Local Active Directory
Manage on-premises Active Directory users, groups, and OUs through natural conversation.
Dex connects to your on-premises Active Directory so CoAdmin can handle everyday AD user and group tasks in plain language. Built for organizations that keep identities on-prem and sync one-way to Entra ID, Dex creates, enables, disables, updates, and deletes AD users, resets passwords, unlocks accounts, sets account expiration, and manages groups and organizational units - all with policy guardrails. Self-service password reset and unlock are limited to the requester's own account, while admin actions require approval.
What Dex does with Local Active Directory
Dex handles both admin workflows and employee self-service — all policy-guardrailed and audit-logged.
For admins (CoAdmin)
- Create, enable, disable, update, and delete on-prem AD user accounts
- Reset passwords, unlock accounts, and set account expiration dates
- Manage AD groups - add and remove members, list and find groups
- Manage organizational units (OUs) and browse the directory structure
- Handle identities for environments that sync one-way from on-prem AD to Entra ID
For employees (self-service)
- Reset your own AD password
- Unlock your own account after too many failed sign-ins
- Check whether your account is locked or about to expire
Just ask Dex
Your team types a request in plain language. Dex investigates, plans, and executes — with the right guardrails.
Admin prompts
- >Create an AD user for Dana Levi in the Marketing OU and add her to the "Marketing" and "All-Staff" groups
- >Disable the account for jsmith and remove him from all groups
- >Reset the password for contoso\mwong and require a change at next sign-in
- >Set the account expiration for the contractor "tkadosh" to the end of next month
- >Which security groups is dlevi a member of?
Employee prompts
- >Reset my password
- >Unlock my account - I got locked out
- >Is my account about to expire?
Policy actions
Every action Dex can take on Local Active Directory is declared, scoped, and guardrailed. Admins control which apply, who approves them, and whether they're limited to self-service.
| Action | What it does |
|---|---|
| active_directory_self_service | Reset password and unlock account for the requester's own account |
| active_directory_manage_users | Create, enable, disable, update, and delete AD users and reset other users' passwords |
| active_directory_manage_groups | Manage AD groups and organizational units, including membership changes |
How to configure Local Active Directory
Onboarding takes minutes. Dex validates your credentials before saving them.
Setup steps
1. Deploy the Dex on-prem connector/agent on a domain-joined Windows host that can reach a domain controller.
2. Create a dedicated service account in Active Directory with the delegated permissions Dex should use (user and group management on the target OUs).
3. Grant the service account only the OUs and operations you want Dex to manage, following least privilege.
4. Register the connector in Dex and provide the domain, the service account credentials, and the base OU scope.
5. Dex validates connectivity to the domain controller before saving, then you configure policy actions and approval requirements.
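One way to check the least-privilege setup from steps 2 and 3 before registering the connector, as an added example (not Dex's or CoAdmin's own tooling). The account name `svc-dex` is the page's example; the base OU distinguished name and the list of privileged group names are assumptions to replace with your own.

```powershell
# Added audit example, not part of Dex. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$SvcSam = 'svc-dex'                                # example account name from the page
$BaseOu = 'OU=Managed,DC=corp,DC=contoso,DC=com'   # constructed placeholder DN
# Assumption: default English names of the built-in privileged groups.
$Privileged = 'Domain Admins','Enterprise Admins','Schema Admins',
              'Administrators','Account Operators'

$svc     = Get-ADUser -Identity $SvcSam
$domain  = Get-ADDomain
$account = "$($domain.NetBIOSName)\$SvcSam"        # form used in ACE IdentityReference

# 1. Nested group membership via the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
#    (A DN containing filter metacharacters would need escaping first.)
$filter = "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))"
$bad = Get-ADGroup -LDAPFilter $filter | Where-Object { $Privileged -contains $_.Name }

# Allow ACEs granted directly to the service account on one directory object.
function Get-AccountAce([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow'
    }
}

# 2. On the base OU, flag rights that let the account rewrite the ACL or owner.
#    GenericAll contains both bits, so it is caught by the same mask.
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]
$ControlBits = $Rights::WriteDacl -bor $Rights::WriteOwner
$ouAces      = Get-AccountAce $BaseOu
$overbroad   = $ouAces | Where-Object { ($_.ActiveDirectoryRights -band $ControlBits) -ne 0 }

# 3. Any allow ACE at the domain root means the delegation is wider than the base OU.
$rootAces = Get-AccountAce $domain.DistinguishedName

[pscustomobject]@{
    Account           = $account
    PrivilegedGroups  = @($bad | ForEach-Object Name)
    BaseOuAceCount    = @($ouAces).Count
    ControlRightsOnOu = @($overbroad | ForEach-Object { "$($_.ActiveDirectoryRights)" })
    DomainRootAces    = @($rootAces  | ForEach-Object { "$($_.ActiveDirectoryRights)" })
    Pass              = (-not $bad) -and (-not $overbroad) -and (-not $rootAces)
}
```

The ACE checks match only entries granted to the account directly; rights delegated through a group appear under that group's identity and need the same review.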
Credentials required
- domain: Active Directory domain (e.g., corp.contoso.com)
- service_account: Service account username with delegated AD management rights (e.g., CORP\svc-dex)
- service_account_password: Password for the AD service account
- base_ou: Optional base OU distinguished name to scope which objects Dex can manage
Requirements
- An on-premises Active Directory domain with a reachable domain controller
- A domain-joined host to run the Dex on-prem connector/agent
- A delegated service account scoped to the OUs and operations Dex should manage
- Designed for one-way on-prem-to-Entra ID sync scenarios