also, some of these are OD specific, but, here is a list of directory service related binaries to check out:
dscacheutil dscl dsconfigad dsconfigldap dseditgroup dsenableroot dsexport dsimport dsmemberutil
Kind of depends on what you want/need and what your AD Team and CISO are willing to tolerate.
We use tools from ManageEngine for monitoring and troubleshooting user issues, but for actually managing users, we RDP to a CISO approved hosted VM that has AD tools installed, using elevated credentials, limited access, etc. Field support staff are not allowed to use any other system other than that for user management, and even then there are strict controls and monitoring in place.