Custos
Self-hosted Active Directory account lifecycle and access governance.

The Problem
Managing Active Directory accounts in any organization is surprisingly painful. Creating accounts means following naming conventions, assigning the right groups, setting expiry dates, uploading NDAs — all manually. When someone leaves, you hope the offboarding checklist was followed. Over time, accounts drift: people end up in groups they shouldn't be in, naming conventions get inconsistent, and nobody really knows who has access to what anymore.
Most tools that solve this are enterprise-grade, expensive, and require deep integration with Windows infrastructure. I wanted something lightweight that just works — no domain join, no PowerShell, no agents on domain controllers.
What Custos Does
Custos handles the full lifecycle of AD accounts: creating them, modifying them, and offboarding them. Every change goes through a plan-and-confirm flow — you see exactly what will change before anything is written to Active Directory. Everything is logged with before/after snapshots, so there's always a clear audit trail.
Beyond basic account management, Custos continuously scans for compliance issues. It checks whether accounts follow your naming rules, flags expired passwords, detects people in groups they shouldn't be in, and tracks missing NDAs. When it finds a problem, it gives you a one-click fix.
Why I Built It
Working in critical infrastructure, I saw firsthand how messy AD management gets at scale. Teams were maintaining spreadsheets to track account states, manually cross-referencing group memberships, and relying on tribal knowledge for naming conventions. It was error-prone and time-consuming.
I built Custos to replace all of that with a single tool that enforces consistency automatically. It runs as a Linux container, talks to AD over LDAP, and stores its own state in PostgreSQL. No Windows dependencies, no complex setup — just docker compose up and connect to your directory through the setup wizard.
Key Capabilities
- Automated naming — define templates for usernames, display names, and email addresses. Custos generates them consistently and handles collisions automatically.
- Compliance scanning — continuously checks all accounts against your rules and surfaces drift before it becomes a security issue.
- Bulk provisioning — import a CSV of new hires and provision all accounts at once, with collision detection across the entire batch.
- Expiry management — set per-account-type expiry policies and get email notifications before accounts expire.
- Full audit trail — every write to AD is recorded. You can always trace who changed what and when.
How It Works
Custos connects to your Active Directory over LDAP or LDAPS — no agents, no domain join. You define your account types (employees, contractors, service accounts, etc.), each with its own naming scheme, group memberships, custom fields, and policies. From there, the UI guides you through every operation with a clear diff view before any change is committed.
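The drift scan and plan-and-confirm flow described above, as an added example that is not Custos's own code: an in-memory dict stands in for the LDAP directory, and the policy shape, the `nda_on_file` attribute and the sample account values are constructed.

```python
# Added example (not Custos code): scan one AD account for drift, plan a fix as a diff,
# write it only after confirmation, and keep a before/after audit record. Constructed data.
import copy
from datetime import date

G = "OU=Groups,DC=example,DC=test"
POLICY = {"username_template": "{first}.{last}", "nda_required": True,  # constructed "contractor" policy
          "required_groups": {f"CN=Contractors,{G}"},
          "allowed_groups": {f"CN=Contractors,{G}", f"CN=VPN-Users,{G}"}}
TODAY = date(2025, 1, 15)
DN = "CN=Ada Lovelace,OU=Contractors,DC=example,DC=test"

def sample_directory():
    """Constructed account that has drifted: wrong username, one group missing, one extra."""
    return {DN: {"givenName": "Ada", "sn": "Lovelace", "sAMAccountName": "alovelace",
                 "memberOf": [f"CN=VPN-Users,{G}", f"CN=Finance-RW,{G}"],
                 "accountExpires": date(2025, 6, 30), "nda_on_file": True}}

def expected_username(acct, policy):
    return policy["username_template"].format(first=acct["givenName"], last=acct["sn"]).lower()

def scan(acct, policy, today):
    """Compliance findings for one account: naming, group drift, expiry, NDA."""
    findings = []
    if acct["sAMAccountName"] != expected_username(acct, policy):
        findings.append("naming")
    groups = set(acct["memberOf"])
    if policy["required_groups"] - groups:
        findings.append("missing_group")
    if groups - policy["allowed_groups"]:
        findings.append("unexpected_group")
    if acct["accountExpires"] < today:
        findings.append("expired")
    if policy["nda_required"] and not acct.get("nda_on_file"):
        findings.append("missing_nda")
    return findings

def plan_fix(acct, policy):
    """Compute remediated naming and groups without writing; return {attr: (old, new)}."""
    after = copy.deepcopy(acct)
    after["sAMAccountName"] = expected_username(acct, policy)
    after["memberOf"] = sorted((set(acct["memberOf"]) | policy["required_groups"]) & policy["allowed_groups"])
    return {k: (acct[k], after[k]) for k in after if acct[k] != after[k]}

def apply_fix(directory, dn, changes, confirmed, actor, audit):
    """Write a planned diff only after confirmation and only if the account is unchanged since planning."""
    current = directory[dn]
    if not confirmed or any(current[a] != old for a, (old, _new) in changes.items()):
        return False  # not confirmed, or stale plan: re-plan instead of writing
    before = copy.deepcopy(current)
    for attr, (_old, new) in changes.items():
        current[attr] = new
    audit.append({"actor": actor, "dn": dn, "before": before, "after": copy.deepcopy(current)})
    return True
```

The stale-plan check in `apply_fix` is the part worth copying: a diff shown to an operator must not be written if the account changed between planning and confirmation.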
The whole thing ships as a single Docker image. First-run setup takes about five minutes: point it at your directory, configure your account types, and you're ready to go.