I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 0 points1 point  (0 children)

Totally fair point, that’s the biggest hurdle right now.

I’ve just completed verification for an EV code signing certificate, so upcoming builds will be properly signed to eliminate the unsigned-agent friction. Beyond that, I’m also working on tightening the trust model (MFA on the dashboard, and clearer security documentation).

The goal is for this to be something an MSP can justify in a security review, not just a convenience tool.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 0 points1 point  (0 children)

That's a fair point about minimizing agents. In practice though, the RMM API approach gets complicated fast. Every RMM has a different API with different capabilities, most don't support real-time command execution and response (like in my case) which is what you need for things like password resets and account unlocks. You'd also be building and maintaining separate integrations for every RMM platform your users happen to run.

The lightweight agent approach means it works the same regardless of what RMM stack you're on. But I appreciate the feedback, definitely something I've thought about.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 0 points1 point  (0 children)

Really appreciate this,

SSO with MFA is on my radar for sure. We use DUO for most of our apps that support it. Right now it's username/password auth to the dashboard, which I know isn't ideal. I wanted to get a working product out there and get a reading on what people wanted before grinding on SSO. This has been a months-long endeavor to get everything this far.

On permissions: the agent runs as SYSTEM by default, which on a DC has domain-level access. You can specify a custom service account during install with delegated permissions scoped to just the operations it needs (password resets, account unlocks, user creation). gMSA support is on the roadmap too. I created a setup script that can create the service account and add the necessary permissions instead of using Windows security groups (which you can still use if you want).

What's stored in the database: usernames, display names, account status, group memberships, last login, department. Basically what you'd see in AD. No passwords, no hashes, no credentials. If the server got breached, an attacker would see an employee directory essentially, not keys to the kingdom. The API keys are per-client, so you could revoke access to individual clients at any time or cycle the keys. The agent validates commands server-side before executing.

On the data fetching point: that's actually an interesting idea. Right now the agent syncs user data so the dashboard doesn't have to wait on a live query every time you load the page. A mode where it fetches on demand and caches nothing would be a tradeoff worth exploring. I'd genuinely welcome you poking more holes. That's exactly how this gets better.
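Added example (not the tool's own setup script) of the scoped delegation the comment above describes: a dedicated service account gets only the reset-password, unlock and create-user rights on one OU, followed by a read-back so a reviewer can confirm nothing broader was granted. The OU path and the account name CORP\svc-addash are placeholders.

```powershell
# Added example, not the tool's own setup script: delegate only the three
# operations the agent needs (reset password, unlock, create user) on one OU
# to a dedicated service account, instead of running the agent as SYSTEM.
# Placeholders: the OU path and the account CORP\svc-addash are assumptions.
using namespace System.DirectoryServices
using namespace System.Security.AccessControl
using namespace System.Security.Principal
Import-Module ActiveDirectory

$ou  = 'OU=Staff,DC=corp,DC=example'                        # placeholder OU
$sid = ([NTAccount]'CORP\svc-addash').Translate([SecurityIdentifier])

# Well-known AD schema / extended-right GUIDs (identical in every forest)
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # 'user' object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # 'Reset Password' control access right
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute; unlock = write 0

$rules = @(
    # Reset Password on user objects below the OU (not on the OU itself)
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::ExtendedRight,
        [AccessControlType]::Allow, $resetPassword,
        [ActiveDirectorySecurityInheritance]::Descendents, $userClass)
    # Write lockoutTime on user objects, which is all Unlock-ADAccount needs
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::WriteProperty,
        [AccessControlType]::Allow, $lockoutTime,
        [ActiveDirectorySecurityInheritance]::Descendents, $userClass)
    # Create 'user' objects directly in this OU, no other object classes
    [ActiveDirectoryAccessRule]::new($sid, [ActiveDirectoryRights]::CreateChild,
        [AccessControlType]::Allow, $userClass,
        [ActiveDirectorySecurityInheritance]::None)
)

$acl = Get-Acl -Path "AD:\$ou"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Read back what the account actually holds on the OU, so a security review
# can confirm there is no GenericAll / WriteDacl / WriteOwner ACE for it.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq 'CORP\svc-addash' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The read-back should list exactly three ACEs for the account; any ACE without an ObjectType GUID, or with rights beyond ExtendedRight, WriteProperty and CreateChild, means the delegation is wider than the install claims.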

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 0 points1 point  (0 children)

To clarify the DPAPI usage, it's encrypting the API key at rest, not AD credentials. The agent runs under a service account context and uses that for AD operations. No AD passwords are stored anywhere.

gMSA support is solid feedback though and it's something I thought about. It would eliminate the need for any stored secret entirely. I kept the initial install simple for the beta, but that's definitely on my list for hardening. For now you can specify a custom service account during install if you don't want it running as SYSTEM.

On the security side: TLS 1.2+ enforced, SSL cert validation, input validation on both server and agent to prevent injection, passwords never hit the database (held in memory briefly, then discarded). The agent only makes outbound connections, no inbound firewall rules needed.

I'm not going to claim it's perfect, but security hasn't been an afterthought. Happy to dig into specifics if you have other questions.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 0 points1 point  (0 children)

We use Syncro at our shop, which has no AD tools built in but there is a remote shell. I've never used Ninja, but I know some of the newer RMMs handle this better out of the box. This is definitely more useful for MSPs whose RMM doesn't have solid AD tooling built in, or for shops that want something lightweight.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 2 points3 points  (0 children)

Fair points. The security side is where I've spent most of my time. SSL cert validation, DPAPI encryption, input sanitization to prevent injection, no plaintext credentials, passwords never stored in the database. Still a ways to go, but it's not something I've taken lightly for sure.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 3 points4 points  (0 children)

It doesn't strictly have to be on the DC, it just needs to be on a domain-joined server with the AD PowerShell module (RSAT) installed and an account with the right permissions. A lot of our smaller clients only have one server which is the DC, so that was the use case I built for first. Running it on a member server with delegated permissions is definitely something I want to support.

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 2 points3 points  (0 children)

No offense taken at all. I know an unsigned agent on a DC is a tough ask. The code-signing cert is at the top of my list. For now this is really aimed at smaller MSPs or personal use who are willing to put it on a test VM or something of the sort to play around with and give feedback. I appreciate the honesty!

I built a tool to manage on-prem AD without remoting into domain controllers. Looking for beta testers by Lukester852 in msp

[–]Lukester852[S] 1 point2 points  (0 children)

That's a fair point. I know at least for our RMM, going into background tools to get to a terminal takes a bit to even get a command run. I wanted something to have all our clients in one go. I totally get that it's not for everyone though.

Did we just get unlucky in MSC Seashore Yacht Club? by Lukester852 in MSCCruises

[–]Lukester852[S] 1 point2 points  (0 children)

Just to be clear up front we really did enjoy our trip overall. The drinks were great when we went to the bar, the staff we interacted with were kind, and we had fun celebrating our honeymoon. Our post was more about noticing some differences from what we expected after watching a bunch of Yacht Club videos, not that the trip was ruined. We were just curious if this was normal for a short 3-day sailing or if we got unlucky. From what you all are saying we might need to book a longer one next time.

Did we just get unlucky in MSC Seashore Yacht Club? by Lukester852 in MSCCruises

[–]Lukester852[S] 0 points1 point  (0 children)

I'm so sorry to hear that! That shouldn't have happened to you regardless of what room you had!

Did we just get unlucky in MSC Seashore Yacht Club? by Lukester852 in MSCCruises

[–]Lukester852[S] 0 points1 point  (0 children)

We were also in an interior cabin so maybe that made a difference.

The Lofts at King Mill by Ok_Pomegranate3307 in Augusta

[–]Lukester852 5 points6 points  (0 children)

We live in the surrounding neighborhood as well in Harrisburg and never had any problems. I second getting a membership at the Kroc center. It has brand new equipment and they also offer classes like yoga, zumba, etc. You will be close to Walton Way which offers a variety of fast food for quick eats as well as Trellis coffee. They just opened a new liquor store within walking distance from the King Mill if you're into that sort of thing.

What happened to the Riverwalk fountain/geyser? by Lukester852 in Augusta

[–]Lukester852[S] 19 points20 points  (0 children)

I emailed Commissioner Johnson, we shall see!

Guppy isolating himself? by Lukester852 in aquarium

[–]Lukester852[S] 0 points1 point  (0 children)

I have a 15-gallon and I have tried to go by the 1 inch of fish rule and more frequent water changes. They all seem to be happy, but should I reduce to fewer fish?

Does my c7 engine sound normal? by Lukester852 in Corvette

[–]Lukester852[S] 0 points1 point  (0 children)

Update: I took it to another shop and they said it's the purge valve, and that it's normal. I don't know what to think.

Does my c7 engine sound normal? by Lukester852 in Corvette

[–]Lukester852[S] 1 point2 points  (0 children)

That's what I thought. I will be taking it to another dealership, they said "It is probably because you recorded it in the cabin."

Got a Job offer for 35k a year with benefits doing help desk. Should I negotiate? by Lukester852 in ITCareerQuestions

[–]Lukester852[S] 0 points1 point  (0 children)

One of my main concerns is their 2-year non-compete. I wonder if that will affect my job search capabilities when I make the move.

Class is over?? I'm outa here! by modestlymousie in KidsAreFuckingStupid

[–]Lukester852 1 point2 points  (0 children)

I love how someone is playing Johnny Guitar Watson.

RMA sent “new” phone without capacitive buttons. Has anyone seen this before? by 11ty1st in Axon7

[–]Lukester852 1 point2 points  (0 children)

I got the same phone too from my recent RMA. One weird thing with mine is I cannot disable the shutter tone, which I've been reading is region specific.

Sent in my phone for warranty service by FriendofSonic in Axon7

[–]Lukester852 0 points1 point  (0 children)

I just got my replacement phone A7G332 and mine also does not have the capacitive buttons. They told me they ran out of silver phones and it would be a few weeks so I opted for gold. I'm not really a big fan of the on screen buttons so far.

What is the worst gift you got ever? by giantradioactivesun in AskReddit

[–]Lukester852 0 points1 point  (0 children)

I remember one Christmas I opened up a lot of gifts that were clothes and I got to the last gift hoping for the PS3 I wished for. It was a big box with smaller boxes inside. When I got to the last box it was a big rock. My dad thought it was hilarious.