title: User Details Page
category: Directory Browser
tags: users, details, attributes, timestamps, uac, groups
priority: Normal
User Details Page
The User Details page provides a comprehensive view of any synchronized user account. Navigate to it by clicking any user in the Directory Browser, or go directly to /admin/directory/user-details/{id}.
Overview Tab
The Overview tab is the default view when you open a user's detail page. It presents the most important identity information at a glance.
Header Section
At the top of the page you will see:
| Element | Description |
|---|---|
| Display Name | The user's full name (e.g., "Jane Smith") |
| Account Status | Visual badge showing Active, Disabled, or Locked |
| Risk Score | Color-coded badge from the AI risk assessment (Low, Medium, High, Critical) |
| Manager | Clickable link that navigates to the manager's own detail page |
Key Information Sections
The Overview tab is divided into several collapsible sections, each grouping related attributes.
Account Information
| Field | AD Attribute | Description |
|---|---|---|
| Username | sAMAccountName | The legacy logon name (e.g., jsmith) |
| User Principal Name | userPrincipalName | The UPN logon format (e.g., jsmith@corp.local) |
| SID | objectSid | Security Identifier, unique across the forest |
| Object GUID | objectGUID | Globally unique identifier for this object |
| Distinguished Name | distinguishedName | Full LDAP path (e.g., CN=Jane Smith,OU=Users,DC=corp,DC=local) |
Contact Information
| Field | AD Attribute |
|---|---|
| Email | mail |
| Phone | telephoneNumber |
| Mobile | mobile |
| Home Phone | homePhone |
| Fax | facsimileTelephoneNumber |
Employment Information
| Field | AD Attribute |
|---|---|
| Department | department |
| Title | title |
| Company | company |
| Division | division |
| Employee ID | employeeID |
| Employee Type | employeeType |
Location
| Field | AD Attribute |
|---|---|
| Street Address | streetAddress |
| City | l |
| State / Province | st |
| Postal Code | postalCode |
| Country | co / c |
| Office | physicalDeliveryOfficeName |
Group Memberships Tab
The Groups tab lists every group the user belongs to. This includes both direct memberships and nested (transitive) memberships when available.
| Column | Description |
|---|---|
| Group Name | Clickable link to the group's detail page |
| Type | Security or Distribution |
| Scope | Domain Local, Global, or Universal |
| Membership | Direct or Nested (inherited through another group) |
Use the search bar within the tab to filter groups by name. This is especially useful for users with dozens or hundreds of group memberships.
Tip: Before conducting an access review, check this tab to understand the full access picture for a user. Nested memberships can grant access that is not immediately obvious.
Manager and Direct Reports
The Overview tab shows the user's manager as a clickable link. If the user manages other people, a Direct Reports section appears listing each report with a link to their detail page. This creates a navigable org chart snippet directly within the directory browser.
If the manager field is empty, IdentityCenter flags this as a potential governance issue. Policies such as "Unresolved Managers" can detect and alert on accounts missing a valid manager assignment.
Active Directory Timestamps
Active Directory stores many timestamps as Windows FILETIME values (a 64-bit integer representing 100-nanosecond intervals since January 1, 1601). IdentityCenter automatically converts these to human-readable dates.
| Attribute | What It Means | Replication Behavior |
|---|---|---|
| lastLogon | Most recent interactive logon | Not replicated -- per domain controller only |
| lastLogonTimestamp | Replicated last logon | Replicated, but may lag up to 14 days |
| pwdLastSet | When the password was last changed | Replicated |
| accountExpires | When the account expires (if configured) | Replicated |
| whenCreated | When the object was created in AD | Replicated |
| whenChanged | When the object was last modified | Replicated |
Note: IdentityCenter displays the more recent of lastLogon and lastLogonTimestamp as the effective "Last Login" value. If both are empty, the user has never logged in interactively.
Special Timestamp Values
| Value Displayed | Meaning |
|---|---|
| Never | The attribute is 0 or not set -- the event has never occurred |
| Never Expires | accountExpires is set to 0 or 9223372036854775807 (max int64) |
| A specific date | The converted FILETIME value |
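The conversion and special-value rules above can be reproduced outside the product when checking raw LDAP exports. This is an added example, not IdentityCenter's own code; the function names and the sample record are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 9223372036854775807)  # 0 or max int64

# Constructed sample record (not real directory data); LDAP returns strings.
SAMPLE_USER = {
    "lastLogon": "133497504000000000",           # 2024-01-15, seen on one DC
    "lastLogonTimestamp": "133485408000000000",  # 2024-01-01, replicated value
    "pwdLastSet": "0",
    "accountExpires": "9223372036854775807",
}


def filetime_to_datetime(value):
    """Convert a FILETIME to an aware UTC datetime; None for 0 or unset."""
    ticks = int(value or 0)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def display_timestamp(value):
    """Render 'Never' for 0 or unset, otherwise the converted date."""
    dt = filetime_to_datetime(value)
    return "Never" if dt is None else dt.strftime("%Y-%m-%d %H:%M UTC")


def display_account_expires(value):
    """accountExpires treats both 0 and max int64 as no expiry."""
    if int(value or 0) in NEVER_EXPIRES:
        return "Never Expires"
    return display_timestamp(value)


def effective_last_login(user):
    """More recent of lastLogon and lastLogonTimestamp; None if both empty."""
    ticks = max(int(user.get("lastLogon") or 0),
                int(user.get("lastLogonTimestamp") or 0))
    return filetime_to_datetime(ticks)


def days_inactive(user, now):
    """Whole days since the effective last login; None if never logged in."""
    last = effective_last_login(user)
    return None if last is None else (now - last).days
```

Because lastLogon is per domain controller, a comparison like this is only as complete as the set of controllers the lastLogon value was collected from.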
User Account Control (UAC) Flags
The UAC section decodes the userAccountControl bitmask attribute into individual, human-readable flags. Each flag is displayed with a status indicator.
| Flag | Hex Value | Meaning |
|---|---|---|
| ACCOUNTDISABLE | 0x0002 | Account is disabled |
| LOCKOUT | 0x0010 | Account is locked out |
| PASSWD_NOTREQD | 0x0020 | No password required |
| NORMAL_ACCOUNT | 0x0200 | Standard user account |
| DONT_EXPIRE_PASSWORD | 0x10000 | Password never expires |
| SMARTCARD_REQUIRED | 0x40000 | Must use smart card to log on |
| TRUSTED_FOR_DELEGATION | 0x80000 | Account trusted for Kerberos delegation |
| NOT_DELEGATED | 0x100000 | Account cannot be delegated |
| USE_DES_KEY_ONLY | 0x200000 | Restrict to DES encryption types |
| DONT_REQ_PREAUTH | 0x400000 | Kerberos pre-authentication not required |
| PASSWORD_EXPIRED | 0x800000 | Password has expired |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | Protocol transition (constrained delegation) |
Security Note: The flags TRUSTED_FOR_DELEGATION (unconstrained delegation) and DONT_REQ_PREAUTH (AS-REP roasting risk) are highlighted as security warnings when present. The AI insights panel calls these out specifically.
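To verify a decoded value by hand, or to sweep an export for the two highlighted flags, the bitmask can be decoded as follows. This is an added example, not IdentityCenter's own code; the function names, account names and sample values are constructed, and the flag table is copied from the one above.

```python
# Bit values exactly as listed in the table above.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags the page says are highlighted as security warnings.
WARNING_FLAGS = {
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_REQ_PREAUTH": "AS-REP roasting risk",
}

# Constructed sample values (not real accounts).
SAMPLE_UAC = {"jsmith": "66048", "svc-legacy": "4260352", "old-app": "524801"}


def decode_uac(value):
    """Return (flag names in ascending bit order, leftover bits not in the table)."""
    value = int(value)  # LDAP returns the attribute as a decimal string
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits are distinct, so sum equals OR
    return names, unknown


def security_warnings(value):
    """Map each warning flag set in value to the reason it is highlighted."""
    names, _ = decode_uac(value)
    return {n: WARNING_FLAGS[n] for n in names if n in WARNING_FLAGS}


def accounts_with_warnings(accounts):
    """Filter a {name: userAccountControl} mapping to accounts with warnings."""
    found = {user: security_warnings(uac) for user, uac in accounts.items()}
    return {user: w for user, w in found.items() if w}
```

Bits that are not in the table are returned as the second value rather than dropped. When reading a domain controller directly, the live LOCKOUT and PASSWORD_EXPIRED state is exposed through the constructed msDS-User-Account-Control-Computed attribute, so those two bits are usually clear in a raw userAccountControl value.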
AI Insights Panel
When Intelligence features are enabled, the right side of the user detail page displays an AI-generated insights panel. The ContextualInsightService computes and displays:
| Insight | Description |
|---|---|
| Inactivity Detection | Days since last login, flagged if over your configured threshold |
| Risk Factors | UAC flags like unconstrained delegation, password never expires, pre-auth not required |
| Privileged Group Analysis | Whether the user is a member of sensitive groups (Domain Admins, Schema Admins, etc.) |
| SPN Analysis | If the user has SPNs registered (Kerberoasting risk for user accounts) |
| Security Recommendations | AI-generated suggestions such as "Consider removing DONT_EXPIRE_PASSWORD" |
The insights panel updates each time the page loads using the latest synced data.
Editing User Attributes
If your AD connection has write-back permissions, you can edit user attributes directly from this page. Click the Edit button to modify fields such as department, title, manager, phone numbers, and more. All changes are written back to Active Directory immediately and logged in the audit trail.
For full details on write-back capabilities, see Object Write-Back.
Next Steps
- Browsing Objects -- Navigate and search your directory data
- Object Write-Back -- Edit AD attributes from IdentityCenter
- Group Details & Management -- Explore group memberships and nesting
- Computer, OU & Other Object Details -- Detail pages for other object types
- Access Reviews -- Review and certify user access
- Policies -- Detect compliance issues automatically
- AI Chat -- Ask questions about this user in natural language