional (optional attributes) with Filter -> Optional.

Most AD attributes have a built-in value-decoding feature. For example:

• You can check the domain user’s last logon time by the lastLogonTimestamp attribute. As you can see, time is displayed normally in the Attribute Editor, but if you click it, you will see that time is stored as a timestamp value;
  
• The account status is stored in the userAccountControl attribute. You see a more convenient view instead of a bitmask. For example, 0x200 = (NORMAL_ACCOUNT) instead of the 512;
  
• However, the user’s photo in AD (thumbnailPhoto attribute) is not displayed and is stored in binary format.

Attribute Editor Tab Missing in Active Directory Search Results

The main disadvantage of the AD Attribute Editor is that it won’t show in the object properties if you have found it using an Active Directory search. To use the Attribute Editor, you must expand the container (Organizational Unit, OU) that contains the object you need in the AD tree, find the object in the list, and open its properties (it is rather inconvenient).

I have found a small trick that allows you to open the Attribute Editor for a user if you find the account through a search in the ADUC console.

1. Use the search to find the user you need;
2. Go to the tab with the list of user groups (Member of);
3. Open one of the groups (it is better that it contains as few users as possible);
4. In the group properties, go to the Members tab and close (!) the user properties window;
   
5. Then click the user you need in the list of group members and the user properties window with the Attribute Editor tab will appear.
   

You can also open the Attribute Editor using the Active Directory saved queries. For example, you can use the following query to find a user by its name: (objectcategory=person)(samaccountname=*andrey*)

Or you can use the new Active Directory Administrative Center snap-in (dsac.msc), where the user (computer) Attribute Editor tab is available even for the search results (check the Extension tab).

Modifying Active Directory Object Attributes with ADSI Edit

The ADSI Edit (Active Directory Service Interface Edit) console is a lower-level tool for managing and editing objects and attributes in LDAP directories (including those in the Active Directory database sections, NTDS.dit). The ADSI Edit console can be used to edit attributes, objects, and directory partitions that are not available through standard Active Directory snap-in MMCs, fix Active Directory errors, and various service objects that use AD to store their configuration (Exchange, SCCM).

To open the ADSI Edit snap-in, press the Win + R and run the adsiedit.msc command.

The first time you launch the ADSI console, you will be prompted to select the Active Directory naming context you want to connect to (Actions -> Connect to). The following sections are available:

• Default naming context
• Configuration
• RootDSE
• Schema

In our example, we will be using the ADSI console as a user/computer attribute editor, so we need to connect to the Default naming context.

You will see your tree structure of containers and OUs in AD. Here you can find the desired Active Directory object and open its properties. You will see the object Attribute Editor window. Here you can view or change the values of user/computer/group attributes.