{"id":48223652,"url":"https://github.com/rwx-g/dspanel","last_synced_at":"2026-04-26T11:01:26.902Z","repository":{"id":344273460,"uuid":"1177683975","full_name":"Rwx-G/DSPanel","owner":"Rwx-G","description":"Active Directory support and administration tool for Windows - adaptive UI from read-only lookups to full domain admin.","archived":false,"fork":false,"pushed_at":"2026-03-29T08:52:54.000Z","size":11030,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-04T20:26:02.598Z","etag":null,"topics":["active-directory","cross-platform","desktop-app","directory-management","kerberos","ldap","react","rust","sysadmin","sysops","tauri","typescript","windows-administration"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Rwx-G.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-10T09:12:18.000Z","updated_at":"2026-03-29T08:48:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Rwx-G/DSPanel","commit_stats":null,"previous_names":["rwx-g/dspanel"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/Rwx-G/DSPanel","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rwx-G%2FDSPanel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rwx-G%2FDSPanel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rwx-G%2FDSPanel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rwx-G%2FDSPanel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Rwx-G","download_url":"https://codeload.github.com/Rwx-G/DSPanel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Rwx-G%2FDSPanel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32294591,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T09:34:17.070Z","status":"ssl_error","status_checked_at":"2026-04-26T09:34:00.993Z","response_time":129,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","cross-platform","desktop-app","directory-management","kerberos","ldap","react","rust","sysadmin","sysops","tauri","typescript","windows-administration"],"created_at":"2026-04-04T19:16:21.106Z","updated_at":"2026-04-26T11:01:26.893Z","avatar_url":"https://github.com/Rwx-G.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/logo.png\" alt=\"DSPanel\" width=\"120\"\u003e\n  \u003ch1 align=\"center\"\u003eDSPanel\u003c/h1\u003e\n  \u003cp align=\"center\"\u003eActive Directory support and administration tool for Windows, macOS, and Linux - lightweight native binary (~10 MB), no subscription, no agent.\u003c/p\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Rust-2024-orange.svg\" alt=\"Rust\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Tauri-v2-blue.svg\" alt=\"Tauri\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Platform-Windows%20|%20macOS%20|%20Linux-0078D6.svg\" alt=\"Platform\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Status-v1.0.4-brightgreen.svg\" alt=\"Status\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/Coverage-82%25_Rust_|_87%25_TS-brightgreen.svg\" alt=\"Coverage\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/i18n-EN%20|%20FR%20|%20DE%20|%20ES%20|%20IT-blueviolet.svg\" alt=\"i18n\"\u003e\n\u003c/p\u003e\n\n---\n\n## Overview\n\nDSPanel is an open source cross-platform desktop application (Rust/Tauri v2) that unifies the entire Active Directory support chain into a single tool. It dynamically adapts its interface based on the AD permissions of the current user, covering everything from read-only lookups to full domain administration.\n\n### Why DSPanel?\n\n- **No subscription** - Apache 2.0, self-hosted, zero telemetry\n- **Cross-platform** - native Rust/Tauri binary, runs on Windows, macOS, and Linux\n- **Compliance-ready** - 9 frameworks (GDPR, ANSSI, NIS2, CIS v8...) with PowerShell remediation built-in\n- **Adaptive** - UI automatically adjusts to the user's AD permissions (read-only to domain admin)\n- **Multilingual** - 5 languages (EN, FR, DE, ES, IT) with runtime switching\n\n![DSPanel Overview](docs/screenshots/overview.png)\n\n## Features\n\n### Directory\n\n- **User Lookup** - Search accounts, view detailed info, healthcheck badges, group memberships, advanced attributes editor\n- **Computer Lookup** - Search and browse computer accounts with OS info, last logon, health badges\n- **User Comparison** - Side-by-side comparison with visual group delta (shared / only A / only B)\n- **Group Management** - Tree/flat views, drag-and-drop membership, scope/category badges\n- **Group Hygiene** - Detect empty, single-member, stale, undescribed, circular, deeply nested, and duplicate groups\n- **Bulk Operations** - Add/remove members, clone, merge, move, create groups from CSV\n- **Contact \u0026 Printer Management** - Browse, search, and edit AD contacts and printers with inline editing\n- **NTFS Permissions Audit** - Cross-reference UNC path permissions with AD groups for two users\n\n![User Lookup](docs/screenshots/user-lookup.png)\n\n### Workflows\n\n- **Onboarding Wizard** - Guided user creation with declarative presets (JSON)\n- **Offboarding Wizard** - Disable, remove groups, reset password with preset support\n- **Preset Management** - Shared preset files on network storage with integrity checking\n- **Automated Cleanup** - Rules-based detection (inactive, never logged on, disabled) with dry-run, double confirmation for deletes, and service account exclusion\n- **AD Recycle Bin** - Browse and restore deleted objects with type filtering and OU picker\n- **Move Objects** - Move users, computers, groups, contacts, printers between OUs with dry-run preview\n\n### Support Actions\n\n- **Password Reset** - Reset with secure password generation (HIBP breach check)\n- **Account Unlock / Enable / Disable** - One-click with confirmation\n- **Password Flags** - Toggle \"Password Never Expires\" and \"User Cannot Change Password\"\n- **User Photos** - View, upload (auto-resize to 96x96), and remove AD thumbnail photos\n- **Password Generator** - Configurable length, character sets, pronounceable mode, HIBP check\n- **Object Snapshots** - SQLite-backed attribute snapshots before every write, with diff viewer and restore\n\n### Infrastructure\n\n- **DC Health Checks** - 7 cross-platform checks per DC (DNS, LDAP, SPNs, replication, SYSVOL/DFSR, clock skew, machine account), FSMO roles, functional level\n- **Replication Monitoring** - Partnership table with latency, error tracking, USN data, and force-replication via repadmin\n- **DNS \u0026 Kerberos Validation** - SRV record validation via AD DNS (cross-platform, hickory-resolver), clock skew detection\n- **AD Topology** - Site/DC/replication/site-link overview with per-DC details (IP, OS, roles, online status, subnets)\n- **GPO Viewer** - GPO links per user/computer/OU with effective order, scope report, enforcement and WMI filter status\n- **Workstation Monitoring** - Real-time CPU, memory, disk, sessions, and services monitoring on remote workstations\n\n![Infrastructure Health](docs/screenshots/infrastructure-health.png)\n\n### Security\n\n- **Privileged Accounts Audit** - Admin group members with 12 security checks per account (Kerberoastable, AS-REP Roastable, Protected Users, SIDHistory, delegation, etc.), domain findings (KRBTGT age, LAPS coverage, PSO), CSV/HTML export\n- **Domain Risk Score** - Security posture scoring (0-100) with 9 weighted factors and ~70 checks, SVG gauge + radar chart, per-finding CIS/MITRE references, remediation with complexity scoring, 30-day trend, HTML report export\n- **Attack Detection** - On-demand Windows Security Event Log analysis for 14 attack types (Golden Ticket, DCSync, Kerberoasting, Pass-the-Hash, etc.) with structured XML parsing and MITRE ATT\u0026CK mapping\n- **Escalation Paths** - Privilege escalation path analysis with 5 node types, 8 edge types (membership, delegation, RBCD, SIDHistory, ADCS, GPO), and weighted Dijkstra path-finding\n- **Compliance Reports** - 7 checks across 9 frameworks (GDPR, HIPAA, SOX, PCI-DSS v4.0, ISO 27001, NIST 800-53, CIS v8, NIS2, ANSSI) with per-framework scoring, control references, and remediation PowerShell commands\n- **MFA Gate** - TOTP verification for sensitive operations (password reset, account disable, etc.)\n- **Audit Trail** - Full internal action logging for compliance with export support\n\n![Risk Score](docs/screenshots/risk-score.png)\n\n### Exchange\n\n- **Exchange On-Prem** - Read-only mailbox info from LDAP attributes (msExch*): primary SMTP, aliases, forwarding, delegates\n- **Exchange Online** - Mailbox quota usage, auto-reply status, delegates via Microsoft Graph API with token caching\n\n### Settings \u0026 UX\n\n- **Application Settings** - Centralized settings (Connection, Presets, Permissions, Security, Reports, Appearance)\n- **Custom Permission Mapping** - Map AD security groups to DSPanel permission levels via UI\n- **Auto-Update Notifications** - GitHub Releases API check with Download, Skip, Remind Me Later\n- **i18n** - Full localization in 5 languages: English, French, German, Italian, Spanish (1709 keys)\n- **Theme** - Light, Dark, and System theme with live preview\n- **Login Prompt** - Password prompt at startup when credentials are partially configured\n\n![Settings](docs/screenshots/settings.png)\n\n## Adaptive Permissions\n\nThe UI adapts dynamically based on the running user's AD permissions. Detection uses three strategies (highest wins):\n\n1. **SID-based** - automatic detection of well-known AD groups (Domain Admins, Account Operators, etc.) via RID matching - works in any AD locale\n2. **Probe-based** - tests effective permissions via `allowedAttributesEffective` and `allowedChildClassesEffective` - detects delegated permissions without requiring specific group membership\n3. **Custom groups** - optional AD group-to-level mapping configurable in Settings \u003e Permissions\n\n| Level               | Access                                                |\n| ------------------- | ----------------------------------------------------- |\n| **ReadOnly**        | Lookup, view, export                                  |\n| **HelpDesk**        | + Password reset, unlock, diagnostics                 |\n| **AccountOperator** | + Group management, presets, onboarding/offboarding   |\n| **Admin**           | + Delete/move objects, create users                   |\n| **DomainAdmin**     | + Built-in/sensitive objects, infrastructure           |\n\n## Requirements\n\n- Windows 10/11, macOS 12+, or Linux (x64)\n- Network access to an Active Directory domain\n- (Optional) Azure AD App Registration for Entra ID / Exchange Online features\n\n### Authentication\n\nDSPanel supports two authentication modes:\n\n| Mode | When | How |\n| ---- | ---- | --- |\n| **GSSAPI (Kerberos)** | Domain-joined machine | Automatic - uses current user's ticket |\n| **Simple Bind** | Non-domain machine or explicit credentials | Set `DSPANEL_LDAP_SERVER` + `DSPANEL_LDAP_BIND_DN` env vars. Password is prompted at startup (recommended) or set via env var (not recommended) |\n\n### Event Log Permissions (Attack Detection)\n\nAttack Detection reads the Windows Security Event Log on the target DC remotely. Two prerequisites:\n\n1. The account must be a member of **Event Log Readers** on the DC\n2. The **Remote Event Log Management** firewall rule must be enabled on the DC:\n   ```\n   netsh advfirewall firewall set rule group=\"Remote Event Log Management\" new enable=yes\n   ```\n\n## Installation\n\n### Portable (Windows)\n\nDownload the latest release from [GitHub Releases](https://github.com/Rwx-G/DSPanel/releases), extract, and run `DSPanel.exe`.\n\n### Installers\n\n- **Windows**: `.msi` or `.exe` installer\n- **macOS**: `.dmg`\n- **Linux**: `.deb`, `.AppImage`, `.rpm`\n\n## Building from Source\n\n### Prerequisites\n\n- [Rust](https://rustup.rs/) (latest stable)\n- [Node.js](https://nodejs.org/) (v20+) with [pnpm](https://pnpm.io/)\n- OS-specific dependencies (see [Tauri prerequisites](https://v2.tauri.app/start/prerequisites/))\n\n### Build\n\n```bash\ngit clone https://github.com/Rwx-G/DSPanel.git\ncd DSPanel\npnpm install\npnpm tauri build\n```\n\n### Dev mode\n\n```bash\npnpm tauri dev\n```\n\n## Configuration\n\n### LDAP Connection\n\nBy default, DSPanel uses **GSSAPI (Kerberos)** authentication on the current user's domain. For environments requiring explicit credentials:\n\n| Variable | Description | Default |\n| -------- | ----------- | ------- |\n| `DSPANEL_LDAP_SERVER` | LDAP server hostname or IP. Supports `ldaps://` and `ldap://` prefixes. | Auto-detected from `USERDNSDOMAIN` |\n| `DSPANEL_LDAP_BIND_DN` | Bind DN for simple bind (e.g. `CN=svc,CN=Users,DC=corp,DC=local`) | GSSAPI |\n| `DSPANEL_LDAP_BIND_PASSWORD` | Password for simple bind. If omitted (with SERVER and BIND_DN set), DSPanel prompts at startup. | GSSAPI / prompt |\n| `DSPANEL_LDAP_USE_TLS` | Enable LDAPS (implicit TLS on port 636). Set to `true` or `1`. | `false` |\n| `DSPANEL_LDAP_STARTTLS` | Enable StartTLS (upgrade plaintext on port 389). | `false` |\n| `DSPANEL_LDAP_CA_CERT` | Path to a custom CA certificate file (PEM or DER). | System store only |\n| `DSPANEL_LDAP_TLS_SKIP_VERIFY` | **Dev only.** Skip TLS certificate verification. Never use in production. | `false` |\n\n**Examples:**\n\n```bash\n# LDAPS with login prompt (recommended for non-domain machines)\nDSPANEL_LDAP_SERVER=dc01.corp.local\nDSPANEL_LDAP_BIND_DN=\"CN=DSPanel-Svc,CN=Users,DC=corp,DC=local\"\nDSPANEL_LDAP_USE_TLS=true\n# Password will be prompted at startup\n\n# LDAPS with password in env var (CI/automation only - not recommended)\nDSPANEL_LDAP_SERVER=dc01.corp.local\nDSPANEL_LDAP_BIND_DN=\"CN=DSPanel-Svc,CN=Users,DC=corp,DC=local\"\nDSPANEL_LDAP_BIND_PASSWORD=\"s3cur3!\"\nDSPANEL_LDAP_USE_TLS=true\n```\n\n### Microsoft Graph (Exchange Online)\n\nConfigure in Settings \u003e Connection \u003e Graph Settings. Requires an Azure AD App Registration.\n\n**Required permissions** (Application type, admin consent required):\n\n| Permission | Type | Purpose |\n| ---------- | ---- | ------- |\n| `Mail.Read` | Application | Read mailbox settings, folder sizes |\n| `User.Read.All` | Application | Read user profiles, proxy addresses |\n| `Reports.Read.All` | Application | Read mailbox usage reports (real quota) |\n\nThe client secret is stored in the OS credential store (Windows Credential Manager, macOS Keychain, Linux Secret Service).\n\n## Testing\n\n### Unit tests\n\n```bash\n# Frontend (2089 tests, 87% coverage)\npnpm test\n\n# Rust (1520 tests, 82% coverage)\ncargo test --manifest-path src-tauri/Cargo.toml --lib\n```\n\n### Coverage reports\n\nCoverage is generated automatically by CI on every PR (GitHub Actions Summary + downloadable LCOV artifacts). To generate locally:\n\n```bash\n# Frontend\npnpm exec vitest run --coverage\n\n# Rust (requires cargo-llvm-cov)\ncargo llvm-cov --manifest-path src-tauri/Cargo.toml --lib\n```\n\n### Integration tests (Real AD - not in CI)\n\nIntegration tests run against a real Active Directory domain with replication (2 DCs). They are **not part of CI** - they require a lab environment. All 45 tests are validated manually before each release.\n\n**Lab setup:**\n\n1. 2x Windows Server 2022 VMs (Hyper-V, Internal switch)\n2. Promote both to DCs in the same domain with AD replication\n3. Populate with [BadBlood](https://github.com/davidprowe/BadBlood) for realistic data\n4. Create three test accounts: `TestReadOnly` (standard user), `TestOperator` (Account Operators), `TestAdmin` (Domain Admins + Enterprise Admins)\n\n**Test coverage (45 tests):**\n\n| Category | Tests | Permission | Operations |\n| -------- | ----- | ---------- | ---------- |\n| Read | 27 | ReadOnly | Search, browse, schema, OU tree, nested groups, replication metadata, contacts, printers, recycle bin, rootDSE, RID resolution, configuration, permissions probe, topology, DC health |\n| Write | 7 | AccountOperator | Create/delete groups, add/remove members, move objects, modify attributes, update managedBy, set password flags, create/delete contacts |\n| Admin | 6 | DomainAdmin | Password reset, unlock, disable/enable accounts, create/delete users, thumbnail photos |\n| Resilience | 1 | ReadOnly | Connection pool stability after idle |\n| DC Health | 4 | DomainAdmin | Single DC check, multi-DC check, replication partnerships, topology |\n\n**Running:**\n\n```bash\nexport DSPANEL_LDAP_SERVER=\u003cdc1-ip\u003e\nexport DSPANEL_LDAP_BIND_DN=\"CN=TestAdmin,CN=Users,DC=example,DC=local\"\nexport DSPANEL_LDAP_BIND_PASSWORD=\"\u003cpassword\u003e\"\n\n# All tests\ncargo test --test ldap_integration -- --nocapture\n\n# By permission level\ncargo test --test ldap_integration -- --nocapture read_\ncargo test --test ldap_integration -- --nocapture write_\ncargo test --test ldap_integration -- --nocapture admin_\n```\n\n## Project Structure\n\n```\nDSPanel/\n  src/              # Frontend (React + TypeScript)\n  src-tauri/        # Backend (Rust + Tauri v2)\n    src/            # Rust source code\n    Cargo.toml      # Rust dependencies\n    tauri.conf.json # Tauri configuration\n  docs/             # Project documentation\n  .github/          # CI/CD workflows, issue templates\n```\n\n## Documentation\n\n- [Product Requirements (PRD)](docs/prd.md) - Functional/non-functional requirements, epics, stories\n- [Architecture](docs/architecture.md) - Tech stack, data models, components, workflows\n- [Localization](docs/architecture/localization.md) - i18n guide for adding languages and translation keys\n\n## Contributing\n\nContributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) before submitting a pull request.\n\n## License\n\nThis project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frwx-g%2Fdspanel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frwx-g%2Fdspanel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frwx-g%2Fdspanel/lists"}