OpenADUC — open-source web-based Active Directory Users and Computers replacement
Active Directory Users and Computers — in the browser
An open-source, self-hosted replacement for the legacy Microsoft "Active Directory Users and Computers" MMC snap-in — with a real audit trail behind every change.
Runs as a small container next to your domain controllers, talks to AD over LDAPS, and gives sysadmins a fast, browser-based way to find users, reset passwords, unlock accounts, manage groups, and review who changed what — without remoting into a Windows server.
Everything ADUC did — plus what it didn't.
Built for small-to-mid-size IT teams that want a UI more responsive than the MMC, an audit trail more complete than the Windows event log, and a deployment story simpler than RSAT-on-a-jump-box.
Users
Search, view, and edit attributes. Reset passwords, unlock and enable/disable accounts, move between OUs — all from a fast typeahead, no MMC console required.
Groups & memberships
Browse members and memberOf relationships. Add and remove members inline. See nested groups expanded without clicking through five property dialogs.
Computers & OUs
Find a computer object, see where it lives in the OU tree, disable it, or browse the tree directly. Group Policy: list GPOs, inspect linked OUs and enabled CSEs.
Append-only audit log
Every write is logged with actor, target, before/after, and step-up status. Database triggers reject UPDATE, DELETE, and TRUNCATE on audit rows — even a compromised app can't rewrite history.
Step-up re-auth on every write
Mutating calls require re-entering the AD password. The elevated session is short-lived (default 60 min) and password material lives only in process memory.
Dashboard & first-run wizard
Sync status, recent activity, and locked-account counts at a glance. A guided first-run wizard handles directory connection, the recovery account, and role bootstrap.
Treated like the tier-0 tool it is.
OpenADUC sits in front of Active Directory and writes to it on behalf of operators. The defaults assume that.
- LDAPS only. Outbound TCP/636 to your DCs. Plain LDAP (389) is not supported, by design.
- Live AD bind on every sign-in. No application-layer password store outside the local break-glass recovery account.
- Encrypted secrets at rest. Service-account passwords, Entra client secrets, and Teams webhooks are AES-256-GCM encrypted with a key you back up alongside your database.
- You terminate TLS. The bundled web container speaks plain HTTP on :8080 and expects a real reverse proxy (nginx, Caddy, Traefik) in front.
- Append-only audit at the DB layer. Postgres triggers enforce immutability — the app can't UPDATE or DELETE audit rows, period.
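Added example, not OpenADUC's own schema (table, column and role names are assumptions): a Postgres audit table whose triggers refuse UPDATE, DELETE and TRUNCATE, as the audit-log feature and the defaults list above describe, together with the grants that keep the application role from bypassing them.

```sql
-- Constructed example: an append-only audit table guarded by triggers.
-- Not OpenADUC's real schema; names below are assumptions.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       text        NOT NULL,  -- operator who made the change
    target_dn   text        NOT NULL,  -- AD object that was written
    action      text        NOT NULL,  -- e.g. 'reset_password', 'unlock'
    before_val  jsonb,                 -- attribute values before the write
    after_val   jsonb,                 -- attribute values after the write
    step_up_ok  boolean     NOT NULL   -- did step-up re-auth succeed?
);

-- Trigger body: refuse whatever operation fired it (TG_OP names it).
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % is not allowed', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

-- Row-level guard for UPDATE and DELETE.
CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- TRUNCATE touches no individual rows, so it needs a statement-level trigger.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- The application connects as a role that may only INSERT and SELECT.
-- The table owner (or a superuser) can DROP or DISABLE these triggers,
-- so the app role must not own the table; run this DDL as a separate owner.
CREATE ROLE openaduc_app LOGIN;            -- constructed role; set its password separately
REVOKE ALL ON audit_log FROM openaduc_app;
GRANT SELECT, INSERT ON audit_log TO openaduc_app;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO openaduc_app;

-- Check with a constructed row: the insert succeeds, every rewrite fails.
INSERT INTO audit_log (actor, target_dn, action, before_val, after_val, step_up_ok)
VALUES ('jdoe', 'CN=Alice,OU=Staff,DC=corp,DC=example', 'unlock',
        '{"lockoutTime": "133551234567890000"}', '{"lockoutTime": "0"}', true);
-- UPDATE audit_log SET actor = 'nobody' WHERE id = 1;  -- ERROR: audit_log is append-only: UPDATE is not allowed
-- DELETE FROM audit_log;                               -- ERROR: ... DELETE is not allowed
-- TRUNCATE audit_log;                                  -- ERROR: ... TRUNCATE is not allowed
```

The guarantee holds only while the application's database role is neither the table owner nor a superuser, since either could drop or disable the triggers; that ownership split is what makes "a compromised app can't rewrite history" true in practice.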
One line on a Linux host with Docker.
The installer prompts for an install directory, asks whether to use bundled Postgres or an existing one, generates strong secrets, and brings the stack up. Then open the printed URL to run the first-run wizard.
curl -fsSL https://raw.githubusercontent.com/OpenADUC/openaduc/main/install.sh | bash
Prefer the manual path? See docs/installation.md for clone-edit-env-compose-up.
Boring, modern, auditable.
Nothing exotic. Easy to read, easy to fork, easy to operate.
Frequently asked questions.
The questions sysadmins ask when first evaluating OpenADUC as an Active Directory Users and Computers replacement.
What is OpenADUC?
OpenADUC is an open-source, self-hosted web application that replaces the legacy Microsoft Active Directory Users and Computers (ADUC) MMC snap-in. It runs as a small Docker container, talks to your domain controllers over LDAPS, and gives sysadmins a fast, browser-based way to manage AD users, groups, computers, and OUs — with a full append-only audit trail behind every change.
What does ADUC stand for, and what is OpenADUC replacing?
ADUC stands for Active Directory Users and Computers — the Microsoft Management Console (MMC) snap-in that Windows administrators have used for decades to manage AD objects from a domain-joined Windows machine or a jump box running RSAT (Remote Server Administration Tools). OpenADUC replaces that experience with a modern, browser-based UI that runs on Linux and does not require RSAT or a Windows admin workstation.
Is OpenADUC free and open source?
Yes. OpenADUC is licensed under the Business Source License 1.1 — free to run in production for your own organization. The license automatically converts to Apache License 2.0 on 2030-05-09. The only restriction is that you cannot offer OpenADUC (or a substantial portion of its functionality) as a hosted service to third parties.
Does OpenADUC need a Windows server to run?
No. OpenADUC runs on 64-bit Linux (x86_64 or arm64) as Docker containers. It talks to your existing Windows domain controllers over LDAPS (TCP/636); nothing is installed on the DCs or on a Windows admin workstation. You do not need RSAT, and you do not need a domain-joined Windows machine to use the UI.
Can OpenADUC reset Active Directory passwords from a web browser?
Yes. Operators can reset AD passwords, unlock accounts, enable or disable accounts, edit attributes, and move users between OUs from the browser. Every write requires step-up re-authentication with the operator's AD password, and is recorded in an append-only audit log.
What database does OpenADUC use?
PostgreSQL only — version 14 or newer (16 recommended). The installer can run an embedded Postgres 16 container alongside the app, or you can point OpenADUC at an existing Postgres you already operate (on-prem, AWS RDS, Google Cloud SQL, Azure Database for PostgreSQL, Supabase, etc.). MySQL, SQL Server, and SQLite are not supported.
How is OpenADUC different from running the ADUC MMC snap-in remotely?
OpenADUC is a single small web app any operator can reach from a browser — no domain-joined Windows machine, no RSAT, no jump box. It is faster to navigate than the MMC, ships an audit log that the Windows event log cannot match (append-only at the database level, enforced by Postgres triggers), and is straightforward to deploy on a single Linux host with Docker.
Does OpenADUC support Microsoft Entra ID (Azure AD)?
OpenADUC manages on-premises Active Directory over LDAPS today. An Entra ID integration is on the roadmap toward v1.0. If you front OpenADUC with an identity-aware proxy (Entra Application Proxy, Cloudflare Access, Authentik, Keycloak, oauth2-proxy, Pomerium), Entra can already enforce MFA at the network boundary before operators reach the app.
How large a directory can OpenADUC handle?
The default sizing comfortably covers roughly 10,000 users, groups, computers, and OUs in cache on a 2 vCPU / 2 GB RAM host. Very small directories (a few hundred users) run happily on 1 vCPU and 1 GB RAM, especially with an external Postgres. For directories well past 10,000 objects, give Postgres more RAM or move it off-host; the API and web containers do not need to scale up.