v2.7.0 · released 30 Jun 2026

The safe, audited Windows GUI for Active Directory — without PowerShell.

Every reset, unlock and disable is written to an HMAC-chained audit log you can verify independently. Runs on your admin workstation. Your credentials never leave your network.

Join the early access waitlist See the audit chain Windows 10/11 · No credit card · Code-signed installer
velauth.exe — connected to dirwarden.local
Velauth — directory overview
Overview · directory health at a glance
100% on-premises
Code-signed installer
No PowerShell required
Tamper-evident audit
RBAC delegation
30-day free trial
Why Velauth

Three things you couldn't trust before — pinned to specific evidence in the product.

01 / Evidence
Shipping · v2.7.0

An audit log you'd actually trust.

Every entry is HMAC-chained to the previous one and signed with a key derived at install. Edit a single row and the verifier breaks.

09:14 password.reset ✓ a4f1·c920
09:18 account.unlock ✓ 9d22·17af
09:22 account.disable ✓ 5e08·44d1
09:26 scope.add ✓ 1c7b·9e60
02 / Safety
On the roadmap · v2.0

Nothing risky happens silently.

Every write will be dry-run, risk-scored, and shown to you before execution. Tier-0 objects will need a second admin to approve.

account.disable → p.chen TIER-0
LOW
MED
HIGH
T-0
requires 2nd approver · 1 of 2 ✓
preview · v2.0 mockup
03 / Permissions
Shipping · v2.7.0

Velauth doesn't ask to be a Domain Admin.

It works within whatever the operator already has in AD. No privilege escalation. No cached credentials. No service account.

Domain Admin
Schema Admin
Cached credentials
Operator's AD rights
The audit chain

If a row gets edited, you'll know in 80ms.

Each entry contains the previous entry's HMAC. Delete a row, edit a timestamp, or splice in something that never happened — the chain breaks and Velauth.AuditVerifier will tell you exactly where.

HMAC-chained, install-derived signing key
Operator · target · action · risk · before/after — every entry
Filter by operator, target, action, risk band, date range
One-click PDF export for auditors
Standalone verifier CLI — run it from your compliance pipeline
$ Velauth.AuditVerifier --log .\audit.vlog
reading entries… 14,302 found
verifying HMAC chain…
✓ chain intact — 14,302 / 14,302 entries verified in 78ms
first entry: 2026-01-04T09:14:02Z   last: 2026-05-23T17:41:08Z
velauth.exe — connected to dirwarden.local
Audit Log — filter by operator, target, action, risk band, date range
Audit Log · filter by operator, target, action, risk band, date range
Confirm: bulk password reset
preflight · 47 targets · dry-run complete
Tier-0
targets47 users · OU=Sales, OU=Sales/EMEA
actionreset password + force change at next login
will affect3 users in 'Domain Admins' ⚠
est. time~1.4s per user · ~66s total
LOW
MED
HIGH
T-0
This action affects Tier-0 objects. A second admin must confirm. (1 / 2 approved)
Preflight & risk scoring
Coming · v2.0 · Q4 2026

See exactly what will change — before it changes.

In v2.0, every write will run a dry-run first. Velauth will show you the diff, score the risk Low · Medium · High · Tier-0, and ask you to confirm. For Tier-0 objects, a second admin will have to confirm too.

Dry-run preflight against your live AD
Before/after diff shown inline
Two-human gate on Tier-0 (Domain Admins, Schema Admins)
Global Safety Lock puts the whole app in read-only · shipping now
The mockup on the left is a preview of the v2.0 confirmation dialog. Pilot customers see it first.
A tour through the product

What you actually look at all day.

Browse OUs. Filter by password age, expiry, lockout, last login. Save filters as named scopes.

velauth.exe — connected to dirwarden.local
Velauth user list — browse OUs, filter by password age, expiry, lockout, last login
RBAC delegation

Give the helpdesk a key, not a master key.

Scope a role to "unlock accounts and reset passwords — nothing else." The junior tech sees a narrowed UI; they never need Domain Admin to do their job.

Role-based scoped UI per operator
Hide entire pages from delegated roles
Block specific actions even if AD would allow them
Every action still goes to the chained audit log
Capability Helpdesk IT Lead Auditor
Reset password
Unlock account
Disable account
Modify Tier-0 user
View audit log
Export PDF report
Toggle Safety Lock
Pricing

Per admin seat. Not per AD user.

You only pay for the people using Velauth — not the thousands of accounts in your directory.

Solo
For the one-person IT shop.
$19 / admin / month
billed annually · prepaid
  • 1 admin seat
  • 1 AD domain
  • Full audit chain + PDF reports
  • Email support · 48-hour response
Join waitlist
From v2.5 · Q1 2027
MSP
For multi-tenant operators.
$79 / admin / month
billed annually · prepaid
  • Everything in Team
  • Workspace isolation per client
  • Fleet dashboard
  • Per-tenant audit log exports
  • Named Customer Success Manager
Join MSP waitlist
· Prices exclude VAT · 30-day money-back guarantee · Code-signed installer · Source escrow available on Team & above
Enterprise · SaaS β · Q2 2027

Centralised SaaS UI with an on-prem connector. Private beta opens Q2 2027.

SSO via Entra ID. Your AD stays on-prem; the UI lives in the cloud.

Early access

Get in before launch. Early access members get the first 3 months free.

Join the waitlist. We notify you the day Velauth is ready for your environment — and early access members get a discount that doesn't expire.

Join the waitlist
Roadmap

Where we're going. Dates are targets, not commitments.

Pilot customers get every release free for 6 months.

Today
v1.x
SMB desktop
  • Users, scoping, passwords
  • HMAC-chained audit log
  • RBAC delegation
  • Global Safety Lock (read-only)
Q4 2026
v2.0
Safety, groups & Entra ID
  • Preflight & risk scoring
  • Tier-0 second-approver gate
  • Group management + GPO drift
  • Entra ID / Azure AD parity
Q1 2027
v2.5
MSP multi-tenant
  • Workspace isolation per client
  • Fleet dashboard
  • Per-tenant audit exports
Q2 2027
v3.0β
SaaS UI + on-prem connector
  • Web UI, SSO via Entra ID
  • On-prem connector agent
  • Private beta
Not planned · Mac or Linux support · Cloud-only AD (no on-prem)
Questions

Answers, in the same voice we use in the docs.

Still stuck? Email [email protected].

Does Velauth need cloud access to my AD?

No. It runs entirely on your Windows admin workstation. Your credentials never leave your machine.

How is the audit log tamper-evident?

Each entry is HMAC-chained to the previous one with a key derived at install. The Velauth.AuditVerifier CLI confirms the chain is intact. If a single entry has been edited or deleted, the verifier will detect it.

What permissions does Velauth need on AD?

Whatever the operator already has. We don't escalate privileges or cache credentials.

Can helpdesk staff use it without being Domain Admin?

Yes. RBAC delegation gives them a scoped UI; the AD permissions are whatever you've already granted them in AD.

Do you support Entra ID / Microsoft 365?

Not yet. Coming in v2.0 (Q4 2026).

What happens after the 30-day trial?

The app continues in read-only mode — you can still view and export data, but writes are blocked until you activate a licence. No data is deleted.

Is there a money-back guarantee?

Yes. 30 days from purchase, no questions asked.

Do you support Mac or Linux?

No. Velauth is Windows-only. A web-based version that works cross-platform is on the roadmap for v3.0β (Q2 2027).

Early access

Be first to know when Velauth is ready for your environment.

Leave your email. We notify you the day it ships — no noise in between. Early access members get the first 3 months free and a discount that doesn't expire.

No spam. One email when it ships, one when we need feedback. That's it. By joining you agree to our Privacy Policy.

✓ Code-signed installer ✓ Windows 10 & 11 ✓ 100% on-premises ✓ No credit card ever asked