n8n-nodes-ad-admin
v1.0.12
n8n community node for administering Active Directory via LDAPS with official Docker Collector support
The most complete Active Directory automation node for n8n
Manage Users, Groups, and Organizational Units with full LDAPS support and dynamic dropdowns
☕ Support this project
If you find this node useful, consider buying me a coffee! Your support helps maintain and improve this package. 🚀
✨ Features
👥 User Management
- ✅ Create users with complete configuration
- ✅ Enable/Disable user accounts
- ✅ Reset Password with LDAPS security
- ✅ Set Attributes with dynamic dropdown selection
- ✅ Get User with all properties and account flags
- ✅ List Users with advanced filtering
- ✅ Find by sAMAccountName for quick searches
- ✅ Get User Groups with nested group detection
- ✅ Get User Activity (last login, password info)
- ✅ Unlock Account for locked users
- ✅ Check Password Expiry with policy detection
👬 Group Management
- ✅ Create security or distribution groups
- ✅ Get group details with member list
- ✅ List groups with type and scope filters
- ✅ Modify group attributes
- ✅ Delete groups
- ✅ Add Member to groups
- ✅ Remove Member from groups
- 🎯 Group Types: Security / Distribution
- 🎯 Group Scopes: Global / Domain Local / Universal
🗂️ Organizational Unit Management
- ✅ Create new OUs
- ✅ Get OU details
- ✅ List OUs with search filters
- ✅ Modify OU attributes
- ✅ Delete OUs
🎯 Advanced Features
- 🔐 Full LDAPS Support with custom certificates
- 🔍 Dynamic Dropdowns for groups, OUs, and attributes
- ⚡ Smart Attribute Selection - No more manual typing!
- 📊 Detailed Activity Tracking - Login times, password changes
- 🔒 Certificate Validation - System CA, skip, or custom certificate
- 🌐 DNS & IP Support - Flexible connection options
- ⚙️ Comprehensive Error Handling - Clear messages and reconnection logic
📦 Installation
Method 1: Via n8n Community Nodes (Recommended)
- Open your n8n instance
- Go to Settings → Community Nodes
- Click Install
- Enter package name: n8n-nodes-ad-admin
- Click Install
Method 2: Via npm
# For n8n installed globally
npm install -g n8n-nodes-ad-admin
# For n8n in a specific directory
cd /path/to/n8n
npm install n8n-nodes-ad-admin
# Restart n8n after installation
Method 3: Docker
# Add to your n8n Dockerfile
FROM n8nio/n8n
RUN npm install -g n8n-nodes-ad-admin
Or using docker-compose:
version: '3'
services:
  n8n:
    image: n8nio/n8n
    environment:
      - N8N_COMMUNITY_PACKAGES=n8n-nodes-ad-admin
    # ... rest of your config
⚙️ Configuration
Prerequisites
- Active Directory Domain Controller with LDAP/LDAPS enabled
- Service Account with appropriate permissions:
- Create/modify/delete users
- Create/modify/delete groups
- Create/modify/delete OUs
- Reset passwords
- Manage group membership
Connection Modes
This node supports two connection modes:
🔗 Direct Mode (Default)
Connect directly from n8n to your Active Directory server using LDAP/LDAPS protocol.
Best for:
- On-premises n8n installations
- Direct network access to domain controllers
- Small to medium deployments
🐳 Collector Mode (Docker)
Use the official AD Collector Docker container as an API gateway to your Active Directory.
Best for:
- Cloud-hosted n8n instances
- Enterprise environments with network restrictions
- Multi-tenant deployments
- Better security isolation
| Feature | Direct Mode | Collector Mode |
|---------|-------------|----------------|
| Network Access | Requires LDAP ports (389/636) | Only HTTP/HTTPS (8443) |
| Setup Complexity | Medium | Simple (Docker one-liner) |
| Certificate Management | Per workflow credential | Centralized in collector |
| Performance | Direct connection | Connection pooling |
| Authentication | LDAP Bind DN/Password | JWT Bearer Token |
| Best for | Small deployments | Enterprise/Cloud |
📦 Docker Collector Links:
- Docker Hub: fuskerrs97/ad-collector-n8n
- GitHub: docker-ad-collector-n8n
- Full Documentation: COLLECTOR.md
Quick Start with Collector:
docker run -d \
--name ad-collector \
-e LDAP_URL=ldaps://dc.example.com:636 \
-e LDAP_BASE_DN=DC=example,DC=com \
-e LDAP_BIND_DN=CN=n8n-service,CN=Users,DC=example,DC=com \
-e LDAP_BIND_PASSWORD=YourSecurePassword \
-e LDAP_TLS_VERIFY=false \
-p 8443:8443 \
--restart unless-stopped \
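fuskerrs97/ad-collector-n8n:latest
This quick start sets LDAP_TLS_VERIFY=false; as with the Skip Validation option described below, keep certificate verification on in production.
See COLLECTOR.md for complete Collector Mode documentation.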
Creating Credentials (Direct Mode)
- In n8n, go to Credentials → New → Active Directory API
- Configure the following:
| Field | Example | Description |
|-------|---------|-------------|
| Connection Type | LDAPS (Secure - Port 636) | Always use LDAPS in production |
| Host Type | DNS Name | Choose DNS or IP |
| Host | DC-01.example.com | Your domain controller |
| Port | 636 | 636 for LDAPS, 389 for LDAP |
| Base DN | DC=example,DC=com | Your domain base |
| Bind DN | CN=n8n-service,CN=Users,DC=example,DC=com | Service account DN |
| Password | ••••••••• | Service account password |
| TLS Certificate Validation | System CA Bundle | Certificate validation method |
| Connect Timeout | 10000 | Timeout in milliseconds |
TLS Certificate Options
- System CA Bundle: Use system-trusted certificates (default, recommended)
- Skip Validation: ⚠️ Ignore certificate errors (self-signed only, NOT for production)
- Custom Certificate: Provide your own Root CA certificate in PEM format
Example custom certificate:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIQPTxrAJiCX4pIRFX3zmhqoDANBgkqhkiG...
-----END CERTIFICATE-----
📚 Operations Guide
User Operations
Create a new Active Directory user with full configuration.
Parameters:
- User CN: Full name (e.g., "John Doe")
- Parent OU DN: Where to create the user
- sAMAccountName: Login name (max 20 chars)
- User Principal Name: email-like format ([email protected])
- Initial Password: Must meet AD policy
- Must Change Password: Force change at next logon
- Enable Account Immediately: Activate after creation
Example:
{
"resource": "user",
"operation": "create",
"cn": "John Doe",
"parentOuDn": "OU=Users,DC=example,DC=com",
"samAccountName": "jdoe",
"upn": "[email protected]",
"initialPassword": "TempPass123!",
"pwdMustChange": true,
"enableImmediately": true
}
Result:
{
"success": true,
"dn": "CN=John Doe,OU=Users,DC=example,DC=com",
"sAMAccountName": "jdoe",
"enabled": true,
"mustChangePassword": true
}
Retrieve complete user information including account flags and properties.
Example:
{
"resource": "user",
"operation": "getUser",
"getUserSAM": "jdoe",
"includeAllProperties": true
}
Result includes:
- Basic info (name, email, phone)
- Account status (enabled, locked, expired)
- Account flags (passwordNeverExpires, cannotChangePassword, etc.)
- Group memberships
- Timestamps (created, modified, last logon)
Search and list users with advanced filtering.
Filter Types:
- Exact Match
- Starts With
- Contains
- Ends With
Search Fields:
- sAMAccountName (login name)
- displayName (full name)
- userPrincipalName (UPN)
- givenName (first name)
- sn (last name)
- mail (email)
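How the filter types and search fields listed above map onto an LDAP search filter, as an added example that is not taken from this package's source. `buildUserFilter` and `escapeFilterValue` are hypothetical names, and the filter type keys other than `contains` are assumed. The search value is escaped per RFC 4515 and the field is checked against the six listed attributes, so a value arriving from a webhook cannot change the shape of the filter.

```javascript
// Added illustration; not the node's own code. Function names are hypothetical.
// Only "contains" appears on this page; the other filterType keys are assumed.
const SEARCH_FIELDS = new Set([
  'sAMAccountName', 'displayName', 'userPrincipalName', 'givenName', 'sn', 'mail',
]);

// The wildcard comes from the filter type, never from the caller's input.
const PATTERNS = new Map([
  ['exact', (v) => v],
  ['startsWith', (v) => `${v}*`],
  ['contains', (v) => `*${v}*`],
  ['endsWith', (v) => `*${v}`],
]);

// RFC 4515: \ * ( ) and NUL become a backslash plus two hex digits.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\u0000]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

function buildUserFilter({ filterType, searchField, searchValue }) {
  if (!SEARCH_FIELDS.has(searchField)) {
    throw new Error(`Unsupported search field: ${searchField}`);
  }
  const pattern = PATTERNS.get(filterType);
  if (!pattern) {
    throw new Error(`Unsupported filter type: ${filterType}`);
  }
  if (typeof searchValue !== 'string' || searchValue === '') {
    throw new Error('searchValue must be a non-empty string');
  }
  const assertion = `${searchField}=${pattern(escapeFilterValue(searchValue))}`;
  // objectCategory=person keeps computer accounts out of a user search.
  return `(&(objectCategory=person)(objectClass=user)(${assertion}))`;
}

// Constructed inputs: a normal search, and a value that carries filter syntax.
const samples = [
  { filterType: 'contains', searchField: 'displayName', searchValue: 'john' },
  { filterType: 'exact', searchField: 'sAMAccountName', searchValue: 'j*)(mail=*' },
];
for (const s of samples) console.log(buildUserFilter(s));
```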
Example:
{
"resource": "user",
"operation": "listUsers",
"filterType": "contains",
"searchValue": "john",
"searchField": "displayName",
"maxResults": 50
}
Get all groups a user belongs to, including nested groups.
Example:
{
"resource": "user",
"operation": "getUserGroups",
"getUserGroupsSAM": "jdoe",
"includeNested": true,
"groupDetails": "full"
}
Result:
{
"groups": [
{
"name": "IT Staff",
"distinguishedName": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"description": "IT Department",
"inherited": false
},
{
"name": "Domain Users",
"distinguishedName": "CN=Domain Users,CN=Users,DC=example,DC=com",
"inherited": true
}
]
}
Retrieve user activity information including login times and password details.
Activity Types:
- All Activity
- Login Only
- Password Only
Example:
{
"resource": "user",
"operation": "getUserActivity",
"getUserActivitySAM": "jdoe",
"activityType": "all"
}
Result:
{
"loginInfo": {
"lastLogon": "2025-01-28T14:30:00.000Z",
"lastLogonTimestamp": "2025-01-28T14:30:00.000Z",
"logonCount": 42,
"badPasswordCount": 0,
"isLockedOut": false
},
"passwordInfo": {
"passwordLastSet": "2025-01-15T09:00:00.000Z",
"mustChangePassword": false,
"passwordNeverExpires": false
},
"accountInfo": {
"whenCreated": "2024-12-01T10:00:00.000Z",
"whenChanged": "2025-01-28T14:30:00.000Z",
"isEnabled": true
}
}
Unlock a locked user account.
Example:
{
"resource": "user",
"operation": "unlockAccount",
"unlockAccountSAM": "jdoe"
}
Result:
{
"wasLocked": true,
"unlocked": true,
"message": "Account unlocked successfully"
}
Check when a user's password will expire.
Example:
{
"resource": "user",
"operation": "checkPasswordExpiry",
"checkPasswordExpirySAM": "jdoe"
}
Result:
{
"passwordNeverExpires": false,
"mustChangePassword": false,
"expired": false,
"daysUntilExpiry": 45,
"expiryDate": "2025-03-15T09:00:00.000Z",
"message": "Password expires in 45 day(s)"
}
Modify user attributes with dynamic dropdown selection.
Supported Attributes (dropdown):
- Display Name
- First Name (Given Name)
- Last Name (Surname)
- Telephone Number
- Mobile
- Title
- Department
- Company
- Manager
- Description
- Office
- Street Address
- City
- State/Province
- Postal Code
- Country
Example:
{
"resource": "user",
"operation": "setAttributes",
"dn": "CN=John Doe,OU=Users,DC=example,DC=com",
"attributes": [
{
"name": "title",
"values": ["Senior Developer"],
"op": "replace"
},
{
"name": "department",
"values": ["IT"],
"op": "replace"
}
]
}
Group Operations
Create a new security or distribution group.
Group Types:
- Security: Can be used for permissions
- Distribution: Email distribution only
Group Scopes:
- Global: Can be used across domains
- Domain Local: Local to current domain
- Universal: Can be used across forests
Example:
{
"resource": "group",
"operation": "create",
"groupName": "IT Staff",
"groupParentDn": "OU=Groups,DC=example,DC=com",
"groupType": "security",
"groupScope": "global",
"groupDescription": "IT Department Staff",
"groupSamAccountName": "IT-Staff"
}
Result:
{
"success": true,
"dn": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"name": "IT Staff",
"samAccountName": "IT-Staff",
"groupType": "security",
"scope": "global"
}
Retrieve complete group information including members.
Example:
{
"resource": "group",
"operation": "get",
"groupDn": "CN=IT Staff,OU=Groups,DC=example,DC=com"
}
Result:
{
"distinguishedName": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"name": "IT Staff",
"samAccountName": "IT-Staff",
"description": "IT Department Staff",
"groupType": "security",
"scope": "global",
"memberCount": 5,
"members": [
"CN=John Doe,OU=Users,DC=example,DC=com",
"CN=Jane Smith,OU=Users,DC=example,DC=com"
]
}
List groups with advanced filtering.
Filters:
- Search by name
- Filter by type (Security/Distribution/All)
- Filter by scope (Global/Domain Local/Universal/All)
- Limit results
Example:
{
"resource": "group",
"operation": "list",
"groupSearchFilter": "IT",
"groupFilterType": "security",
"groupFilterScope": "global",
"groupMaxResults": 50
}
Update group attributes using dynamic dropdown.
Supported Attributes:
- Description
- Display Name
- Info
- Managed By
Example:
{
"resource": "group",
"operation": "modify",
"groupDn": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"groupAttributes": [
{
"name": "description",
"value": "Updated IT Department description"
}
]
}
Manage group membership.
Add Member Example:
{
"resource": "group",
"operation": "addMember",
"userDn": "CN=John Doe,OU=Users,DC=example,DC=com",
"groupDn": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"skipIfMember": true
}
Remove Member Example:
{
"resource": "group",
"operation": "removeMember",
"userDn": "CN=John Doe,OU=Users,DC=example,DC=com",
"groupDn": "CN=IT Staff,OU=Groups,DC=example,DC=com",
"skipIfNotMember": true
}
Organizational Unit Operations
Create a new Organizational Unit.
Example:
{
"resource": "ou",
"operation": "create",
"ouName": "IT Department",
"ouParentDn": "DC=example,DC=com",
"ouDescription": "Information Technology"
}
Result:
{
"success": true,
"dn": "OU=IT Department,DC=example,DC=com",
"name": "IT Department"
}
Retrieve OU details.
Example:
{
"resource": "ou",
"operation": "get",
"ouDn": "OU=IT Department,DC=example,DC=com"
}
List Organizational Units with optional search filter.
Example:
{
"resource": "ou",
"operation": "list",
"ouParentDnList": "DC=example,DC=com",
"ouSearchFilter": "IT"
}
Update OU attributes.
Example:
{
"resource": "ou",
"operation": "modify",
"ouDn": "OU=IT Department,DC=example,DC=com",
"ouAttributes": [
{
"name": "description",
"value": "Updated IT Department"
}
]
}
Delete an Organizational Unit (must be empty).
Example:
{
"resource": "ou",
"operation": "delete",
"ouDn": "OU=Old Department,DC=example,DC=com"
}
🎯 Use Cases
1. Automated User Onboarding
Create a workflow that:
- Receives webhook with new employee data
- Creates AD user account
- Adds to appropriate groups
- Sends welcome email with temp password
- Creates calendar event for IT setup
2. Password Expiry Notifications
Create a scheduled workflow that:
- Lists all users
- Checks password expiry for each
- Sends notification email 7 days before expiry
- Generates report for IT team
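The arithmetic behind a password-expiry check and the 7-day notification window in this use case, added here as an example and not taken from the node's source. It assumes the raw AD attributes `pwdLastSet`, `userAccountControl` and the domain's `maxPwdAge` are available; the function names and the sample values are constructed, and the output uses the field names of the Check Password Expiry result shown earlier.

```javascript
// Added illustration; not the node's own code. Pass 64-bit attributes as strings.
// Fine-grained password policies (PSOs) are not considered, only the domain maxPwdAge.
const EPOCH_DIFF_MS = 11644473600000n;    // 1601-01-01 to 1970-01-01, in ms
const UAC_DONT_EXPIRE_PASSWORD = 0x10000; // userAccountControl bit
const DAY_MS = 86400000;

// AD timestamps (FILETIME) count 100 ns ticks since 1601-01-01 UTC.
function filetimeToDate(filetime) {
  return new Date(Number(BigInt(filetime) / 10000n - EPOCH_DIFF_MS));
}

function passwordExpiry({ pwdLastSet, userAccountControl, maxPwdAge }, now = new Date()) {
  const lastSet = BigInt(pwdLastSet);
  const maxAge = BigInt(maxPwdAge);       // stored as a negative tick count
  const base = {
    passwordNeverExpires: false, mustChangePassword: lastSet === 0n,
    expired: false, daysUntilExpiry: null, expiryDate: null,
  };
  const flagged = (Number(userAccountControl) & UAC_DONT_EXPIRE_PASSWORD) !== 0;
  // maxPwdAge of 0 or the minimum 64-bit value means the domain sets no maximum age.
  if (flagged || maxAge === 0n || maxAge === -(2n ** 63n)) {
    return { ...base, passwordNeverExpires: true };
  }
  // pwdLastSet = 0 means "must change at next logon": treat as already expired.
  if (lastSet === 0n) return { ...base, expired: true, daysUntilExpiry: 0 };
  const expiry = filetimeToDate(lastSet - maxAge);
  const msLeft = expiry.getTime() - now.getTime();
  return {
    ...base, expired: msLeft <= 0,
    daysUntilExpiry: Math.max(Math.floor(msLeft / DAY_MS), 0),
    expiryDate: expiry.toISOString(),
  };
}

// Use case 2: notify when expiry is at most windowDays away and not yet passed.
function needsNotice(result, windowDays = 7) {
  return !result.passwordNeverExpires && !result.expired &&
    result.daysUntilExpiry !== null && result.daysUntilExpiry <= windowDays;
}

// Constructed sample: password set 2025-01-15T09:00Z, 59-day maximum age.
const sample = {
  pwdLastSet: '133814052000000000', userAccountControl: 512,
  maxPwdAge: '-50976000000000',
};
console.log(passwordExpiry(sample, new Date('2025-01-29T09:00:00.000Z')));
```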
3. Group Membership Audit
Create a workflow that:
- Gets all security groups
- For each group, gets members
- Exports to Excel/CSV
- Emails to security team monthly
4. Account Unlock Helpdesk
Create a webhook workflow that:
- Receives unlock request from helpdesk
- Verifies user identity
- Unlocks account
- Sends confirmation to user and helpdesk
5. Organizational Restructuring
Create a workflow to:
- Create new OU structure
- Create security groups
- Move users to new OUs
- Update group memberships
- Generate migration report
🔒 Security Best Practices
1. Always Use LDAPS
- ✅ DO: Use LDAPS (port 636) in production
- ❌ DON'T: Use unsecured LDAP (port 389) for production
2. Certificate Validation
- ✅ DO: Use proper SSL/TLS certificates
- ✅ DO: Validate certificates in production
- ❌ DON'T: Skip certificate validation in production
3. Service Account Permissions
- ✅ DO: Use dedicated service account with minimal permissions
- ✅ DO: Enable account auditing
- ❌ DON'T: Use Domain Admin account
4. Password Security
- ✅ DO: Enforce strong password policies
- ✅ DO: Use n8n's credential system for passwords
- ✅ DO: Force password change at first logon
- ❌ DON'T: Store passwords in workflow data
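A check for the last point, added here as an example that is not part of n8n or of this package: it walks an exported workflow and reports node parameters whose name looks like a password field and whose value is a literal string. It relies on n8n storing expression values as strings that begin with `=`; the function name, the node `type` values and the sample workflow are constructed.

```javascript
// Added illustration; not part of n8n or of this package.
const SECRET_KEY = /password|passwd|pwd|secret/i;

// Returns [{ node, parameter }] for literal secrets. The value itself is never
// copied into the findings, so the report can be shared or logged.
function findLiteralSecrets(workflow) {
  const findings = [];
  const walk = (value, key, path, node) => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => walk(v, key, `${path}[${i}]`, node));
    } else if (value !== null && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) {
        walk(v, k, path ? `${path}.${k}` : k, node);
      }
    } else if (typeof value === 'string' && value !== '' &&
               !value.startsWith('=') && SECRET_KEY.test(key)) {
      // A leading "=" marks an n8n expression, resolved at run time.
      findings.push({ node, parameter: path });
    }
  };
  for (const n of workflow.nodes || []) {
    walk(n.parameters || {}, '', '', n.name);
  }
  return findings;
}

// Constructed sample export: the first node hard-codes the initial password,
// the second takes it from an expression. Booleans such as pwdMustChange
// are ignored because only string values are inspected.
const sampleWorkflow = {
  name: 'Onboarding (constructed sample)',
  nodes: [
    {
      name: 'Create AD user',
      type: 'example.adNode', // placeholder type name
      parameters: {
        resource: 'user', operation: 'create', samAccountName: '={{ $json.login }}',
        initialPassword: 'TempPass123!', pwdMustChange: true,
      },
    },
    {
      name: 'Create AD user (expression)',
      type: 'example.adNode',
      parameters: { resource: 'user', options: { initialPassword: '={{ $json.temp }}' } },
    },
  ],
};
console.log(findLiteralSecrets(sampleWorkflow));
```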
5. Monitoring & Auditing
- ✅ DO: Monitor AD logs for suspicious activity
- ✅ DO: Enable n8n execution logging
- ✅ DO: Review failed operations regularly
🐛 Troubleshooting
Connection Issues
Problem: Cannot connect to domain controller
Solutions:
- Verify DC hostname/IP is correct
- Check firewall allows port 636 (LDAPS) or 389 (LDAP)
- Test connectivity: telnet dc.example.com 636
- Verify service account credentials
Certificate Issues
Problem: SSL certificate validation fails
Solutions:
- Verify certificate is properly installed on DC
- Check certificate chain is complete
- Import Root CA certificate if self-signed
- Use "Skip Validation" for testing only
Password Operations Fail
Problem: Cannot set or reset passwords
Solutions:
- Use LDAPS: Password operations require encrypted connection
- Verify password meets AD complexity requirements
- Check service account has "Reset Password" permission
- Ensure user account is not protected from password changes
Permission Denied
Problem: Operations fail with "Insufficient Access Rights"
Solutions:
- Verify service account has required permissions
- Check OU/object permissions
- Review delegation of control settings
- Ensure service account is not locked
Timeout Errors
Problem: Operations timeout
Solutions:
- Increase connection timeout in credentials
- Check network latency to DC
- Verify DC is not overloaded
- Test with smaller batch operations
📊 Version History
v0.2.0 (2025-01-29) - MAJOR UPDATE 🎉
NEW RESOURCES:
- ➕ Organizational Units (OU) - Full CRUD operations
- ➕ Enhanced Group Management - Full CRUD + advanced features
NEW OPERATIONS:
- ✨ OU: Create, Get, List, Modify, Delete
- ✨ Groups: Create (with type/scope), Get, List (with filters), Modify, Delete
- ✨ Users: Get User Groups, Get User Activity, Unlock Account, Check Password Expiry
IMPROVEMENTS:
- 🎯 Dynamic Dropdowns for Groups, OUs, and Attributes
- 🔍 Advanced Filtering for Groups (type, scope, search)
- 📊 Detailed User Activity Tracking
- 🔐 Group Type & Scope Management (Security/Distribution, Global/Domain Local/Universal)
- ✅ All text translated to English
- 🐛 Fixed checkPasswordExpiry timeout issue
v0.1.15 (2025-01-29) - SECURITY FIX
CRITICAL:
- 🔒 Removed test files containing credentials
- 🔒 Added .npmignore for security
- 🗑️ Unpublished vulnerable versions (0.1.0-0.1.14)
IMPROVEMENTS:
- 🌍 All French text translated to English
- 📝 Improved error messages
- 🐛 Bug fixes and stability improvements
Previous Versions
- 0.1.14 - Enhanced features (deprecated for security)
- 0.1.12 - Added Get User and List Users operations
- 0.1.11 - Custom SVG logo
- 0.1.10 - Fixed change.write is not a function error
- 0.1.0 - Initial release
💬 Support & Community
Get Help
- 📖 Documentation: You're reading it!
- 🐛 Bug Reports: GitHub Issues
- 💬 Discussions: GitHub Discussions
- 🌐 n8n Community: community.n8n.io
Show Your Support
Other ways to support:
- ⭐ Star the project on GitHub
- 🐦 Share on social media
- 📝 Write a blog post about your use case
- 🤝 Contribute code or documentation
🤝 Contributing
Contributions are welcome! Here's how you can help:
Report Bugs
Open an issue with:
- Clear description of the problem
- Steps to reproduce
- Expected vs actual behavior
- n8n version and node version
Suggest Features
Open a discussion with:
- Description of the feature
- Use case and benefits
- Proposed implementation (if technical)
Submit Pull Requests
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests if applicable
- Submit PR with clear description
Improve Documentation
- Fix typos or unclear sections
- Add examples or use cases
- Translate to other languages
- Create video tutorials
📄 License
MIT License - Copyright (c) 2025
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software.
See LICENSE file for full details.
🙏 Acknowledgments
- n8n Team - For creating an amazing automation platform
- ldapts - Excellent LDAP client library
- Community Contributors - Thank you for your feedback and support!
- You - For using this node! ❤️
🌐 Ecosystem
This node is part of a complete Active Directory automation solution:
📦 Core Package
- n8n-nodes-ad-admin - This npm package (n8n community node)
- GitHub Repository - Source code and documentation
🐳 Official Docker Collector (NEW!)
- AD Collector on Docker Hub - Official Docker image
- Collector Source Code - GitHub repository
- Image: fuskerrs97/ad-collector-n8n:latest (138 MB, Alpine Linux)
- Features: 26 REST API endpoints, JWT authentication, LDAPS support, connection pooling
- Documentation: COLLECTOR.md - Complete setup guide
🔗 Integration
┌─────────────┐         ┌──────────────────┐         ┌─────────────────┐
│     n8n     │ ──────> │   AD Collector   │ ──────> │ Active Directory│
│  Workflows  │  HTTP   │  Docker (8443)   │  LDAPS  │     Server      │
└─────────────┘         └──────────────────┘         └─────────────────┘
  (This node)            (Optional gateway)           (Domain Controller)
Choose your deployment:
- Direct Mode: n8n → Active Directory (LDAP/LDAPS)
- Collector Mode: n8n → AD Collector → Active Directory (HTTP + LDAPS)
🔗 Links
- npm: npmjs.com/package/n8n-nodes-ad-admin
- GitHub: github.com/Fuskerrs/n8n-nodes-ad-admin
- Docker Collector: hub.docker.com/r/fuskerrs97/ad-collector-n8n
- Collector Source: github.com/Fuskerrs/docker-ad-collector-n8n
- n8n: n8n.io
- Support: buymeacoffee.com/freelancerc5
Made with ❤️ for the n8n community
Active Directory automation made simple
