Directory Manager

Affordable, improved directory data accuracy, delegated user and contact management

Overview

Directory Manager is a customizable Web-based utility that allows a designated user or users to update Active Directory user and contact information. Authorized users could include a department secretary, human resources personnel, a receptionist, or Tier 1 support personnel. The authorized user uses a simple search interface to locate users and edit those users.

The authorized user can then double-click on a selected user and edit the properties of that user. The properties/attributes that are available on the Directory Manager Edit dialog box are controlled by the administrator. Data accuracy is enforced through drop-down lists and field validation. The data in the Active Directory and, thus, the Global Address List becomes more up-to-date and accurate.

Systems and utilities that depend on the Active Directory, which may include your PBX, Office 365, Microsoft Lync, Microsoft System Center Configuration Manager, and other programs, can successfully leverage the updated information.


The administrator controls the fields/attributes that are available, the field types (drop-down or plain text), and the validation format.

Setup time for Directory Manager is quick, and the interface is intuitive and easy for even the most non-technical user to master in a short time. In less than an hour, you can have a web-based interface up and running for your human resources staff or secretaries and have them helping to keep the information in your Active Directory up-to-date.

Features

The administrator maintains control over the interface through a simple set of XML files in which the Directory Manager configuration is stored. Features include:

  • Provide authorized users with a simple Web interface for updating Active Directory. No client software required!

  • The administrator specifies which fields are visible and editable, the field types (drop-down list, text, or combo), and the values for drop-down lists.

  • Directory Manager allows photos to be uploaded (into either the thumbnailPhoto or jpegPhoto attribute). Photos stored in the thumbnailPhoto attribute can be used by applications such as Exchange 2010/2013, Office 365, Microsoft Lync, and Outlook 2010/2013.

  • Field validation using customizable regular expressions to control data entered by the user. This allows you to, for example, enforce the format of telephone numbers.

  • Any field can be shown/hidden, editable/read-only, include default data, and use format validation.

  • Address and telephone number information can automatically be populated based on field selection such as office or department.

  • Directory Manager exposes more native user attributes than Active Directory Users and Computers, such as employee number, employee id, employee type, secretary, assistant, and the photo attributes.

  • All field labels, help screens, and button labels can be customized or localized.

  • Elevated administrative rights for Directory Manager users are not necessary. Updates to the directory are performed via a proxy account.

  • Users can export search results to Excel spreadsheets or CSV files.

Directory Manager is licensed on a “per Active Directory domain” basis. You can install as many instances or copies as you want in a licensed domain. The number of end users or authorized Directory Manager users you have does not matter. Volume discounts and enterprise licensing agreements are available for customers with four or more Active Directory domains.

There are a number of software applications similar to Directory Manager on the market. Most of these are significantly more expensive and are often full-blown user account provisioning systems. Most of these provide dozens or hundreds of features that make them very powerful, but they also provide many more features than most companies actually require for simple delegated management of Active Directory users and contacts. Directory Manager provides an affordable, easy to use, and configurable option to Web-based management systems that provide hundreds of often unnecessary features.

Evaluating

We strongly urge all potential customers to download Directory Manager, install it in your environment, and customize it for your use. You will see how easy it is to get Directory Manager up and running.

You can download a fully functional evaluation from the Downloads section of our Web site; the evaluation will function for 21 days with no limitations. We will not ask you for your e-mail address, telephone number, or first born child; all you have to do is download the software. And, if you run into problems and have a question, we will give you the same great support we give our customers.

If you choose to buy the product, you keep your customized configuration; use the Configuration wizard to convert from evaluation to licensed by entering your organization name and license key.

Online Demo

Not quite ready to download the evaluation and install it yourself? Not a problem! You can still see Directory Update in action on our "live" demo page. This is a test Active Directory with a test set of data. The Directory Manager installation is pretty much a default install with a few features enabled to give you a feel for how the software works. The photo upload feature is disabled, by the way.

Directory Manager online demo

Requirements

The server on which Directory Manager is installed must be a member of the same forest in which it will be used. Directory Manager cannot be used against accounts in trusted domains that are located in another Active Directory forest. You will need a licensed copy of Directory Manager for each domain in which there are user accounts you want to edit.


Active Directory Requirements

Directory Manager works against all versions of Active Directory including Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, and Windows 2012 R2.


Exchange Server Requirements

Directory Manager does not require any version of Microsoft Exchange Server. We can use some attributes that are added when the forest schema is “prepped” for Exchange Server. To use attributes such as the extension attributes (aka custom attributes) we suggest you “prep” your forest with a minimum of Exchange Server 2003, but this is not necessary. Note that Exchange Server 2010 SP2 provides more extension attributes. You do not need to install Exchange just because you prepped your schema.


Server Operating System

Starting in June 2014, all Ithicos installers only support x64 Windows. If you are using Windows 2003 or Windows 2008 x86, please contact support for manual installation instructions.

  • Windows Server 2008 with SP1 (x64)
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

Either the Standard Edition or Enterprise Edition is supported. Either a physical server or virtual server is supported. For Windows Server 2008 or Windows Server 2012, you must install the full installation. Server Core installations are not supported.


Internet Information Server

  • Internet Information Service (IIS) 6, 7, 7.5, 8, or 8.5
  • ASP.NET must be enabled
  • .NET Framework v4.0 must be installed/enabled
  • Integrated Windows Authentication must be enabled/allowed on the root of the Web site

Quick Installation of Prerequisites

You can quickly install all of the necessary roles and features using PowerShell's Server Manager module, which lets you specify every required role and feature in a single command.

Windows Server 2008 R2

1.  Open a PowerShell command prompt as an administrator (Shift-Right Click and choose "Run As Administrator")
2.  Type Import-Module ServerManager and press Enter
3.  Type Add-WindowsFeature Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-ASP-NET,
  Web-Net-Ext, AS-Web-Support and press Enter
4.  Reboot if prompted.

Windows Server 2012 / Windows Server 2012 R2

1.  Open a PowerShell command prompt as an administrator 
2.  Type Import-Module ServerManager and press Enter
3.  Type Add-WindowsFeature Web-Server, Web-Basic-Auth, Web-Windows-Auth, NET-FRAMEWORK-45-Core,
  NET-FRAMEWORK-45-ASPNET, Web-HTTP-Logging, Web-NET-Ext45, Web-ASP-Net45 and press Enter
4.  Reboot if prompted.
                  

Microsoft / Windows Updates

Once the prerequisites are installed, we strongly recommend that you perform a Microsoft Update and install all recommended and critical updates.


Interoperability with Other Web Applications

Directory Manager usually works fine with most web applications running on the same IIS server provided the server remains in a minimum of IIS 6 mode. We recommend against running Directory Manager on the same server with Microsoft SharePoint. We have customers that run Directory Manager on domain controllers as well as Exchange servers.


Service / Proxy Account

All updates to the Active Directory are performed under the security context of a proxy account (sometimes called a service account.) While the proxy account can be restricted to a very minimum set of permissions, we recommend that the proxy account be a member of either the Account Operators or domain’s Administrators group. Note that if you use Directory Manager to update Contact objects, the Account Operators group does not have permissions to update Contacts by default. Here are some properties of the proxy account that you should take note of:

  • Name the account something recognizable such as SVC_DirectoryManager
  • The proxy account should have a strong password (15 characters)
  • Proxy account’s password must not expire
  • Proxy account must have the permissions necessary to edit user accounts, such as membership in the Account Operators or Administrators group.
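
The restricted-permission option this section mentions, as an added example that is not part of the vendor's documentation: it reports whether the proxy account sits in broad built-in groups and grants it read/write on a named set of attributes only. The OU, the domain name and the attribute list are assumptions; the attributes Directory Manager actually needs depend on the fields you enable.

```powershell
# Added example, not vendor code. Run from an elevated prompt on a machine with
# the ActiveDirectory module and dsacls.exe (RSAT or a domain controller).
# SVC_DirectoryManager is the account name suggested on this page; the domain,
# OU and attribute list below are assumed placeholders.
Import-Module ActiveDirectory

$Account       = 'SVC_DirectoryManager'
$Trustee       = "EXAMPLE\$Account"                 # assumed NetBIOS domain name
$TargetOU      = 'OU=Staff,DC=example,DC=local'     # assumed OU holding the editable users
$ObjectClasses = @('user')                          # add 'contact' if Contact objects are edited too
$Attributes    = 'telephoneNumber', 'title', 'department', 'company',
                 'physicalDeliveryOfficeName', 'streetAddress', 'manager',
                 'thumbnailPhoto'

# 1. Report direct membership in broad built-in groups, so the scope of the
#    account is a deliberate choice rather than a leftover from installation.
$Broad    = 'Account Operators', 'Administrators', 'Domain Admins', 'Enterprise Admins'
$memberOf = Get-ADPrincipalGroupMembership -Identity $Account |
            Select-Object -ExpandProperty Name
$hits     = @($memberOf | Where-Object { $Broad -contains $_ })
if ($hits.Count -gt 0) {
    Write-Warning "$Account is a direct member of: $($hits -join ', ')"
}

# 2. Grant Read Property / Write Property on the listed attributes only,
#    inherited by objects of the chosen classes below the OU (/I:S).
foreach ($class in $ObjectClasses) {
    foreach ($attr in $Attributes) {
        $out = & dsacls.exe $TargetOU /I:S /G "${Trustee}:RPWP;${attr};${class}"
        if ($LASTEXITCODE -ne 0) {
            throw "dsacls failed for '$attr' on '$class': $($out -join ' ')"
        }
    }
}

# 3. List the resulting entries for the account so they can be reviewed.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $Account
```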

IIS Application Pool

An application pool is an isolated memory space in which a web application executes. Web applications are assigned to the DefaultAppPool by default. We have found it is best to run our applications in dedicated application pools. Our installers should create and assign the application pool. However, if you are doing a manual installation, we strongly recommend creating a dedicated application pool for Ithicos applications, such as IthicosAppPool. This helps ensure that the server-side components of Directory Manager have the necessary permissions on the IIS server.


Installer’s Account

The person that installs Directory Manager should use a user account that is both a domain user account and a member of the server’s local Administrators group.


Authorized Users of Directory Manager

Two principal advantages of Directory Manager are that authorized Directory Manager users can edit account information via a web browser (Active Directory Users and Computers is not required!) and that the Directory Manager user does not need to have administrative or operator rights to Active Directory. All updates to the Active Directory are performed by the service / proxy account rather than the end user's account.

Not just any user can use Directory Manager, though. To authorize a user to use Directory Manager, create a security group in Active Directory called Directory Update Managers and put the user accounts that need to use Directory Manager in this group.


Secure Sockets Layer (SSL)

SSL is a security layer that protects HTTP data (or other protocols) as it is transmitted across your network or the Internet. We strongly recommend that any web site that transmits personal data use SSL. Directory Manager will work on a web site that uses SSL or not.

SSL uses a certificate that is “signed” by a certificate authority. We recommend that the certificate be issued by a certificate authority (CA) that is trusted by the browser clients that your users will be using. This prevents security warnings; users should never get used to ignoring security warnings.

Enabling SSL is a feature of Internet Information Server. The process will depend on the operating system.



Browser Requirements

Directory Manager uses ASP.NET and AJAX controls to create some enhanced functionality within the browser; some call this Web 2.0 technology. This means that it is not quite as simple as a standard HTML web page and thus browsers must be carefully tested.

Our current releases support the following browser versions:

  • Internet Explorer 8.x - IE 11.x - IE compatibility must be turned off
  • Firefox 16.x and later
  • Google Chrome v11.x and later

We only update current versions of our software when a new browser is released. This does not mean that older versions of our software or other browsers (Safari or Chrome) will not work, but we may not support them if you have problems. As a general rule, we find anything that works in Firefox will work in Chrome. We recommend customers stay on software maintenance so that they can upgrade to newer builds of the software as they become available.

Note also that Internet Explorer is required to use Integrated Windows Authentication unless your 3rd party browser also supports IWA.

Installation

Directory Manager is simple to install as long as the prerequisites are all installed. Download the latest version from our Web site and unzip the DirectoryManager.msi file. Place the MSI file on the server’s local hard drive, such as in the c:\temp folder.

You can usually just double-click on the MSI file to launch the installer, but on Windows Server 2008 or Windows Server 2012, the User Account Control security settings may be set so tightly that you have to launch the installer from the command line (don’t forget to “Run As Administrator”) like so:

msiexec.exe /i c:\temp\DirectoryManager.msi

  1. On the installation wizard welcome screen, click Next

  2. On the License Agreement screen, click “I Accept The Terms In The License Agreement” and then click Next

  3. On the Select Installation Address, most installations use the defaults. From this screen, you can select a different web site and virtual directory name. When you have made your selection, click Next.

    Directory Manager Installation Address

  4. On the Destination Folder screen, select the location for the Directory Manager files (usually c:\inetpub\wwwroot\DirectoryManager\) and click Next

  5. On the Active Directory Information screen, enter the host name of the domain controller, the DNS domain name of your Active Directory domain, the service/proxy account (in domain\username format), and the service/proxy account password. A common configuration problem is entering the FQDN of the domain controller in the Domain Controller text box; this text box is for the host (short) name of the domain controller. Click Next when finished.

    Directory Manager - Specifying domain and service account information

  6. On the Licensing Information Screen, copy and paste the organization name and license key that you were provided after you purchased the software. If you select the Evaluation checkbox, the software is fully functional in Evaluation mode for 10 days and you can run the configuration wizard later to provide the licensing information. Click Next when finished.

    Directory Manager - Adding the license key

  7. On the Ready To Install Directory Manager screen, click Install

  8. The installation will run for 15 - 30 seconds and will copy the software, set file system permissions, create a virtual directory, create an application pool, and configure the Registry settings. When it is complete, click the Finish button.

  9. Immediately test the installation by using a Web browser to visit http://localhost/DirectoryManager (the default URL if you are checking from the console of the server) or http://yourservername.yourcorp.local/DirectoryManager (if you are checking from elsewhere on your network).

You can now proceed to customizing the application.


Installation Checklist

You are now ready to customize the application. If you have not already, take a look at the Directory Manager Quick Start guide on our Downloads -> Documentation page.

  1. Test the default installation (with no customizations)

  2. Edit the DirectorySettings.XML file to configure the fields that you want to use (visibility, required, dropdown versus text, validation formats, etc…)

  3. Edit the AppSettings.XML file to customize the help text and search screen

  4. Enable file logging and/or auditing in the AppSettings.XML file

  5. Set file system permissions for photos and log files (if necessary)


File System Permissions

Our newest installers should set the necessary file system permissions, but you can always check to make sure this is the case. If you wish to use Directory Manager to upload photos to the Active Directory, give the NETWORK SERVICE user all permissions but Full Control to the .\Photos folder. This means you must give NETWORK SERVICE the following permissions to that folder: Modify, Read & Execute, List Folder Contents, Read, and Write. The Photos folder is found (by default) at c:\inetpub\wwwroot\directorymanager\photos.

Directory Update - Folder Permissions for Photos and Logs

If you wish to allow Directory Manager to record a text (CSV) file log of all changes made using Directory Manager, you must give NETWORK SERVICE the following permissions to the .\Logs folder: Modify, Read & Execute, List Folder Contents, Read, and Write. The .\Logs folder is found (by default) at c:\inetpub\wwwroot\directorymanager\Logs.

Customizing

Directory Manager is customized almost entirely by editing option files. Most of these files take the format of an XML file. Prior to starting the customization work, we have a few recommendations:

  • Remember, XML is much pickier than HTML. Tag names and options are often case sensitive and all open tags must have a close tag.

  • Get a good text editor – Notepad++ is both very good and free

  • Always make backup copies of configuration files before editing them


The configuration files are as follows:

  • DirectorySettings.xml – This is the primary configuration file; this is the file you will edit most often. It controls the fields that are visible/hidden, field labels, dropdown list options, field types, validation formats, required fields, default values, and more. When you edit this file, you may find many attributes that you did not realize exist in the Active Directory. There are many attributes that Microsoft does not use.

  • AppSettings.xml – This file controls options such as help text, logging, e-mail notification, error message text customization, button labels, and filtering options for lookup boxes like the Manager box. This file also controls the options that are available on the search interface and the maximum number of search results.

  • AddressSettings.xml – This file controls the Address Sets feature. The Address Sets feature allows the end user to pick a field (such as Office) and have other fields filled in automatically (such as street address, city, state, country, etc.). Once you create a list of offices, for example, and enable Address Sets, the office list no longer needs to be maintained in the DirectorySettings.XML file.

  • SubSettings.xml – This file allows you to define a parent-child relationship between 2 attributes. For example, you can define a relationship between a division and a department. If the user selects the “Information Technology” division, then they would only see a list of departments within that division.

  • PasswordSettings.xml – This file is used to define password policies if you enable the Password Management tab.

  • Style.css – This is the cascading style sheet. This can be used to change fonts, screen colors, and screen width. Changes to this file can negatively affect the interface so only experienced web site developers should edit this file.

  • Web.Config – This file is the web application file. Typically, the only useful thing you can do in this file is to enable Integrated Windows Authentication.

The primary changes that most customers want to make are handled via the DirectorySettings.XML file. This file allows you to:

  • Change an attribute/field’s screen label
  • Set the field type (dropdown, text, combo)
  • Add values for fields that use dropdown lists.
  • Hide / show a field
  • Make a field editable/read only
  • Set a default value for a text field
  • Make a field required
  • Define a validation format
  • Set a field to be double-wide
  • Set a field to be multi-line
  • Provide some example text below the field

Here is a typical “tag” from the DirectorySettings.xml file. The tag consists of the field name as well as options for that field that enable or disable particular features. This tag is for the company field:

<company label="Company" type="dropdown" visible="yes" editable="yes">
  <value>Company 1</value>
  <value>Company 2</value>
  <value>Company 3</value>
  <value>Company 4</value>
</company>

This "tag" produces a field on the Directory Manager whose label is "Company", the type is a drop-down list, and there are 4 options in the drop-down list.

Directory Update - Sample field

Note with drop-down lists, if there is an existing value in the Active Directory and it is NOT one of the values in the dropdown list, then it will not be displayed in the dropdown list.


Label

The label="Company" option displays the text “Company” next to the field.


Field Type

The type="dropdown" option allows you to define the field type. Valid field types are:

  • dropdown
  • text
  • combo
  • maskedText

The text box allows the user to enter data in free-form text with no validation or control. The combo box has a drop-down list but the end user can enter free-form text also.

The other option (maskedText) is best used with phone number fields and allows you to define input guidance or field formatting. For example, you could use a maskedText option if you wanted a user to enter a phone number in a specific US format, such as this:

Directory Update - Masked text field

Below is an example of using the maskedText option for the office phone number field:

<officePhone label="Office Phone" type="maskedText" mask="(###) ###-####" visible="yes" editable="yes" validationFormat=""/>

Visible or Hidden Fields

A field can either be hidden or visible on the interface. visible="yes" displays the field while visible="no" hides the field.


Editable or Read Only Fields

A field can be either editable or read only. In some situations you may want the user to see the current value in Active Directory but not edit that value. Setting editable="yes" allows the field to be edited by the user while editable="no" sets the field to read only.


Required Fields

You can set a field to be required by adding the required="yes" option to the field’s tag. Here is an example making the title required:

<title label="Title" type="text" visible="yes" editable="yes" required="yes"/>

Validation Format

Directory Manager allows you to define a rule set for field content using regular expressions (REGEXs). There are two parts to this process. You must first define the validation format (including the format name, example text, and the regular expression that will be used). This is done in the validations section of the DirectorySettings.xml file. Below is an example of a RegEx that requires that a user enter a phone number in either of these two formats: (808) 555-4321 or (808) 555-4000 x4322:

<validation format="US-Phone" formatExample="Example: (808) 123-4567 or 808-123-4567 x4321" 
  regularExpression="((\(\d{3}\) ?)|(\d{3}-))\d{3}-\d{4}(( x)\d{1,5}| )?"/>

Once you have created a validation format, such as the one above called US-Phone, you then need to add the validationFormat="US-Phone" option to the appropriate field. Below is an example of using that for the office phone number field.

<officePhone label="Office Phone" type="text" visible="yes" editable="yes" required="yes" validationFormat="US-Phone"/>

Please note that our support personnel cannot assist you in creating custom regular expressions. We recommend you visit a site like http://www.regexlib.com.
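
A way to check a DirectorySettings.xml fragment before deploying it, as an added example (not vendor code): it confirms the XML is well-formed, that every validationFormat names a defined format, and shows how the US-Phone expression above treats sample values when matched against the whole value versus any substring. The root element, the validations wrapper and the Company-Code reference are assumptions, and this page does not state whether the application anchors expressions, so the example anchors them itself.

```powershell
# Added example, not vendor code. Requires PowerShell 3.0 or later.
# Constructed sample built from the tags shown on this page. The root element
# name and the <validations> wrapper are assumptions, and the Company-Code
# reference is deliberately left undefined. Replace the here-string with the
# contents of your own DirectorySettings.xml.
$SettingsXml = @'
<directorySettings>
  <validations>
    <validation format="US-Phone" formatExample="Example: (808) 123-4567 or 808-123-4567 x4321"
      regularExpression="((\(\d{3}\) ?)|(\d{3}-))\d{3}-\d{4}(( x)\d{1,5}| )?"/>
  </validations>
  <company label="Company" type="text" visible="yes" editable="yes" validationFormat="Company-Code"/>
  <officePhone label="Office Phone" type="text" visible="yes" editable="yes" required="yes" validationFormat="US-Phone"/>
  <title label="Title" type="text" visible="yes" editable="yes" required="yes" validationFormat=""/>
</directorySettings>
'@

# Constructed test values: the first two should pass, the last three should not.
$Samples = '(808) 555-4321', '808-555-4000 x4322', '(808) 555-4321 x123456',
           '808.555.4321', '(808) 555-4321 ext. see notes'

function Test-DirectorySettings {
    param([string]$XmlText, [string[]]$Samples)

    # LoadXml throws on anything that is not well-formed: an unclosed tag, a
    # close tag whose case differs from its open tag, or a typographic (curly)
    # quote used as an attribute delimiter.
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    # Case-sensitive map of format name -> pattern text, kept only if it compiles.
    $formats = New-Object 'System.Collections.Generic.Dictionary[string,string]'
    foreach ($v in $doc.SelectNodes('//validation')) {
        $name = $v.GetAttribute('format')
        $raw  = $v.GetAttribute('regularExpression')
        try {
            $null = [regex]$raw
            $formats[$name] = $raw
        } catch {
            [pscustomobject]@{ Check = 'BadRegex'; Item = $name; Detail = $_.Exception.Message }
        }
    }

    # Every non-empty validationFormat on a field must name a defined format.
    foreach ($field in $doc.SelectNodes('//*[@validationFormat]')) {
        $ref = $field.GetAttribute('validationFormat')
        if ($ref -and -not $formats.ContainsKey($ref)) {
            [pscustomobject]@{ Check = 'UndefinedFormat'; Item = $field.LocalName; Detail = $ref }
        }
    }

    # Compare whole-value matching (\A...\z) with substring matching for each
    # sample. A value that passes only as a substring carries unvalidated text.
    foreach ($name in $formats.Keys) {
        $raw      = $formats[$name]
        $anchored = '\A(?:' + $raw + ')\z'
        foreach ($s in $Samples) {
            $whole = [regex]::IsMatch($s, $anchored)
            $part  = [regex]::IsMatch($s, $raw)
            [pscustomobject]@{
                Check  = 'Sample'
                Item   = $s
                Detail = '{0}: whole-value={1}, substring={2}' -f $name, $whole, $part
            }
        }
    }
}

Test-DirectorySettings -XmlText $SettingsXml -Samples $Samples |
    Format-Table -AutoSize -Wrap
```

The trailing `| )` alternative in the US-Phone expression also means a value ending in a single space passes whole-value matching.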


Photos

Photo support has become one of our most popular features; this is because Microsoft is now displaying photos in Outlook 2010 and Lync clients if the photo is stored in the thumbnailPhoto attribute. Directory Manager can upload the photo to either the thumbnailPhoto or jpegPhoto attributes in Active Directory. Below is the recommended photo tag using the thumbnailPhoto attribute and a size of 128x128:

<photo label="Add/Change Photo" type="file" visible="yes" editable="yes" attribute="thumbnailPhoto" width="128" height="128" defaultValue="Images/noPhoto.gif"/>

When the photo tag's editable="yes" option is set, the photo option appears in the General section of the user interface. When a user uploads a photo, the photo file is temporarily stored in the c:\inetpub\wwwroot\directorymanager\photos folder until the user saves their information. At that time, the photo is then stored in the Active Directory. Here is a fun tip: upload your photo, but don't save your information. Look in that folder on the IIS server to see how big the photo will be in the Active Directory.

Directory Manager - Luke Husky Photo

By default, the photos are stored in an attribute (thumbnailPhoto) as part of the user’s object in Active Directory. Regardless of the original photo file size, Directory Update “re-renders” the photo to the size specified in the DirectorySettings.xml file. Typical file sizes are between 5KB and 10KB. For more information, read our Photo Support TechNote.

Since we store the photo (by default) as a square image, we recommend the original source image also be square. Otherwise, the photo will look squashed or stretched.


Double Wide Fields

In some cases your data may not display properly when the field is half-width. If you want a field to be wider, add the doublewide="yes" option to the field’s tag:

<company label="Company" type="text" visible="yes" editable="yes" doublewide="yes"/>

Note in the screen shot below that the Company field is a double-wide field while the Office field is a single-width (default) field.

Directory Manager - Double wide field


Default Value

You can also specify a default value if the field type is a text box. This feature is only valuable if there is no data in the field to begin with.

<title label="Title" type="text" visible="yes" editable="yes" defaultvalue="Accountant"/>

Multiline Fields

For most Active Directory data types, the multiline option is not very valuable, but for attributes like streetAddress or notes, it can be useful. Note that multi-line does not change how Active Directory stores the data, only how Directory Update displays it. Here is an example setting multiLine="yes" for the streetAddress field:

<streetAddress label="Street Address" type="text" visible="yes" editable="yes" multiLine="yes"/>

Directory Update - Multiline field


Help Notes and Example Text

Directory Manager is designed to help you provide as much help as necessary to the end user. This is in the form of a couple of different types of help fields. First, each "section" of the user interface (such as General, Organization, Address, etc.) has a note area at the bottom of the section. The image below shows the Telephones section; the note tag is at the bottom of the image:

Directory Update - Telephone section and Notes field

This corresponds to the following section in the DirectorySettings.XML file. If you do not need the note, then save yourself some screen space by setting the visible="no" option. Otherwise, you can customize the text to suit your organization's needs and best help your end users.

Directory Update - DirectorySettings.XML file Telephone Section

Each attribute can also have individual example text. This was originally intended for phone number fields, but you can add the example option to any tag.

Directory Update - Field example text

The following is an example of adding the example option to the officePhone tag.

<officePhone label="Office Phone" type="text" visible="yes" editable="yes" validationFormat=""
  example="Include your area code, such as: (212) 555-1234"/>

Manager, Assistant, and Secretary Attributes

The Manager, Assistant, and Secretary attributes are special data fields that store object names. For example, in order to select a Manager, the manager must have a user name or contact name in the Active Directory already. These fields are not free-form text fields, but rather lookup fields for users and/or contacts. Active Directory Users and Computers only exposes the Manager attribute for editing, but the Active Directory schema does provide for the Secretary and Assistant fields.

Directory Manager allows for one or more of these fields to be enabled. We provide a lookup box where the Directory Update user can type in the first few characters of the person's display name.

Directory Update - Searching for a Manager

There is little-to-no configuration necessary to use these fields other than to enable them to be editable via the DirectorySettings.XML file.

<manager label="Manager" type="text" visible="yes" editable="yes"/>

There is one notable exception, though. If you have more than one domain in your forest, by default the lookup fields only query a single domain. Therefore you must enable global catalog lookups so that you can see the users from the other domains in your forest. This is done in the AppSettings.XML file. The useGlobalCatalog option within the lookupFields tag must be set to "yes".

<lookupFields useGlobalCatalog="yes" showOnlyExchangeEnabledUsers="no" showContacts="yes" showDisabledUsers="no" 
  maxResults="20"/>

Enabling Integrated Windows Authentication (Single Sign-on)

By default, Directory Manager uses a customizable logon form. However, a much more convenient way to use Directory Manager is to enable Integrated Windows Authentication (sometimes called single sign-on or Windows Login.)

Edit the Web.Config file and locate the <authentication mode="Forms"> tag. You can find the Web.Config file in the root of the installation folder; by default that is c:\inetpub\wwwroot\directorymanager. Replace mode="Forms" with mode="Windows". That will enable Integrated Windows Authentication.

Directory Update - Enabling Integrated Windows Authentication

For more information, read our TechNote Enabling Integrated Windows Authentication.

Configuring the Search Interface

The search interface is broken into 3 separate parts: the search interface, search results, and a tabbed view below the search results that represents the currently highlighted user. These are all controlled from the AppSettings.XML file.

Directory Manager - Interface components

One of the most common questions that we are asked is why are there only 100 search results generated and why is the listing not a true representation of the users in Active Directory. This is because we limit the maximum number of results to 100. We do allow you to narrow the search result so that only a subset of the objects in Active Directory are actually returned. The userList tag within the AppSettings.XML file allows you to control some of the search result listings including:

  • Maximum number of search results - maxResults
  • Results per page - pageSize
  • Column on which to sort the results - sortBy
  • Display only Exchange-enabled users - showOnlyExchangeEnabledUsers
  • Display disabled users (or not) - showDisabledUsers
  • Don't show an initial search results screen upon connecting to the site - showInitialResults
  • Do or do not show the tabbed details pane below the search result - showDetailPane

Here is the tag that controls the above features of the Directory Manager search results feature:

<userList maxResults="100" pageSize="20" sortBy="displayName" showOnlyExchangeEnabledUsers="no" showDisabledUsers="no" 
  showInitialResults="yes" showDetailPanel="yes">

A fairly common question we are asked is whether the maximum number of search results can be increased. Directory Manager uses LDAP to query the Active Directory and as such is designed as a "search" application more than a "browse" application. That being said, you can increase the maximum number of search results by adjusting the maxResults option within the AppSettings.XML file. Note that Active Directory limits the maximum number of LDAP query results returned to 1,000 via the Active Directory parameter maxPageSize in the LDAP policy. This can be changed; see the KB article 315071: How to view and set LDAP policy in Active Directory by using Ntdsutil.exe.


Controlling the columns shown in the display and filtering attributes

For the search results grid, the columns section of the AppSettings.XML file controls what the Directory Manager user sees. You can control the following:

  • Title for the column header - headerText
  • Show the attribute in column - visible
  • Include as a filter or search option - filter
  • Allow export to an Excel spreadsheet or text file - export

The attributes allowed in the search results grid should be used sparingly. Directory Manager auto-sizes the grid; you cannot manually specify individual column sizes, so if you have too many attributes the data will be compressed. We recommend that no more than 5 or 6 columns be set to visible="yes". The following are the first few lines of the columns section of the AppSettings.XML file:

<columns>
  <personalTitle   headerText="Personal Title"     visible="no" filter="no" export="no" />
  <firstName       headerText="First Name"         visible="no" filter="no" export="no" />
  <initials        headerText="Middle Initials"    visible="no" filter="no" export="no" />
  <middleName      headerText="Middle Name"        visible="no" filter="no" export="no" />
  <lastName        headerText="Last Name"          visible="no" filter="no" export="no" />
  <nameSuffix      headerText="Name Suffix"        visible="no" filter="no" export="no" />
  <displayName     headerText="Display Name"       visible="yes" filter="yes" export="yes" />
  <email           headerText="Email Address"      visible="yes" filter="yes" export="yes" />
  <userName        headerText="User Name"          visible="no" filter="yes" export="no" />
...

Pre-filtering Search Results

By default, Directory Manager returns *all* user accounts found in the domain including service accounts, domain trust accounts, and other accounts. For your targeted user community, this may not be desirable.

We have created a document in the Documentation section of our Downloads page called "Applying Search Filters" that discusses in more detail how to apply search filters and exclusions, and how to limit the search scope to a single parent organizational unit (OU).


Users and Contacts Display

By default, Directory Manager displays both users and contacts in the search results listing. An authorized user can edit the properties of either users or contacts.

Directory Manager - Display Users or Contacts

You can disable this feature or change the default behavior in the objectTypes section of the AppSettings.XML file.

<objectTypes>
  <all     text="All"     visible="no" />
  <user    text="User"    visible="yes" />
  <contact text="Contact" visible="yes" />
</objectTypes>

Exporting Search Results

The Export button on the Directory Manager interface gives you the ability to export the search results to an Excel spreadsheet or a comma-separated values (CSV) file. This can be disabled via the exporting section of the AppSettings.XML file.

<exporting enabled="yes" text="Export" fileName="UserList">
  <options>
    <exportToExcel text="Excel" visible="yes" />
    <exportToCSV   text="CSV"   visible="yes" />
  </options>
</exporting>
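A review check for the AppSettings.XML options described in the sections above (userList, columns and exporting), as an added example that is not part of Directory Manager or its documentation. The `<appSettings>` root element, the finding codes and the sample values are assumptions; whether a column with visible="no" and export="yes" is actually written to the export file is not stated on this page, so it is only flagged for review.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragments from this page inside a hypothetical
# <appSettings> root; the values are altered to trigger each check.
SAMPLE = """<appSettings>
  <userList maxResults="5000" pageSize="20" sortBy="displayName"
    showOnlyExchangeEnabledUsers="no" showDisabledUsers="yes" />
  <columns>
    <displayName headerText="Display Name" visible="yes" filter="yes" export="yes" />
    <email headerText="Email Address" visible="yes" filter="yes" export="yes" />
    <userName headerText="User Name" visible="no" filter="yes" export="yes" />
  </columns>
  <exporting enabled="yes" text="Export" fileName="UserList" />
</appSettings>"""

AD_DEFAULT_MAX_PAGE_SIZE = 1000  # default LDAP policy limit cited above
MAX_VISIBLE_COLUMNS = 6          # upper end of the page's recommendation

def yes(elem, attr):
    """True when elem exists and elem[attr] is "yes" (missing counts as no)."""
    return elem is not None and elem.get(attr, "no").strip().lower() == "yes"

def audit(xml_text):
    """Return (code, detail) findings to review for an AppSettings.XML text."""
    root = ET.fromstring(xml_text)
    findings = []
    user_list = next(root.iter("userList"), None)
    if user_list is not None:
        max_results = int(user_list.get("maxResults", "100"))
        if max_results > AD_DEFAULT_MAX_PAGE_SIZE:
            findings.append(("MAXRESULTS_OVER_AD_LIMIT", str(max_results)))
        if yes(user_list, "showDisabledUsers"):
            findings.append(("DISABLED_USERS_LISTED", "showDisabledUsers=yes"))
    cols = [c for section in root.iter("columns") for c in section]
    visible = [c.tag for c in cols if yes(c, "visible")]
    if len(visible) > MAX_VISIBLE_COLUMNS:
        findings.append(("TOO_MANY_VISIBLE_COLUMNS", ",".join(visible)))
    if yes(next(root.iter("exporting"), None), "enabled"):
        # Attributes that can leave the application in an Excel/CSV file.
        exported = [c.tag for c in cols if yes(c, "export")]
        findings.append(("EXPORT_ENABLED", ",".join(exported)))
        hidden = [t for t in exported if t not in visible]
        if hidden:  # marked for export but not shown in the grid: review
            findings.append(("HIDDEN_BUT_EXPORTED", ",".join(hidden)))
    return findings

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```

Run it against a copy of the file after each configuration change and keep the output with the change record.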

Version History and Product Updates

Directory Manager has been in almost continual development since 2007. We release a new version about once every six to nine months. The features and functionality in those new releases reflect customer requests, bug fixes, updates to support new browsers/operating systems, and more.


Directory Manager v2.3

  • Updated RAD / screen / grid controls to maintain compatibility with browser and .NET Framework updates.

  • Changes and improvements to the photo upload feature, including: Photos do not get re-rendered if they match the dimensions specified in the XML file exactly. Fixed a bug in the upload control that occasionally caused the cropping feature to crash. Added an adjustable photo compression quality option that allows the administrator to designate an image compression factor. The value can be between A value of 100 is a high quality image (less compression) and a larger file (14K to 18K for a 128x128 image).

  • Now allow the administrator to specify the visibility of individual options on the Account Management tab, including Unlock Account and Enable/Disable Account.

  • Updated installer to accommodate issues setting the "Network Service" account on some international versions of Windows.

  • Added a configuration option to hide the main "User Information" tab, for customers that only want to use the Password or Account Management tabs.


Directory Manager v2.2

  • Installer updated to better handle Windows servers that use European languages.

  • Improvements to photo features, including uploading photos exactly if they match the exact pixel dimensions from the DirectorySettings.XML file and changing how photos are displayed if they are larger than the dimensions in the DirectorySettings.XML file.


Directory Manager v2.1

  • Updated base code to use .NET Framework 4.0 and updated AJAX controls.

  • New installer that supports Windows 2008 and Windows Server 2012. The new installer creates a dedicated application pool and the necessary file system permissions.

  • Support for newer versions of Google Chrome and Internet Explorer 11.

  • Fixed search issues that sometimes caused the interface to crash after multiple invalid searches.

  • Updated software to allow for a 21 day evaluation period rather than 10 days.


Directory Manager v2.1

  • New, optional Password Management tab that allows an authorized Directory Manager user to reset a user's password. This is enabled via the AppSettings.XML file.

  • New, optional Account Management tab that allows an authorized Directory Manager user to enable or disable a user account as well as unlock a locked account. This is enabled via the AppSettings.XML file.

  • Improved photo upload controls allow a photo to be cropped and improve the resizing feature. The maximum "source" size of a photo is 2MB, but the photo is usually between 5KB and 7KB once it is uploaded to the Active Directory.

  • Customized password complexity can be set via the PasswordSettings.XML file, or password complexity can match Microsoft's complexity rules.

  • Domain drop-down list can be enabled/disabled via the AppSettings.XML file in a multi-domain environment.

  • Added feature to allow account status (enabled/disabled) to be exported to CSV or Excel files.

  • Changed the way the default search listing is displayed. The search listing represents a more accurate, alphabetized listing of Active Directory users. Maximum of 100 users displayed by default.

  • Added a feature to allow a custom LDAP filter for the default search listing.

  • Fixed a bug that caused photos to be improperly displayed in multi-domain environments.

  • Changed timeout defaults so that Directory Manager will not automatically log a user off for 3 hours.


Directory Manager v1.6

  • Updated AJAX grid and button controls to newest versions.

  • Fixed issues with Directory Manager freezing after 5 or 6 updates.

  • Changed default photo attribute to thumbnailPhoto and default size to 128x128.

  • Added support for the subsets feature.

  • Added option so that results tabs do not appear and to prevent a default search from executing when Directory Manager opens.

  • Added support so that the selected country controls phone number validation.


Directory Manager v1.4 / v1.5

  • Introduced support for Internet Explorer 9.

  • Included file logging / auditing feature.

  • Added support for masked text phone number fields and RegEx validation for all fields.

  • Updated AJAX controls and converted code to use .NET Framework v3.5.

  • Added support for the Address Sets feature.


Directory Manager v1.3

  • Added photo support.

  • Improved filtering / search capabilities.

  • Added RegEx validation checking for phone number fields.

  • Updated AJAX controls.

Limitations

Directory Manager is designed to be a simple, easy-to-use Web application that allows an authorized user to update other users' information in the Active Directory. There are a number of limitations to the application of which the administrator should be aware. These include:

  • All updates are performed using the service/proxy account. Authorized users can update any user account in the Active Directory that the service/proxy account is allowed to update. This limitation can be overcome with multiple instances of Directory Manager, though.

  • User accounts and contacts cannot be created or deleted through the Directory Manager interface.

  • Group membership cannot be edited through Directory Manager.

  • The email address field cannot be edited if you are using Exchange Server. Exchange must control the e-mail address properties.

Last Review: 17 Dec 2016