You can use the Active Directory Attribute Editor to get/change the LDAP attribute values of any user, computer, or group in your domain. There are several different tools available for Windows that can be used as an AD attribute editor:
- Active Directory Users and Computers snap-in;
- Active Directory Administrative Center Console;
- ADSI Edit;
- Cmdlets from the PowerShell Active Directory module.
In this article, we’ll show you how to use the AD Attribute Editor on Windows.
Most often, the Active Directory Users and Computers (ADUC) console is used as the AD Attribute Editor. This is the simplest AD administration tool. The attribute editor is part of the ADUC MMC snap-in, so you first need to install the Active Directory Users and Computers snap-in on your Windows device.
- On Windows 10 and 11, you can install the Active Directory Console online. Go to Settings > Apps > Optional features > Add an optional feature. Select RSAT: Active Directory Domain Services and Lightweight Directory Services Tools and click Install.
Or you can install this console using PowerShell:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
- On Windows Server 2022/2019/2016, you can install the ADUC console via Server Manager > Add Roles and Features > Features > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools > AD DS Tools. Or with PowerShell:
Install-WindowsFeature -Name RSAT-ADDS
You can run the Active Directory Users and Computers snap-in from the Control Panel (Control Panel\All Control Panel Items\Administrative Tools) or by using the dsa.msc command.
The attribute editor is available in the Active Directory Users and Computers (ADUC) console, but is hidden by default. To enable the hidden Attribute Editor tab in ADUC, check the Advanced Features option in the View menu.
Now open the properties of any AD object (computer, user, or group). The Attribute Editor tab should be available among the standard object tabs.
The full list of user object attributes is available on this tab (including custom AD attributes).
On this tab, you can get or change the value of any attribute (if you have been delegated the appropriate permissions). The console can be set to display only the attributes that are editable (click the Filter button and select Show only writable attributes).
In order to edit an attribute’s value, double-click on it, enter a new value, and save the changes. For example, we want to change the value of the user’s samAccountName attribute.
One of the downsides of the Attribute Editor tab in the ADUC console is that it doesn’t show up if you’ve found an AD object using search.
You can use a little trick with a saved LDAP query to display the Attribute Editor tab in search results:
- Open the Saved Queries section in the console and select New > Query;
- Set a query name and click the Define Query button;
- Select the Custom Search query type and go to the Advanced tab;
- Paste the following LDAP query code:
(&(objectcategory=person)(samaccountname=*brion*))
- Save LDAP Query and update results in ADUC console (press F5);
- Select a user and make sure that the Attribute Editor tab is displayed in its properties;
- To find another user, replace the username brion in the query and save it.
You can use the Active Directory Administrative Center console (dsac.exe) instead of the ADUC snap-in. In the ADAC console, the Attribute Editor tab is always available, even for objects found through search.
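The same search and edit can be done with the PowerShell Active Directory module listed at the top of the article. The script below is an added example, not part of the original article: it runs the saved-query filter, reports which attributes the current account is actually allowed to write (the information behind Show only writable attributes), and previews a samAccountName change with -WhatIf. It assumes the RSAT module installed above and a domain-joined session; the new value brion.test is a constructed placeholder.

```powershell
# Added example: requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# Same search as the saved LDAP query; 'brion' is the article's sample name.
$filter = '(&(objectCategory=person)(sAMAccountName=*brion*))'

# allowedAttributesEffective is a constructed attribute, so it is not returned
# by '*' and has to be requested by name. It lists the attributes the CURRENT
# caller may write on each object, which reflects delegated permissions.
$users = @(Get-ADUser -LDAPFilter $filter -Properties '*', 'allowedAttributesEffective')

foreach ($user in $users) {
    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        SamAccountName    = $user.SamAccountName
        WritableCount     = @($user.allowedAttributesEffective).Count
        CanRenameLogon    = $user.allowedAttributesEffective -contains 'sAMAccountName'
    }
}

# Edit one attribute only when the filter matched exactly one object;
# a wildcard filter can match more accounts than intended.
$attribute = 'sAMAccountName'
$newValue  = 'brion.test'   # constructed placeholder value

if ($users.Count -ne 1) {
    Write-Warning "Filter matched $($users.Count) objects; narrow it before editing."
}
elseif ($users[0].allowedAttributesEffective -notcontains $attribute) {
    Write-Warning "No write permission on $attribute for $($users[0].DistinguishedName)."
}
else {
    # Record the old value so the change can be reverted and audited.
    Write-Output "Old ${attribute}: $($users[0].$attribute)"

    # -WhatIf only previews the change; remove it to commit.
    Set-ADUser -Identity $users[0] -Replace @{ $attribute = $newValue } -WhatIf
}
```

Run it once as the delegated account and once as a Domain Admin to compare WritableCount and confirm that a delegation grants no more write access than intended.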