How to View the Attribute Editor in Active Directory

Network Security

The Attribute Editor in Active Directory Users and Computers (ADUC) is a hidden tab that contains a list of all attributes and their values. This tab lets IT pros view and edit almost every attribute of every object in Active Directory.

In this guide, I’ll show you how to view the Attribute Editor in Active Directory Users and Computers and how you can use it together with search. Moreover, I’ll be detailing how you can access the Attribute Editor in the Active Directory Administrative Center (ADAC).

How to view the Attribute Editor in Active Directory Users and Computers (ADUC)

When you open an object in the Active Directory Users and Computers console, you can see a couple of information tabs. These tabs include the user account’s properties, user attributes, and AD attributes.

Viewing a user account in Active Directory Users and Computers (ADUC)
Viewing a user account in Active Directory Users and Computers (ADUC)

However, there are a lot of hidden attributes you don’t see. In order to see all the attributes of the object, you need to perform one essential step and discover a separate attribute editor tab.

In the ADUC View menu, click on Advanced Features.

Enabling the 'Attribute Editor' tab in ADUC.
Enabling the ‘Attribute Editor’ tab

After switching on Advanced Features, you can see that other organizational units (OUs) and containers are also visible.

After switching on Advanced Features, more hidden containers are visible
After switching on Advanced Features, more hidden containers are visible

With that enabled, I can go back to Billy Reinders’s record, and see the new Attribute Editor tab.

Now, the Attribute Editor tab is shown!
Now, the Attribute Editor tab is shown!

What you can see with the Attribute Editor in ADUC

Once you’ve enabled the Attribute Editor tab, you can fully access and edit almost every attribute (of which there are close to 250) of every object in Active Directory, especially the user’s properties. Here is a subset of all the attributes of the user class you can see:

  • aduser username
  • cn (Canonical Name)
  • samaccountname
  • First Name
  • Last Name
  • Password
  • Group Member tab
  • userprincipalname (UPN)
  • Phone Number
  • Job Title
  • Department
  • Profile
  • Smart Card details
  • Device details

Let’s go back to Billy’s account. You can now see some examples of other object attributes that are now available.

There are a LOT of attributes in this tab
There are a LOT of attributes. I wish there was a way to hide some of these…

The majority of attributes are unused, or, ‘<not set>’. We can filter those out to make things a little cleaner. Click the Filter button and then click Show only attributes that have values.

you can filter out the unused attributes for a cleaner look
Let’s hide the unused attributes for a cleaner look

Then, we have a much clearer view of Billy’s attributes.

We now see only the attributes we want to see
Much more streamlined, thank you!

As an example of what it looks like when we open an attribute for editing, here is Billy’s ‘objectGUID’.

Viewing Billy's 'ObjectGUID' in hexadecimal format
Viewing Billy’s ‘ObjectGUID’ in hexadecimal format

Note that it is stored in Active Directory in hexadecimal format. Other attributes are stored in a variety of data types.

Integrated value decoding in ADUC

You will notice that several of these attributes are displayed one way, but stored in another format. For example, if I view the ‘pwdLastSet’ attribute, it shows ‘4/16/2021 1:23:45 PM Central Daylight Time’.

Viewing an attribute for 'pwdLastSet'
Viewing an attribute for ‘pwdLastSet’

However, when I click the attribute and click the ‘Edit’ button, it is displayed as a ‘timestamp’ value.

How the 'pwdLastSet' attribute looks when editing it
How the ‘pwdLastSet’ attribute looks when editing it

There are utilities and PowerShell commands you can run to manipulate and translate these values between A and B in order to make changes effectively. To be clear, I would not be able to edit the ‘pwdLastSet’ value and enter in a ‘xx/xx/xxxx x:x:xxxx’ date and time format. It would not translate well to how Active Directory’s database and software compute it.

Using the Attribute Editor together with search in Active Directory Users and Computers

There is one long-standing idiosyncrasy about how the Active Directory Users and Computers GUI works in relation to the Attribute Editor tab. It has bugged the hell out of IT pros for decades, and here it is.

If you search for a user and open their account, you won’t find the Attribute Editor tab, even if you have Advanced Features enabled… What?!

When searching for a user, you don't see the Attribute Editor tab
When searching for a user, you don’t see the Attribute Editor tab

Yes, I know. Annoying as all get out. But, thankfully, there is an effective trick to get around this frustrating behavior – let me show you.

First, search for the user and double-click on them to open their record.

Viewing Billy's account again
We’ll make this work…viewing Billy’s account again

You’ll note, again, the Attribute Editor is not showing. Click the Member Of tab and double-click on one of the groups the user is a member of.

Viewing properties of one of the Groups Billy is a member of...
Viewing properties of one of the Groups Billy is a member of…

The next step is to close the original window with the user, in this case, the ‘Billy Reinders Properties’ window.

Now, close the original window for Billy
Now, close the original window for Billy

Now, click the Members tab in the group window, then open up the original account, Billy Reinders.

Now, we can view the Attribute Editor tab!
Now, we can view the Attribute Editor tab!

Voila! There you go! I know, it sure is a roundabout way to do it, but it sure beats needing to drill down into your potentially complex AD OU structure and find the original user account.

Accessing the Attribute Editor in the Active Directory Administrative Center (ADAC)

Well, there is another way to use the Attribute Editor in Active Directory. And thankfully, it addresses the issue of searching for users and not seeing the Attribute Editor tab.

Let’s open the Active Directory Administrative Center (ADAC) from the Administrative Tools menu to demonstrate.

The Active Directory Administrative Center
The Active Directory Administrative Center

I will click on Global Search on the left, search for Billy, and open his record.

Searching for Billy Reinders in the ADAC
Searching for Billy Reinders in the ADAC

I will click Extensions on the left, and here is the Attribute Editor tab!

We can now see the Attribute Editor tab with ease!
We can see the Attribute Editor tab with ease!

Conclusion

There’s a nice and easy way to access all the attributes in your Active Directory environment. Yes, there are some oddities along the way in how Microsoft engineered searching, but, Active Directory has barely changed since its inception over 20 years ago. If you have any comments or questions, please feel free to leave them below!

Related Article: