Modern Active Directory administration without MMC sprawl.
Users | Computers | Groups | OU Scoping
Canopy is a Windows-native desktop app for everyday Active Directory administration. It gives you one fast interface for browsing users, computers, groups, directory structure, and on-demand security or hygiene reports without bouncing between legacy consoles all day.
Built with Tauri 2, React 19, TypeScript, and Rust. Windows only. Powered by integrated Windows authentication for reads and explicit elevation for writes.
- Browse users, computers, and groups with search, filters, sorting, and paging
- Open detailed object views without leaving the main workflow
- Use OU scoping to limit what the app surfaces
- Jump anywhere quickly with the command palette
- Read operations use the current Windows session
- Write operations require explicit elevation
- Passwords are never persisted
- Backend PowerShell input is sanitized before execution
- Report types are backend-allowlisted
- Dashboard cards drill into the exact users, reports, groups, or computers behind the metric
- Reports are organized into security, identity, device, and group sections so larger catalogs stay easy to scan
- Reports cover locked accounts, privileged accounts, stale privileged accounts, service accounts, delegation, SPN exposure, SIDHistory, old passwords, stale computers, outdated OS versions, empty groups, large groups, nesting depth, and more
- Launch-at-startup support is built into Settings
- Manual refresh is scoped so you can pull live directory state without reloading everything
- Desktop app, not a browser wrapper pretending to be an admin console
- Lazy-loaded routes and chart views for better perceived performance
- Connection-scoped local caching with bounded TTLs for fast repeat use without staying stale all day
- Keyboard-friendly navigation patterns throughout the UI
| Requirement | Notes |
|---|---|
| OS | Windows 10 or Windows 11 |
| Directory environment | Domain-joined machine with Active Directory access |
| PowerShell | Windows PowerShell 5.1 or later |
| RSAT | Active Directory module must be installed |
| Runtime | WebView2 |
| Dev tooling | Node.js 20+, npm 10+, Rust stable |
Install RSAT if needed:
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0Download Canopy v1.0.3 directly:
- Install on a Windows machine with WebView2, RSAT AD tools, and line-of-sight to your directory environment.
- Launch Canopy and connect with integrated Windows authentication for reads.
- Use the elevation prompt only for write actions like password resets, unlocks, group membership changes, and object moves.
npm install
cargo check --manifest-path src-tauri/Cargo.toml
npm run tauri:devnpm run tauri:buildBuild artifacts are generated under src-tauri/target/release/bundle/.
- Tauri 2
- React 19
- TypeScript
- Rust
- TanStack Query
- TanStack Table
- Zustand
- Radix UI
.
├── src/ # React application
├── src-tauri/ # Tauri + Rust backend
├── docs/ # Project documentation
├── .github/ # CI and community templates
├── package.json # Frontend scripts and metadata
└── README.md
Canopy is intentionally split between low-friction reads and explicit writes:
- Read operations use the current Windows session
- Write operations require an elevation prompt
- Passwords are used per operation and are not stored
- Input is sanitized before PowerShell command construction
- The shared read worker falls back to isolated execution on failure
- Cached query data is scoped to the connected domain, server, and user context
Read more in docs/security-model.md and SECURITY.md.
Contributions welcome! See CONTRIBUTING.md for setup instructions and guidelines.
MIT © LoserLabs