How to Use the Attribute Editor in Active Directory

The Attribute Editor in Active Directory Users and Computers (ADUC) is a hidden tab that contains a list of all attributes and their values. This tab allows IT pros to view and edit almost every attribute of any object in Active Directory.

In this guide, I’ll show you how to view the Attribute Editor in Active Directory Users and Computers and how to use it along with search. Also, I will detail how to access the Attribute Editor in Active Directory Administrative Center (ADAC).

View Attribute Editor in Active Directory Users and Computers (ADUC)

When you open an object in the Active Directory Users and Computers Console, you can see some information tabs. These tabs contain the properties, user attributes, and AD attributes of the user account.

There is however a lot of from hidden Attributes you don’t see. In order to view all the attributes of the object, you need to take an essential step and discover a separate tab for the attribute editor.

In ADUC outlook menu, click Advanced features.

After turning on Advanced Features, you will see that other organizational units (OUs) and containers are also visible.

With this enabled, I can go back to Billy Reinders’ record and see the new one Attribute Editor Tab.

What you can see with the attribute editor in ADUC

Once you activate the Attribute Editor tab, you can access and edit almost all attributes (of which there are almost 250) of any object in Active Directory, especially the properties of the user. Here is a subset of all user class attributes that you can see:

• aduser username
• cn (canonical name)
• samaccountname
• first name
• Surname
• password
• Group Member tab
• User Principal Name (UPN)
• phone number
• job title
• department
• profile
• Smart Card Details
• device details

Let’s go back to Billy’s account. You can now see some examples of other object attributes that are now available.

Most attributes are unused or ““. We can filter these out to make things a little cleaner. press the filter button and then click Show only attributes that have values.

Then we have a much clearer view of Billy’s characteristics.

As an example of what it looks like when we open an attribute for editing, here is Billy’s ‘objectGUID’.

Note that it is stored in Active Directory in hexadecimal format. Other attributes are stored in a variety of data types.

Integrated value decoding in ADUC

You’ll notice that some of these attributes are displayed in one way but stored in a different format. For example, if I look at the pwdLastSet attribute, it shows 4/16/2021 1:23:45 PM Central Daylight Time.

However, when I click on the attribute and click the “Edit” button, it shows as a “Timestamp” value.

There are utilities and PowerShell commands you can run to manipulate and translate these values ​​between A and B to make changes effectively. To be clear, I wouldn’t be able to edit the “pwdLastSet” value and enter a date and time format of “xx/xx/xxxx x:x:xxxx”. It wouldn’t translate well to how the Active Directory database and software calculate it.

Using the Attribute Editor in conjunction with searching Active Directory Users and Computers

There is a long-standing quirk in how the Active Directory Users and Computers GUI works in relation to the Attribute Editor tab. It’s been giving IT pros hell for decades, and here it is.

When you search for a user and open their account, you don’t find the Attribute Editor tab, even if you have Advanced Features enabled… What?!

Yes I know. Annoying as everyone gets off. But thankfully, there’s an effective trick to get around this frustrating behavior — let me show you.

First search for the user and double-click to open their record.

Again you will notice that the attribute editor is not displayed. press the member of and double-click one of the groups the user is a member of.

The next step is to close the original window containing the user, in this case the Billy Reinders Properties window.

Now click on the members tab in the group window, and then open the original account, Billy Reinders.

Voila! Here we go! I know it’s certainly a detour, but it sure is better to break down your potentially complex AD OU structure and find the original user account.

Accessing the Attribute Editor in Active Directory Administrative Center (ADAC)

Well, there is another way to use the attribute editor in Active Directory. And thankfully it fixes the problem of searching for users and not showing the Attribute Editor tab.

To demonstrate, let’s open the Active Directory Administrative Center (ADAC) from the Administrative Tools menu.

I click Global search Look for Billy on the left and open his file.

i will click extensions on the left and here is the Attribute Editor Tab!

Conclusion

There is a nice and easy way to access all attributes in your Active Directory environment. Yes, there are some oddities with how Microsoft designed search, but Active Directory has them hardly changed since its inception over 20 years ago. If you have any comments or questions, please feel free to leave them below!