Mastering Active Directory Management with Python

Active Directory Management with Python

Automate, secure, and optimize your Active Directory environment using Python


Active Directory (AD) is the backbone of many corporate networks, managing users, computers, and resources. This guide will show you how to leverage Python’s power to automate AD tasks, enhance security, and streamline management processes. We’ll cover everything from basic operations to advanced techniques, including ethical hacking considerations and building a web-based AD management tool.

Essential Python Libraries for AD Management

  • ldap3: Robust LDAP operations
  • pyad: Python Active Directory module
  • python-ad: Active Directory integration
  • adal: Azure Active Directory Authentication Library
  • paramiko: SSH operations for remote management
  • cryptography: Secure password handling

Install these libraries using pip:

pip install ldap3 pyad python-ad adal paramiko cryptography

Basic Active Directory Operations

1. Connecting to Active Directory

Establish a secure connection to your AD server:

from ldap3 import Server, Connection, ALL, NTLM, SUBTREE
from getpass import getpass

def connect_to_ad():
    server = Server('ldap://your_ad_server:389', get_info=ALL)
    username = input("Enter your username: ")
    password = getpass("Enter your password: ")
    conn = Connection(server, user=f'your_domain\\{username}', password=password, authentication=NTLM)
    if not conn.bind():
        print('Error in connection:', conn.result)
        return None
    print('Connection established successfully')
    return conn

ad_conn = connect_to_ad()

2. Creating a New User

Automate user creation with built-in safeguards:

from ldap3 import MODIFY_REPLACE
import re

def create_user(conn, username, firstname, lastname, password):
    # Validate inputs
    if not all([username, firstname, lastname, password]):
        print("All fields are required.")
        return False
    if not re.match(r'^[a-zA-Z0-9_-]+$', username):
        print("Invalid username format.")
        return False
    if len(password) < 8:
        print("Password must be at least 8 characters long.")
        return False

    user_dn = f'CN={firstname} {lastname},OU=Users,DC=your_domain,DC=com'
    attributes = {
        'objectClass': ['top', 'person', 'organizationalPerson', 'user'],
        'cn': f'{firstname} {lastname}',
        'sAMAccountName': username,
        'userPrincipalName': f'{username}',
        'givenName': firstname,
        'sn': lastname,
        'displayName': f'{firstname} {lastname}',
        'userAccountControl': '512'  # Normal account

    if conn.add(user_dn, attributes=attributes):
        print(f"User {username} created successfully.")
        # Set password, password)
        # Enable account
        conn.modify(user_dn, {'userAccountControl': [(MODIFY_REPLACE, ['512'])]})
        return True
        print(f"Error creating user: {conn.result}")
        return False

# Usage
create_user(ad_conn, 'jdoe', 'John', 'Doe', 'SecurePass123!')

3. Modifying User Attributes

Update user information safely:

def modify_user(conn, username, attributes):
    user_dn = f'CN={username},OU=Users,DC=your_domain,DC=com'
    print(f"Are you sure you want to modify the following attributes for {username}?")
    for attr, value in attributes.items():
        print(f"{attr}: {value}")
    confirm = input("Type 'YES' to confirm: ")
    if confirm != 'YES':
        print("Operation cancelled.")
        return False

    if conn.modify(user_dn, changes=attributes):
        print(f"User {username} modified successfully.")
        return True
        print(f"Error modifying user: {conn.result}")
        return False

# Usage
modify_user(ad_conn, 'jdoe', {'title': [(MODIFY_REPLACE, ['Senior Developer'])]})

Advanced Active Directory Management

1. Bulk User Management

Automate the process of creating multiple users from a CSV file:

import csv

def bulk_create_users(conn, csv_file):
    with open(csv_file, 'r') as file:
        reader = csv.DictReader(file)
        for row in reader:
            create_user(conn, row['username'], row['firstname'], row['lastname'], row['password'])

# Usage
bulk_create_users(ad_conn, 'new_users.csv')

2. Advanced AD Querying

Perform complex AD queries to retrieve specific information:

def advanced_ad_query(conn, search_base, search_filter, attributes):, search_filter, attributes=attributes)
    return conn.entries

# Find all disabled user accounts
disabled_users = advanced_ad_query(
    ['cn', 'sAMAccountName']

for user in disabled_users:
    print(f"Disabled user: {}, Username: {user.sAMAccountName}")

3. Group Policy Management

Automate Group Policy Object (GPO) management:

import subprocess

def create_gpo(name, comment):
    result =['powershell', f'New-GPO -Name "{name}" -Comment "{comment}"'], capture_output=True, text=True)
    if result.returncode == 0:
        print(f"GPO '{name}' created successfully")
        print(f"Error creating GPO: {result.stderr}")

def link_gpo(name, target):
    result =['powershell', f'New-GPLink -Name "{name}" -Target "{target}"'], capture_output=True, text=True)
    if result.returncode == 0:
        print(f"GPO '{name}' linked to '{target}' successfully")
        print(f"Error linking GPO: {result.stderr}")

# Usage
create_gpo("Security Baseline", "Enforces security settings across the domain")
link_gpo("Security Baseline", "OU=Workstations,DC=your_domain,DC=com")

Ethical Hacking and Red Teaming Techniques

Note: These techniques are for educational purposes only. Always obtain proper authorization before performing any security testing.

1. Password Spraying Detection

Detect potential password spraying attacks:

import datetime

def detect_password_spraying(conn, time_window_minutes=60, failed_attempt_threshold=5):
    now =
    time_window = now - datetime.timedelta(minutes=time_window_minutes)
    search_filter = f'(&(objectCategory=person)(objectClass=user)(badPasswordTime>={time_window.strftime("%Y%m%d%H%M%S.0Z")}))'
    attributes = ['sAMAccountName', 'badPasswordTime', 'badPwdCount']
    results = advanced_ad_query(conn, 'DC=your_domain,DC=com', search_filter, attributes)
    suspicious_accounts = [entry for entry in results if int(entry.badPwdCount.value) >= failed_attempt_threshold]
    if suspicious_accounts:
        print(f"Potential password spraying attack detected! The following accounts have had {failed_attempt_threshold} or more failed login attempts in the last {time_window_minutes} minutes:")
for account in suspicious_accounts:
print(f"Username: {account.sAMAccountName}, Failed Attempts: {account.badPwdCount}")
print("No signs of password spraying detected.")

2. Privilege Escalation Detection

Monitor for unexpected privilege escalations:

def detect_privilege_escalation(conn):
    admin_group_dn = "CN=Domain Admins,CN=Users,DC=your_domain,DC=com"
    # Get current members of the Domain Admins group, '(objectClass=group)', attributes=['member'])
    current_admins = set(conn.entries[0].member.values)
    # Compare with a stored list of known admins (you'd need to implement this storage mechanism)
    known_admins = get_known_admins()  # Implement this function to retrieve known admins
    new_admins = current_admins - known_admins
    if new_admins:
        print("Potential privilege escalation detected! The following accounts have been added to the Domain Admins group:")
        for admin in new_admins:
        print("No unexpected privilege escalations detected.")

# Usage

3. Kerberoasting Detection

Identify potential Kerberoasting attacks:

import datetime

def detect_kerberoasting(conn, time_window_hours=24):
    now =
    time_window = now - datetime.timedelta(hours=time_window_hours)
    search_filter = f'(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(lastLogon>={time_window.strftime("%Y%m%d%H%M%S.0Z")}))'
    attributes = ['sAMAccountName', 'servicePrincipalName', 'lastLogon']
    results = advanced_ad_query(conn, 'DC=your_domain,DC=com', search_filter, attributes)
    if results:
        print(f"Potential Kerberoasting activity detected! The following accounts with SPNs have logged on in the last {time_window_hours} hours:")
        for account in results:
            print(f"Username: {account.sAMAccountName}, SPN: {account.servicePrincipalName}, Last Logon: {account.lastLogon}")
        print("No signs of Kerberoasting detected.")

# Usage

Building a Web-Based AD Management Tool with Flask

Create a simple Flask application to manage Active Directory users and groups:

from flask import Flask, render_template, request, redirect, url_for, flash
from ldap3 import Server, Connection, ALL, NTLM

app = Flask(__name__)
app.secret_key = 'your_secret_key'  # Set this to a secure random value

# AD connection function (reuse the connect_to_ad function from earlier)

def index():
    return render_template('index.html')

def list_users():
    conn = connect_to_ad()
    if not conn:
        flash('Failed to connect to Active Directory', 'error')
        return redirect(url_for('index'))
    users = advanced_ad_query(conn, 'OU=Users,DC=your_domain,DC=com', '(objectClass=user)', ['cn', 'sAMAccountName'])
    return render_template('users.html', users=users)

@app.route('/create_user', methods=['GET', 'POST'])
def create_user():
    if request.method == 'POST':
        conn = connect_to_ad()
        if not conn:
            flash('Failed to connect to Active Directory', 'error')
            return redirect(url_for('index'))
        username = request.form['username']
        firstname = request.form['firstname']
        lastname = request.form['lastname']
        password = request.form['password']
        if create_user(conn, username, firstname, lastname, password):
            flash('User created successfully', 'success')
            flash('Failed to create user', 'error')
        return redirect(url_for('list_users'))
    return render_template('create_user.html')

if __name__ == '__main__':

This basic Flask application provides a web interface for listing AD users and creating new users. You’ll need to create HTML templates (index.html, users.html, create_user.html) to render the pages.

Here’s a simple project structure for this Flask application:

β”œβ”€β”€  # Place AD-related functions here
β”œβ”€β”€ templates/
β”‚   β”œβ”€β”€ index.html
β”‚   β”œβ”€β”€ users.html
β”‚   └── create_user.html
β”œβ”€β”€ static/
β”‚   └── styles.css
└── requirements.txt

This structure provides a foundation for building a more comprehensive AD management tool. In future updates, you could add features like group management, password resets, and detailed user information pages.

We plan to write more blog posts soon with more advanced Python Flask setups but this is just the basic of what it can potential do to manage your environment πŸ™‚

Best Practices and Security Considerations

  1. Use Least Privilege Principle: Always use accounts with the minimum necessary permissions for AD operations.
  2. Implement Proper Error Handling: Catch and log exceptions to prevent exposing sensitive information in error messages.
  3. Secure Credential Storage: Never hardcode credentials. Use environment variables or secure vaults for storing sensitive information.
  4. Input Validation: Validate and sanitize all user inputs to prevent injection attacks.
  5. Use SSL/TLS: Always use encrypted connections when communicating with Active Directory.
  6. Implement Logging: Log all significant actions for auditing purposes.
  7. Regular Code Reviews: Conduct regular code reviews to identify and fix potential security issues.
  8. Keep Libraries Updated: Regularly update your Python libraries to ensure you have the latest security patches.


Mastering Active Directory management with Python opens up a world of possibilities for IT professionals. From automating routine tasks to implementing advanced security measures, Python provides the tools needed to efficiently manage and secure your AD environment. Remember to always use these techniques responsibly and in compliance with your organization’s policies and legal requirements.

As you continue to explore and develop your AD management skills, consider building more advanced tools, implementing comprehensive monitoring systems, and staying updated on the latest AD security best practices.

Join Our Community!

🌟 Get exclusive insights and the latest IT tools and scripts, straight to your inbox.

πŸ”’ We respect your privacy. Unsubscribe at any time.

Andy N

Information Technology Support Analyst with over seven years of experience (in the telecommunications and manufacturing industries) ranging from user support to administering and maintaining core IT systems.

Related Posts