The Incident That Changed How I Approach Delegation
I'm reviewing an IR engagement report one evening when a client calls in a panic. Their IT team had been granted Domain Admin access to run routine helpdesk tasks, and now an attacker with a compromised service account was moving laterally through their environment.
The team had been using a shared "HelpDeskAdmin" account with Domain Admin privileges to reset passwords, unlock accounts, and manage security groups. They justified it by saying they "needed full access to do our job." Sound familiar?
That shared account had been compromised months earlier through a password reuse attack on an old vendor portal. The attacker waited weeks before moving, waiting for the IT team to reset passwords and unlock accounts — all while sitting in Domain Admin groups.
This is not a hypothetical scenario. This happens every quarter in one form or another. And the root cause is always the same: delegating too much access to solve simple problems.
The Problem with Delegated Permissions
IT teams are constantly balancing two competing needs: efficiency and security. You want to empower your helpdesk to do their job, but you don't want them to be able to elevate anyone to Domain Admin.
Traditional Active Directory delegation, as most teams actually use it, has three fundamental problems:
- All-or-nothing permissions in practice — Attribute-level ACEs and the Delegation of Control wizard exist, but they are fiddly enough that most teams either grant full control of an Organizational Unit or grant nothing. The middle ground of granular task delegation is rarely set up and even more rarely audited.
- Permission creep — Once someone has elevated access, they tend to accumulate more over time. The "helpdesk admin" becomes "tier 2 admin" becomes "partial domain admin."
- Shared credentials — When delegation doesn't work, teams fall back to shared service accounts with broad permissions. These are the crown jewels for attackers.
The Microsoft Enterprise Access Model tries to solve this with tiering, but it's overkill for most organizations. You don't need EAM if you just need to let your helpdesk reset passwords without giving them Domain Admin.
What the AD User Management Tool Does
I built this PowerShell GUI tool specifically to address this problem. It's not a full Privileged Access Management solution. It doesn't need to be.
The tool gives your helpdesk team the ability to:
- View and search AD users
- Reset passwords with auto-generated strong passwords
- Enable/disable user accounts (with automatic OU moves)
- Edit basic properties (title, department, phone)
- Manage security group membership
- Create new users with proper UPN and proxy address generation
All without granting the helpdesk staff themselves any administrative permissions. The GUI runs on the helpdesk workstation and sends requests to a designated management server; that server connects to the domain controller over PowerShell Remoting and performs the operations as a service account that holds only the specific rights those tasks need.
How It Works Under the Hood
The tool uses a single service account that has:
- Read access to the user objects in the Standard Users OU
- The Reset Password control access right on those users (in AD a password reset is an extended right, not a write to a password attribute)
- Write access only to the specific attributes the GUI edits (telephoneNumber, title, department, and userAccountControl for enable/disable)
- Membership in Domain Users only, which every account has by default
- No administrative privileges and no membership in any protected group
Group management and user creation need further narrowly scoped rights on the target groups and OU (write to the member attribute of the managed groups, and Create child user objects on the OU); delegate those just as specifically.
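The delegation above, written out as an added example; this is not code from the AD-UserManagement repository. It grants the service account only the rights listed, on one OU, and then reads the resulting ACEs back so they can be reviewed. The account name svc-helpdesk and the OU OU=Standard Users,DC=corp,DC=example are assumptions; run it once as a domain admin on a host with the RSAT ActiveDirectory module.

```powershell
# Added example (not the tool's own code): least-privilege delegation for the
# helpdesk service account on one OU, then a read-back of what was granted.
# Assumed names: svc-helpdesk, OU=Standard Users,DC=corp,DC=example.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-helpdesk'                          # assumption
$TargetOU       = 'OU=Standard Users,DC=corp,DC=example'  # assumption

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$svcSid   = (Get-ADUser -Identity $ServiceAccount).SID

# schemaIDGUID of a class or attribute, looked up by lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [Guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right such as 'Reset Password'.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "extended right '$DisplayName' not found" }
    [Guid]$obj.rightsGuid
}

# One Allow ACE, inherited only by descendant objects of class $InheritedObjectType.
# $ObjectType narrows it to one attribute or extended right; Guid.Empty means "all".
function New-Ace {
    param(
        [System.Security.Principal.SecurityIdentifier]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType,
        [Guid]$InheritedObjectType
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectType)
}

$userClass = Get-SchemaGuid 'user'
$acl = Get-Acl -Path "AD:\$TargetOU"

# 1. Read user objects under the OU (search and view).
$acl.AddAccessRule((New-Ace $svcSid 'GenericRead' ([Guid]::Empty) $userClass))

# 2. Reset Password is a control access right, not a property write.
$acl.AddAccessRule((New-Ace $svcSid 'ExtendedRight' (Get-ExtendedRightGuid 'Reset Password') $userClass))

# 3. Write only the attributes the GUI edits. userAccountControl is what
#    enable/disable flips; lockoutTime is what "unlock" clears; pwdLastSet is
#    "must change password at next logon". Moving users between OUs and
#    editing group membership need further rights on those targets (not shown).
foreach ($attr in 'title', 'department', 'telephoneNumber', 'userAccountControl', 'lockoutTime', 'pwdLastSet') {
    $acl.AddAccessRule((New-Ace $svcSid 'WriteProperty' (Get-SchemaGuid $attr) $userClass))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read back every ACE on the OU that names the service account, so the
# delegation can be reviewed line by line and diffed later for drift.
function Get-DelegatedRights {
    $name = (Get-ADUser -Identity $ServiceAccount).SamAccountName
    (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object { $_.IdentityReference.Value -like "*\$name" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
}

Get-DelegatedRights | Format-Table -AutoSize
```

The two GUID lookups are the part worth keeping: attribute and extended-right GUIDs are resolved from the schema and configuration partitions at run time rather than pasted in, so the same script works in any forest and a typo cannot silently delegate the wrong attribute.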
When a helpdesk user runs the tool and authenticates with their domain credentials, the GUI sends commands to the management server, which then executes the AD operations using the service account. The helpdesk user never handles the service account credential and never gets a PowerShell or ADSI session that carries its rights.
The service account credential is stored in Windows Credential Manager, which protects it with DPAPI under the profile of the account that saved it. No plaintext passwords on disk. The caveat every practitioner should keep in mind: DPAPI only hides the secret from other users. Anyone who can run code as the account that stored it, including malware running on that machine, can read it back. Store it under the service context on the management server rather than in a helpdesk user's profile, and keep the service account's rights scoped as above so that a leak of this credential is a scoped-rights leak and not a Domain Admin leak.
The Configuration Approach
This is where the tool really shines: configuration. You don't hard-code your domain controller, OUs, or groups into the script.
Those values live in a simple config.json file, which the configuration wizard described under Getting Started generates for you.
Store the service account credentials in Windows Credential Manager using the setup wizard. Deploy the tool to your helpdesk workstations via Group Policy or SCCM. They get a professional GUI with no PowerShell knowledge required.
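A constructed config.json in the spirit of the post, plus the checks an administrator should run on it before deploying the GUI, as an added example. This is not the tool's own loader, and the key names, host names and DNs are assumptions rather than the project's real schema. The checks that matter are the last two: the service account named in the config must not be (even transitively) in a privileged group, and it must not hold broad rights on the users OU that would make the attribute-level delegation meaningless.

```powershell
# Added example (not the tool's own code or schema): validate a config.json
# and, more importantly, the privilege posture of the service account it names.
# Key names, host names and DNs below are constructed assumptions.
Import-Module ActiveDirectory

$SampleConfigJson = @'
{
  "DomainController": "dc01.corp.example",
  "ManagementServer": "mgmt01.corp.example",
  "UsersOU":          "OU=Standard Users,DC=corp,DC=example",
  "DisabledUsersOU":  "OU=Disabled Users,DC=corp,DC=example",
  "ServiceAccount":   "svc-helpdesk",
  "CredentialTarget": "AD-UserManagement"
}
'@

# Domain Admins (-512), Schema Admins (-518), Enterprise Admins (-519);
# built-in Administrators (544), Account (548), Server (549), Backup (551) Operators.
$script:PrivilegedGroupSidPattern = '(-(512|518|519)$)|(^S-1-5-32-(544|548|549|551)$)'

function Test-ToolConfig {
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($key in 'DomainController', 'UsersOU', 'DisabledUsersOU', 'ServiceAccount') {
        if (-not $cfg.PSObject.Properties[$key] -or [string]::IsNullOrWhiteSpace($cfg.$key)) {
            $findings.Add("missing required key: $key")
        }
    }
    if ($findings.Count -gt 0) { return $findings }

    $dc = $cfg.DomainController
    foreach ($ou in @($cfg.UsersOU, $cfg.DisabledUsersOU)) {
        try { $null = Get-ADOrganizationalUnit -Identity $ou -Server $dc }
        catch { $findings.Add("OU does not exist: $ou") }
    }
    if ($cfg.UsersOU -eq $cfg.DisabledUsersOU) {
        $findings.Add('UsersOU and DisabledUsersOU are the same OU; disable has nowhere to move the account')
    }

    try { $svc = Get-ADUser -Identity $cfg.ServiceAccount -Server $dc -Properties adminCount }
    catch { $findings.Add("service account not found: $($cfg.ServiceAccount)"); return $findings }

    # adminCount=1 means SDProp has treated the account as protected at some point.
    if ($svc.adminCount -eq 1) { $findings.Add('service account has adminCount=1 (is or was in a protected group)') }

    # Transitive membership via LDAP_MATCHING_RULE_IN_CHAIN, so nesting cannot hide it.
    # (A DN containing LDAP filter metacharacters would need escaping first.)
    $groups = Get-ADGroup -Server $dc -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))"
    foreach ($g in $groups) {
        if ($g.SID.Value -match $script:PrivilegedGroupSidPattern) {
            $findings.Add("service account is (transitively) a member of privileged group '$($g.Name)'")
        }
    }

    # Broad rights on the users OU defeat attribute-level delegation. HasFlag is
    # used because a bitwise AND against GenericAll matches any single right.
    $aces = (Get-Acl -Path "AD:\$($cfg.UsersOU)").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$($svc.SamAccountName)"
    }
    foreach ($ace in $aces) {
        $r = $ace.ActiveDirectoryRights
        $broad = $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
                 $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)  -or
                 $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner) -or
                 ($ace.ObjectType -eq [Guid]::Empty -and
                  $r.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty))
        if ($broad) { $findings.Add("service account holds broad rights on UsersOU: $r (ObjectType $($ace.ObjectType))") }
    }
    return $findings
}

$problems = Test-ToolConfig -Json $SampleConfigJson
if ($problems.Count -eq 0) { 'config OK' } else { $problems | ForEach-Object { "FAIL: $_" } }
```

Run this from the setup wizard, or as a scheduled check afterwards, and treat any finding as a blocker: the whole value of the design is that the credential in Credential Manager is worth no more than the rights above, and that stops being true the first time someone drops the service account into Account Operators "to fix a ticket".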
Why I Built This
I've seen too many environments where the IT team has Domain Admin because "it's easier." I've also seen environments where delegation is so complex that helpdesk staff just call the domain admin every time they need to do something.
This tool sits in the middle. It solves specific problems (password reset, account enable/disable) without giving broad administrative access. The helpdesk can do their job. Security teams sleep better at night.
Getting Started
The tool is on GitHub: github.com/edtrud385/AD-UserManagement
Download both files:
- AD-UserManagement.ps1 — The main GUI application
- Configure-ADUserMgmt.ps1 — The configuration wizard
Run the configure script first to generate your config.json. Then run the main application.
The source code is on GitHub. Feel free to customize it for your environment. The goal isn't to be a one-size-fits-all solution — it's to show that you don't need full admin rights to empower your helpdesk team.
Don't grant Domain Admin for helpdesk tasks. Use this tool or similar to delegate only the permissions needed for specific tasks. The shared service account with elevated privileges is a credential theft target waiting to happen.
References:
- GitHub Repository: github.com/edtrud385/AD-UserManagement
- Configure Script: Configure-ADUserMgmt.ps1