Directory Update

Flexible, easy-to-use, web-based, self-service tools for Active Directory

Directory Update is a web-based application that you host on your own internal Internet Information Server (IIS). Directory Update allows your end users to update their own information via a flexible self-service web page. The administrator controls which attributes the user is allowed to view and update. Advantages of Directory Update include:

  • Enabling the Active Directory to be an up-to-date and usable resource

  • Improved accuracy of the data in the Active Directory through the use of drop-down lists, required fields, default values, and “address sets” features

  • Localizable interface can be customized for any language (US English is the only language provided.)

  • Reduce trouble-tickets and load on the help desk by freeing up personnel from simple tasks such as changing a user’s phone number or address

  • Validate and enforce phone number formats

  • Ability to update almost any Active Directory attribute

  • Forms based or Integrated Windows Authentication (single sign-on)

  • An administrator can have Directory Update installed and fully functional in under an hour.

  • Directory Update is economically priced and licensed once per Active Directory domain

There are flexible and versatile applications that perform many of the same tasks as Directory Update, but cost 10 times what Directory Update costs; there are also similar applications that offer fewer features, less flexibility, and higher deployment costs.

The product is customized through the use of options available in XML files. The administrator adds/enables the fields that he/she wants made available to the users of Directory Update.

Directory Update was originally designed to be a web-based version of Microsoft’s GALMod utility. Every feature added since the very first version has been requested by our customers. We like to think that the product is completely customer driven.

Directory Update features include:

  • All Active Directory text and telephone number fields supported; the administrator defines which fields are visible and editable.

  • Interface can be localized to any language.

  • Field types can allow either free-form text, dropdown lists, or combination boxes.

  • Regular expression validation of data available such as telephone number fields

  • Logging of changes to text files and last date/time of changes to Active Directory

  • Email notification of changes (to the user, the user’s manager, and/or a predefined e-mail address)

  • Forms-based authentication or Integrated Windows Authentication

  • Multiple domains within the same forest can be supported on the same installation

  • Manager, Secretary, and Assistant fields available. These special lookup fields map to specific objects (users or contacts) in the Active Directory.

  • Required fields and default values for fields

  • Customizable help strings, help page, page title, window titles, attribute labels, and button titles

  •  Customizable field notes and examples

  • User can change their own password (if the Password Management tab is enabled)

Some of the elements of the Directory Update interface include drop-down lists, text boxes, labels, help text, examples, read-only (non-editable) fields, photo support, and an optional Password Management tab.

No pressure. No annoying salesmen. No registration. Just download the software.

We strongly urge all potential customers to download Directory Update, install it in your environment, and customize it for your use. You will see how easy it is to get Directory Update up and running.

You can download a fully functional evaluation version from the Software Downloads section of our Web site; the evaluation will be fully functional for 10 days with no limitations. We will not ask you for your e-mail address, telephone number, or first born; all you have to do is download the software. And, if you run into problems and have a question, we will give you the same great support we give our customers.

If you choose to buy the product, you can keep your customized configuration. Using the Configuration wizard, edit the Directory Update installation to add your license key and organization name.

The server on which Directory Update is installed must be a member of the same forest in which it will be used. Directory Update cannot be used against accounts in trusted domains that are located in another Active Directory forest.

Active Directory Requirements

Directory Update works against all versions of Active Directory including Windows 2000, Windows 2003, Windows 2008, and Windows 2008 R2.

Exchange Server Requirements

Directory Update does not require any version of Microsoft Exchange Server. We can use some attributes that are provided by the Exchange Server “schema” prep of the forest. To use attributes such as the extension attributes (aka custom attributes) we suggest you “prep” your forest with a minimum of Exchange Server 2003, but this is not necessary.

Server Operating System

  • Windows Server 2003 with SP2 (x86 or x64)
  • Windows Server 2003 R2 with SP2 (x86 or x64)
  • Windows Server 2008 with SP1 (x86 or x64)
  • Windows Server 2008 R2

Either the Standard Edition or Enterprise Edition is supported. Either a physical server or virtual server is supported. For Windows Server 2008, you must install the full installation. Server Core installations are not supported.

Internet Information Server

  • Internet Information Service (IIS) 6, 7, or 7.5
  • IIS 6 compatibility components must be installed if using Windows Server 2008 or Windows Server 2008 R2
  • ASP.NET must be enabled
  • .NET Framework v3.5 must be installed/enabled
  • Integrated Windows Authentication must be allowed

Microsoft/Windows Updates

Once the prerequisites are installed, we strongly recommend that you perform a Microsoft Update and install all recommended and critical updates.

Interoperability with Other Web Applications

Directory Update usually works fine with most web applications running on the same IIS server provided the server remains in a minimum of IIS 6 mode. We recommend against running Directory Update on the same server with Microsoft SharePoint.

Service / Proxy Account

All updates to the Active Directory are performed under the security context of a proxy account (sometimes called a service account.) While the proxy account can be restricted to a very minimum set of permissions, we recommend that the proxy account be a member of either the Account Operators or domain’s Administrators group. Here are some properties of the proxy account that you should take note of:

  • Name the account something recognizable such as SVC_DirectoryUpdate
  • Proxy account should have a strong password (15 characters)
  • Proxy account’s password must not expire

Application Pool

An application pool is a memory space in which a web application executes. Web applications are assigned to the DefaultAppPool by default, and that usually works. However, we strongly recommend creating an application pool for Ithicos applications. See this TechNote for more information.

  • Name the application pool something like IthicosAppPool
  • Application pool identity must run as the NetworkService user
  • 32-bit mode must be disabled

Installer’s Account

The person that installs Directory Update should use a user account that is both a domain account and a member of the server’s local Administrators group.

Secure Sockets Layer (SSL)

SSL is a security layer that protects HTTP data as it is transmitted across your network or the Internet. We strongly recommend that any web site that transmits personal data use SSL. Directory Update will work whether or not the web site uses SSL.

SSL uses a certificate that is “signed” by a certificate authority. We recommend that the certificate be issued by a certificate authority (CA) that is trusted by the browser clients that your users will be using. This prevents security warnings; users should never get used to ignoring security warnings.

Enabling SSL is a feature of Internet Information Server. The process will depend on the operating system.

Follow these links:

Browser Requirements

Directory Update uses ASP.NET and AJAX controls to create some enhanced functionality within the browser; some call this Web 2.0 technology. This means that it is not as simple as a standard web page and thus browsers must be carefully tested.

Our current releases support the following browser versions:

  • Internet Explorer 8.x
  • Internet Explorer 9.x
  • Firefox 4.x and later

We only update current versions of our software when a new browser is released. This does not mean that older versions of our software or other browsers (Safari or Chrome) will not work, but we may not support them if you have problems. We recommend customers stay on software maintenance so that they can upgrade to newer builds of the software as they become available.

Note also that Internet Explorer is required to use Integrated Windows Authentication.

Directory Update is simple to install as long as the prerequisites are all installed. Download the latest version from our Web site and unzip the DirectoryUpdate.msi file. Place the MSI file on the server’s local hard drive, such as in the c:\temp folder.

You can usually just double-click on the MSI file to launch the installer, but on Windows Server 2008, the User Account Control security settings may be set so tightly that you have to launch the installer from the command line (don’t forget to “Run As Administrator”) like so:

     msiexec.exe /i c:\temp\DirectoryUpdate.msi

  1. On the installation wizard welcome screen, Click Next

  2.  On the License Agreement screen, click “I Agree” and then click Next

  3.  On the Select Installation Address screen, most installations use the defaults. From this screen, you can select a different web site, virtual directory name, or application pool. When you have made your selection, click Next.

    Directory Update Installation Address

  4.  On the Confirm Installation screen, click Next

  5.  The installation takes between 30 seconds and 1 minute and then the Directory Settings configuration screen appears. You may have to select it from the task bar as it sometimes appears “behind” the installer.

  6.  On the Directory Settings screen, enter the host name of the domain controller, the DNS domain name of your Active Directory domain, the service/proxy account (in domain\username format), and the proxy account password. A common configuration problem is entering the FQDN of the domain controller in the Domain Controller text box; this text box is for the host (short) name of the domain controller. Click the “Test Directory Settings” button and then click Next.

    Directory Update - Specifying domain and service account information

  7.  On the Licensing Information Screen, copy and paste the organization name and license key that you were provided after you purchased the software. If you select the Evaluation checkbox, the software is fully functional in Evaluation mode for 10 days and you can run the configuration wizard later to provide the licensing information. Click Next when finished.

    Directory Update - Adding the license key

  8.  On the Directory Update Information screen, click Next

  9.  On the Installation Complete screen, click Close

  10.  Immediately test the installation by using a Web browser to visit http://localhost/DirectoryUpdate (the default URL if you are checking from the console of the server) or http://yourservername.yourcorp.local/DirectoryUpdate (if you are checking from elsewhere on your network).

You can now proceed to customizing the application.

Installation Checklist

  1. Test the default installation (with no customizations)

  2.  Edit the DirectorySettings.XML file to configure the fields that you want to use (visibility, required, dropdown versus text, validation formats, etc…)

  3.  Edit the AppSettings.XML file to customize the help text

  4.  Enable file logging and/or auditing in the AppSettings.XML file

  5.  Set file system permissions for photos and log files (if necessary)

File System Permissions

If you wish to use Directory Update to upload photos to the Active Directory, give the NETWORK SERVICE user all permissions but Full Control to the .\Photos folder. This means you must give NETWORK SERVICE the following permissions to that folder: Modify, Read & Execute, List Folder Contents, Read, and Write. The Photos folder is found (by default) at c:\inetpub\wwwroot\directoryupdate\photos.

Directory Update - Folder Permissions for Photos and Logs

If you wish to allow Directory Update to record a text (CSV) file log of all changes made using Directory Update, you must give the NETWORK SERVICE user the following permissions to the .\Logs folder: Modify, Read & Execute, List Folder Contents, Read, and Write. The .\Logs folder is found (by default) at c:\inetpub\wwwroot\directoryupdate\Logs.
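The following PowerShell check is an added example, not part of Directory Update or its documentation. It reports whether NETWORK SERVICE holds Modify without Full Control on the two folders above; the function names are hypothetical, and it assumes PowerShell 3.0 or later and the default installation paths given on this page.

```powershell
# Default folder locations given on this page; adjust if installed elsewhere.
$folders = 'C:\inetpub\wwwroot\directoryupdate\Photos',
           'C:\inetpub\wwwroot\directoryupdate\Logs'

# NETWORK SERVICE by well-known SID (S-1-5-20), so the check works on any OS language.
$networkService = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'

function Get-NetworkServiceAccess {
    param([string]$Path)

    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    if (-not (Test-Path -Path $Path -PathType Container)) {
        return [pscustomobject]@{ Path = $Path; Rights = 'folder not found'; Compliant = $false }
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $acl   = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Combine the Allow ACEs granted directly to NETWORK SERVICE. Rights that
    # reach the account through a group (Users, Everyone), Deny ACEs, and ACEs
    # expressed as generic rights are not interpreted here.
    $granted = 0
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $networkService.Value -and
            $rule.AccessControlType -eq 'Allow') {
            $granted = $granted -bor [int]$rule.FileSystemRights
        }
    }

    $hasModify = ($granted -band $modify) -eq $modify
    $hasFull   = ($granted -band $full) -eq $full
    [pscustomobject]@{
        Path      = $Path
        Rights    = [System.Security.AccessControl.FileSystemRights]$granted
        Compliant = $hasModify -and -not $hasFull
    }
}

# Hypothetical helper: grant Modify (not Full Control) with icacls.
# (OI)(CI) lets files and subfolders inherit the entry; M is Modify.
function Grant-NetworkServiceModify {
    param([string]$Path)
    & icacls.exe $Path /grant '*S-1-5-20:(OI)(CI)M'
}

$folders | ForEach-Object { Get-NetworkServiceAccess -Path $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt on the IIS server; a folder that is missing or that grants Full Control shows Compliant as False.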

Directory Update is customized almost entirely by editing option files. Most of these files take the format of an XML file. Prior to starting the customization work, we have a few recommendations:

  • Remember, XML is much pickier than HTML. Tag names and options are often case sensitive and all open tags must have a close tag

  • Get a good text editor – Notepad++ is both very good and free

  •  Always make backup copies of files before editing them

The configuration files are as follows:

  • DirectorySettings.xml – This is the primary configuration file; this is the file you will edit most often. It controls the fields that are visible/hidden, field labels, dropdown list options, field types, validation formats, required fields, default values, and more. When you edit this file, you may find many attributes that you did not realize exist in the Active Directory. There are many attributes that Microsoft does not use.

  • AppSettings.xml – This file controls options such as help text, logging, e-mail notification, error message text customization, button labels, enabling the Password Management tab, and filtering options for lookup boxes like the Manager box.

  • AddressSettings.xml – This file controls the Address Sets feature. The Address Sets feature allows the end user to pick a field (such as Office) and have other fields filled in automatically (such as street address, city, state, country, etc.). Once you create a list of offices, for example, and enable Address Sets, the office list no longer needs to be maintained in the DirectorySettings.XML file.

  • SubSettings.xml – This file allows you to define a parent-child relationship between 2 attributes. For example, you can define a relationship between a division and a department. If the user selects the “Information Technology” division, then they would only see a list of departments within that division.

  • PasswordSettings.xml – This file is used to define password policies if you enable the Password Management tab.

  • Style.css – This is the cascading style sheet. This can be used to change fonts and screen colors. Changes to this file can negatively affect the interface so only experienced web site developers should edit this file.

  • Web.Config – This file is the web application file. Typically, the only useful thing you can do in this file is to enable Integrated Windows Authentication.

The primary changes that most customers want to make are handled via the DirectorySettings.XML file. This file allows you to:

  • Change the field’s screen label
  • Set the field type
  • Add values for fields that use dropdown lists.
  • Hide / show a field
  • Make a field editable/read only
  • Set a default value for a text field
  • Make a field required
  • Define a validation format
  • Set a field to be double-wide
  • Set a field to be multi-line
  • Provide some example text below the field

Here is a typical “tag” from the DirectorySettings.xml file. The tag consists of the field name as well as options for that field that enable or disable particular features. This tag is for the company field:

<company label="Company" type="dropdown" visible="yes" editable="yes">
  <value>Company 1</value>
  <value>Company 2</value>
  <value>Company 3</value>
  <value>Company 4</value>
</company>

This "tag" produces a field on the Directory Update whose label is "Company", the type is a drop-down list, and there are 4 options in the drop-down list.

Directory Update - Sample field

Note with drop-down lists, if there is an existing value in the Active Directory and it is NOT one of the values in the dropdown list, then it will not be displayed in the dropdown list.


The label="Company" option displays the text “Company” next to the field.

Field Type

The type="dropdown" option allows you to define the field type. Valid field types are:

The text box allows the user to enter data in free-form text with no validation or control. The combo box has a drop-down list but the end user can enter free-form text also.

The other option (maskedText) is best used with phone number fields and allows you to define input guidance or field formatting. For example, you could use a maskedText option if you wanted a user to enter a phone number in a specific US format, such as this:

Directory Update - Masked text field

Below is an example of using the maskedText option for the office phone number field:

<officePhone label="Office Phone" type="maskedText" mask="(###) ###-####" visible="yes"
  editable="yes" validationFormat="" />

Visible or Hidden Fields

A field can either be hidden or visible on the interface. visible="yes" displays the field while visible="no" hides the field.

Editable or Read Only Fields

A field can be either editable or read only. In some situations you may want the user to see the current value in Active Directory but not edit that value. editable="yes" allows the field to be edited by the user while editable="no" sets the field to read only.

Required Fields

You can set a field to be required by adding the required="yes" option to the field’s tag. Here is an example making the title required:

<title label="Title" type="text" visible="yes" editable="yes" required="yes" />

Validation Format

Directory Update allows you to define a rule set for field content using regular expressions (regexes). There are two parts to this process. You must first define the validation format (including the format name, example text, and the regular expression that will be used). This is done in the validations section of the DirectorySettings.xml file. Below is an example of a regex that requires that a user enter a phone number in either of these two formats: (808) 555-4321 or (808) 555-4000 x4322:

<validation format="US-Phone" formatExample="Example: (808) 123-4567 or 808-123-4567 x4321" 
  regularExpression="((\(\d{3}\) ?)|(\d{3}-))\d{3}-\d{4}(( x)\d{1,5}| )?" />

Once you have created a validation format, such as the one above called US-Phone, you then need to add the validationFormat="US-Phone" option to the appropriate field. Below is an example of using that for the office phone number field.

<officePhone label="Office Phone" type="text" visible="yes" editable="yes" required="yes"
  validationFormat="US-Phone" />
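The following PowerShell check is an added example, not part of Directory Update or its documentation. It parses the two tags above, confirms that every validationFormat names a defined format, and shows what the US-Phone expression accepts as a substring match and as a whole-value match; the page does not say which of the two Directory Update applies. The `<settings>` root element, the function name, and the sample inputs are constructed for the example, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed fragment: <settings> is a placeholder root so the two tags from
# this page parse on their own; the layout of the real file may differ.
$fragment = @'
<settings>
  <validation format="US-Phone" formatExample="Example: (808) 123-4567 or 808-123-4567 x4321"
    regularExpression="((\(\d{3}\) ?)|(\d{3}-))\d{3}-\d{4}(( x)\d{1,5}| )?" />
  <officePhone label="Office Phone" type="text" visible="yes" editable="yes" required="yes"
    validationFormat="US-Phone" />
</settings>
'@

# The [xml] cast throws on malformed XML (unclosed tag, mismatched case, bad quote).
$doc = [xml]$fragment

# Index the defined formats by name. Casting to [regex] compiles the pattern,
# so a syntax error in regularExpression surfaces here.
$formats = @{}
foreach ($v in $doc.SelectNodes('//validation[@format]')) {
    $formats[$v.GetAttribute('format')] = [regex]$v.GetAttribute('regularExpression')
}

# A field whose validationFormat is non-empty must reference a defined format.
$dangling = @($doc.SelectNodes('//*[@validationFormat]') | Where-Object {
    $name = $_.GetAttribute('validationFormat')
    $name -ne '' -and -not $formats.ContainsKey($name)
})

function Test-ValidationFormat {
    param([regex]$Regex, [string[]]$Samples)

    # Whole-value form: the same pattern wrapped so it must span the entire input.
    $whole = [regex]('\A(?:' + $Regex.ToString() + ')\z')

    foreach ($s in $Samples) {
        [pscustomobject]@{
            Value      = $s
            Substring  = $Regex.IsMatch($s)   # pattern found anywhere in the value
            WholeValue = $whole.IsMatch($s)   # pattern covers the value end to end
        }
    }
}

# Constructed sample inputs.
$samples = @(
    '(808) 555-4321',
    '(808) 555-4000 x4322',
    '808-123-4567 x4321',
    '555-4321',
    'call (808) 555-4321 after 5pm',
    '(808) 555-43210000'
)

Test-ValidationFormat -Regex $formats['US-Phone'] -Samples $samples | Format-Table -AutoSize
"Fields referencing an undefined validation format: $($dangling.Count)"
```

The last two samples match only as substrings, so an expression intended to constrain the whole field should be tested in its whole-value form before it is relied on.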

Please note that our support personnel cannot assist you in creating custom regular expressions. We recommend you visit a site like htp://


Photo support has become one of our most popular features; this is because Microsoft is now displaying photos in Outlook 2010 and Lync clients if the photo is stored in the thumbnailPhoto attribute. Directory Update can upload the photo to either the thumbnailPhoto or jpegPhoto attributes in Active Directory. Below is the recommended photo tag using the thumbnailPhoto attribute and a size of 128x128:

<photo label="Add/Change Photo" type="file" visible="yes" editable="yes" 
  attribute="thumbnailPhoto" width="128" height="128" defaultValue="Images/noPhoto.gif" />

When the photo tag's editable="yes" option is set, the photo option appears in the General section of the user interface. When a user uploads a photo, the photo file is temporarily stored in the c:\inetpub\wwwroot\directoryupdate\photos folder until the user saves their information. At that time, the photo is then stored in the Active Directory. Here is a fun tip: upload your photo, but don't save your information. Look in that folder on the IIS server to see how big the photo will be in the Active Directory.

Directory Update - Luke Husky Photo

By default, the photos are stored in an attribute (thumbnailPhoto) as part of the user’s object in Active Directory. Regardless of the original photo file size, Directory Update “re-renders” the photo to the size specified in the DirectorySettings.xml file. Typical file sizes are between 5KB and 10KB. [Link to Photo TechNote]

Since we store the photo (by default) as a square image, we recommend the original source image also be square. Otherwise, the photo will look squashed or stretched.

Double Wide Fields

In some cases your data may not display properly when the field is half-width. If you want a field to be wider, add the doublewide="yes" option to the field’s tag:

<company label="Company" type="text" visible="yes" editable="yes" doublewide="yes" />

Note in the screen shot below that the Company field is a double-wide field while the Office field is a single-width (default) field.

Directory Update - Double wide field

Default Value

You can also specify a default value if the field type is a text box. This feature is only valuable if there is no data in the field to begin with.

<title label="Title" type="text" visible="yes" editable="yes" defaultvalue="Accountant" />

Multiline Fields

For most Active Directory data types, the multiline option is not very valuable, but for attributes like streetAddress or notes, it can be useful. Note that multi-line does not change how Active Directory stores the data, only how Directory Update displays it. Here is an example setting multiLine="yes" for the streetAddress field:

<streetAddress label="Street Address" type="text" visible="yes" editable="yes" multiLine="yes" />

Directory Update - Multiline field

Help Notes and Example Text

Directory Update is designed to help you provide as much help as necessary to the end user. This is in the form of a couple of different types of help fields. First, within each "section" of the user interface (such as General, Organization, Address, etc.), there is a note area at the bottom of the section. The image below shows the Telephones section; the note tag is at the bottom of the image:

Directory Update - Telephone section and Notes field

This corresponds to the following section in the DirectorySettings.XML file. If you do not need the note, then save yourself some screen space by setting the visible="no" option. Otherwise, you can customize the text to suit your organization's needs and best help your end users.

Directory Update - DirectorySettings.XML file Telephone Section

Each attribute can also have individual example text. This was originally intended for phone number fields, but you can add the example option to any tag.

Directory Update - Field example text

The following is an example of adding the example option to the officePhone tag.

<officePhone label="Office Phone" type="text" visible="yes" editable="yes" validationFormat=""
  example="Include your area code, such as: (212) 555-1234" />

Manager, Assistant, and Secretary Attributes

The Manager, Assistant, and Secretary attributes are special data fields that store object names. For example, in order to select a Manager, the manager must have a user name or contact name in the Active Directory already. These fields are not free-form text fields, but rather lookup fields for users and/or contacts. Active Directory Users and Computers only exposes the Manager attribute for editing, but the Active Directory schema does provide for the Secretary and Assistant fields.

Directory Update allows for one or more of these fields to be enabled. We provide a lookup box where the Directory Update user can type in the first few characters of the person's display name.

Directory Update - Searching for a Manager

There is little-to-no configuration necessary to use these fields other than to enable them to be editable via the DirectorySettings.XML file.

<manager label="Manager" type="text" visible="yes" editable="yes" />

There is one notable exception, though. If you have more than one domain in your forest, by default the lookup fields only query a single domain. Therefore you must enable global catalog lookups so that you can see the users from the other domains in your forest. This is done in the AppSettings.XML file. The useGlobalCatalog option within the lookupFields tag must be set to "yes".

<lookupFields useGlobalCatalog="yes" showOnlyExchangeEnabledUsers="no" showContacts="yes"
  showDisabledUsers="no" maxResults="20" />

Enabling Windows Login (Single Sign-on)

By default, Directory Update uses a customizable logon form. However, a much more convenient way to use Directory Update is to enable Integrated Windows Authentication (sometimes called single sign-on.)

Edit the Web.Config file and locate the <authentication mode="Forms"> tag. You can find the Web.Config file in the root of the installation folder; by default that is c:\inetpub\wwwroot\directoryupdate. Replace mode="Forms" with mode="Windows". That will enable Integrated Windows Authentication.

Directory Update - Enabling Integrated Windows Authentication

For more information, read our TechNote Enabling Integrated Windows Authentication.

Directory Update has been in continual development since 2006. We release a new version about once every six to nine months. The features and functionality in those new releases reflect customer requests, bug fixes, updates to support new browsers/operating systems, and more.

Note that Directory Update v2.3 requires a new license key. Please contact support(at) if you wish to determine if you're eligible for a free update.

Existing customers cannot just install the new version over the top of the old version. See Upgrading from a Previous Version

Directory Update v2.2 / v2.3

  • Changes to photo upload control so that cropping is now allowed.

  • Photo upload control will now resize rectangular photos based on longest axis; this reduces likelihood of photo being squished or stretched.

  • Maximum source photo size (before resizing) is 2MB but the administrator can override this via the AppSettings.XML file. Once the photo is uploaded, the photo is still only between 5KB and 8KB when stored in the Active Directory.

  • Change Password feature now allows either customized password complexity or the ability to use Microsoft password complexity rules (3 out of 4 character types). This is configurable via the PasswordSettings.XML file.

  • A bug was fixed that prevented a user from updating their security questions when the Directory Password module is enabled.

  • Improved support for IE 9.x/10.x and through Firefox 19.x.

  • Fixes to audit logging (auditing to text file) and now logs that the photo was updated though we don't keep the old photo.

  • Allows "Logoff" and "Help" buttons to be hidden via configuration options in the AppSettings.XML file.

  • AJAX (aka RAD controls) updated to newer version.

Directory Update v2.0 / 2.1

  • Password change functionality - User can change their own password if they know their password.

  • Email notification of changes to the user, user's manager or predefined SMTP address

  • Subsets feature allows for the creation of a parent -> child relationship between two attributes. The values available in the child attribute's dropdown list depend on which value was selected for the parent.

  • Default photo attribute now set to thumbnailPhoto and set to 128 x 128. This is to better align with Microsoft's plans for Outlook 2010 and Microsoft Lync client.
  • Updated support for Internet Explorer 9 and Firefox 4.x

  • Integration with Directory Password v1.0; a separate product that allows a user to unlock their account or reset their password if they have forgotten their password

  • Improved error handling and friendlier messages for common errors.

  • Upgraded to latest version of Telerik RAD / AJAX controls to improve browser compatibility.

Directory Update v1.9

  • File logging / auditing capability allows all changes to be recorded to a text log file.

  • Coded attribute values. When the user selects a specific value (such as city name), a code is stored in the attribute rather than the city name.

  • Support for Internet Explorer 8.0 and Firefox 3.x

  • Allow for use of phone numbers and other attributes with the AddressSets feature.

  • Upgraded code to use Microsoft .NET Framework v3.5

  • Telephone number format validation performed based on rules defined for the country selected.

  • Masked text phone number allows tight formatting of telephone numbers; note that phone number format control via regular expression is still more flexible.

Directory Update v1.6 / v1.7
  • Introduced photo upload capability to either the thumbnailPhoto or jpegPhoto attribute or storing the photo in a URL path. Storing in thumbnailPhoto is strongly advised.

  • AddressSets feature allows a user to select an attribute such as Office and have additional attributes automatically populated such as street, city, state, country.

  • Add additional attributes to user interface options in DirectorySettings.XML file.

  • Doublewide field and multi-line field control available.

  • Auditing (to an attribute such as extensionAttribute11) allows for date/time of change as well as IP address from which the change was made.

  • Multi-domain support - A single installation of Directory Update can support more than one domain in the same forest.

  • UPN name logon support and Integrated Windows Authentication (aka Single Sign-on).

We have tried hard to make Directory Update as functional and feature rich as possible while ensuring that the product remains affordable and simple to install. Inevitably, though, some organizations may require some specialized features that we do not support. We want you to understand the limitations of our products so that you can make sure you are buying the right solution for your company. The following are some of the limitations that we are occasionally asked about.

  • The IIS server on which Directory Update is installed must be in the same forest as the users that will use Directory Update.

  • We do not automatically enable SSL / HTTPS; you must do this for your IIS servers.

  • Active Directory was designed to store fairly small amounts of data that does not change frequently. Storing paragraphs of data in Active Directory may not be practical. Most attributes store 1KB of data or less but the phone number and title fields may hold less than 64 bytes of data. There is nothing that any application can do to get around this.

  • Our data source for drop-down fields is our XML files; we do not have a mechanism for connecting to external databases. We cannot use the existing data in Active Directory as a validation source for drop-down lists.

  • Directory Update uses a static domain controller name that is configured via the Configuration wizard. We do not dynamically discover domain controllers in the local site.

  • We design and test our applications with specific browsers (such as IE 8, IE 9, Firefox 10.x, etc...) Browser updates may break our applications.

  • Directory Update does not allow a user to update other users' information. We have a separate product called Directory Manager that allows an authorized user to update other users' information.

  • We now provide limited support for resource forest usage. Directory Update must be installed in the domain in which the user accounts are created, not in the resource forest. The Resource domain module is an add-on option to Directory Update. Contact support (@) for more information.