Active Directory

How can we improve Active Directory in Windows Server?

• Port Active Directory Module to PowerShell Core and Make Cross Platform

  Active Directory is used for more than just Windows environments. Traditionally, scripting languages such as Python have been used in the Linux space to perform automation against Active Directory. Now that PowerShell Core 6.0.X is GA, it would be great if the Active Directory module could be ported to be compatible with PowerShell Core and made cross-platform compatible. This would enable PowerShell-based Active Directory management and automation possibilities from Linux, Mac, and IoT in addition to Windows.

  Currently, PSSnapin dependencies in the AD module make it impossible to use in PowerShell Core. This leaves AD as one of the…

  121 votes · 2 comments · Management Tools
• Remove 'This will clear your current search result' in Find ...

  When we type a computer name in the search field in 'Active Directory Users and Computers' Find ... and forget to change to 'computer', then when we change it to computer it clears the name box, with the message 'This will clear your current search result'. Why? This has been bugging me for many, many years... so this is my user voice :-)

  I would like this behavior to change. Maybe just not clear the box, say nothing, and just change to computer.

  Or there could be an option to have the search field be custom and remember…

  15 votes · 3 comments · Management Tools
• Allow token signing and decryption on a per-relying party basis

  Currently ADFS only signs tokens with the primary token-signing certificate. This makes renewing the certificate difficult if an organization has many relying party trusts configured, as the swap has to be coordinated with multiple vendors.

  Please allow the signing certificate to be configured on a per-relying party basis. This would allow each relying party to migrate to the new certificate on their own schedules, as opposed to a single "big bang" approach.

  3 votes · 1 comment · ADFS
• GPO: turn off Microsoft consumer features on all SKUs

  Please make the GPO object for "Turn off Microsoft consumer features" work on all SKUs, not just Enterprise and Education. I am in education but we have been buying Pro SKUs as we did not know about this garbage limitation, which makes no sense. Removing the Xbox app and other preloaded nonsense is necessary no matter the SKU. If it can join a domain this should just work. Yes, there are scripts to do this, but given it's supported in "some" SKUs this should not be necessary.

  Tom

  3 votes · 0 comments · Bug
• Support empty PSCredential with ActiveDirectory module cmdlets

  The PowerShell ActiveDirectory module cmdlets do not properly check for [System.Management.Automation.PSCredential]::Empty in the Credential parameter. If an Empty PSCredential is passed to one of the cmdlets, the result is a NullReferenceException. Instead, it should default to the current logged-in user like when the Credential parameter is omitted.

  This is particularly useful when writing our own functions with an optional Credential parameter which call various AD cmdlets.

  1 vote · 0 comments · Management Tools
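A wrapper function that sidesteps the crash the post describes, written here as an added example rather than code from the post or from the ActiveDirectory module. It assumes the ActiveDirectory module is loaded and uses a constructed account name; the guard forwards -Credential to Get-ADUser only when a real credential was supplied, so PSCredential::Empty behaves like an omitted parameter.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# 'jdoe' is a constructed account name.
function Get-UserAccountSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        # Optional credential; defaults to the Empty singleton, the usual idiom for
        # "run as the current user" in wrapper functions.
        [Parameter()]
        [System.Management.Automation.PSCredential]
        $Credential = [System.Management.Automation.PSCredential]::Empty,

        [Parameter()]
        [string]$Server
    )

    # Build a splat containing only the parameters that should reach Get-ADUser.
    $adParams = @{
        Identity   = $SamAccountName
        Properties = 'Enabled', 'LastLogonDate', 'PasswordLastSet'
    }
    if ($Server) { $adParams['Server'] = $Server }

    # Guard: PSCredential::Empty is a static singleton, so a reference comparison is
    # enough. Only a real credential is forwarded; Empty is treated as "not supplied",
    # which avoids the NullReferenceException inside the AD cmdlet.
    if ($Credential -and
        $Credential -ne [System.Management.Automation.PSCredential]::Empty) {
        $adParams['Credential'] = $Credential
    }

    Get-ADUser @adParams |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}

# Both calls run as the current logged-in user and take the same code path.
Get-UserAccountSummary -SamAccountName 'jdoe'
Get-UserAccountSummary -SamAccountName 'jdoe' `
    -Credential ([System.Management.Automation.PSCredential]::Empty)
```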
• Set the default on a Windows trust to allow AES encryption for Kerberos

  Set the default on a Windows trust to allow AES encryption for Kerberos. By default, any trust created between two domains does not allow AES encryption across the trust boundary. This breaks policy application and certain tools that rely on AES encryption (the default encryption type in a modern domain). It would be nice if this was the default setting rather than having to remember to check that in the trust properties.

  1 vote · 0 comments
• Publish ActiveDirectory module to PSGallery

  The Active Directory module is really useful, but a pain to install on a server/computer.
  Current install instructions are these: https://blogs.technet.microsoft.com/ashleymcglone/2016/02/26/install-the-active-directory-powershell-module-on-windows-10/

  I would love the possibility to just do:
  Install-Module "ActiveDirectory" and have everything good to go.

  6 votes · 1 comment · Management Tools
• Ability to navigate PS Provider by Canonical Name

  Ability to navigate the PowerShell provider by Canonical Name and refer to objects using the CN would make working with AD much more natural.

  1 vote · 0 comments · Management Tools
• Add support for synthetic flattening of security groups

  There are way too many "dumb" LDAP implementations out there that simply can't deal with nested group memberships in AD. This makes it really hard to implement well-organized RBAC in AD without a bunch of exceptions for the bad apps.

  You can fool some of them with LDAP_MATCHING_RULE_IN_CHAIN if they give you enough access to configure the filters they're using. But others are simply stuck only caring about the flat list of users returned by the "member" attribute.

  I envision a new constructed attribute on group objects called something like memberFlattened that basically has AD flatten the group member…

  1 vote · 1 comment
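The LDAP_MATCHING_RULE_IN_CHAIN workaround the post refers to, as an added example that is not part of the post. It assumes the ActiveDirectory module and a constructed group DN, escapes the DN before embedding it in the filter, and compares the server-side flattened result with the flat "member" attribute that a nesting-unaware consumer sees.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module;
# the group DN below is constructed.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping so a DN containing \ * ( or ) cannot break the filter.
    # Backslash is replaced first so the later escapes are not double-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-FlattenedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupDistinguishedName
    )

    $dn = ConvertTo-LdapFilterValue -Value $GroupDistinguishedName

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk the
    # nesting chain server-side, so users in nested groups match as well.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    Get-ADUser -LDAPFilter $filter -Properties Enabled |
        Select-Object SamAccountName, DistinguishedName, Enabled
}

# Contrast with the direct "member" attribute: it lists users and nested groups
# one level deep, which is all a flat LDAP consumer ever sees.
$groupDn = 'CN=App-Users,OU=Groups,DC=example,DC=com'   # constructed
$direct  = (Get-ADGroup -Identity $groupDn -Properties member).member
$flat    = Get-FlattenedGroupMember -GroupDistinguishedName $groupDn

"Direct entries in 'member': $(@($direct).Count)"
"Users after flattening:     $(@($flat).Count)"
```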
• SAML <Subject> from AuthnRequest

  Allow RPs to specify a SAML <Subject>. When the RP knows the user, AD FS could then pre-populate the username field on the login page.

  2 votes · 0 comments · ADFS
• Allow AD FS to fall back to Forms-based authentication if Windows Integrated Authentication fails

  Currently, if a browser-based user comes to the AD FS sign-in page, AD FS can only decide whether to use integrated authentication by looking at the browser's user agent string. However, t

  There are cases where not all users arriving at the AD FS sign-in page can perform a Kerberos login - they might be within the IP range of the "internal" part of AD FS (in a split-brain DNS configuration) but the client may not be domain joined for various reasons, for example wireless users using BYOD. For these users Kerberos fails and it falls back to NTLM/Basic auth…

  37 votes · 2 comments · ADFS
• AD FS support for inline registration for Azure MFA

  It would improve the user experience a lot if AD FS supported inline user provisioning for Azure MFA. It is very inconvenient that users have to do this separately, and not in the app.
  E.g. Microsoft Intune has this integrated in the provisioning process.

  Also, the error message for users who are not provisioned is too general and not informative at all.

  More info in the paragraph "Registering users for Azure MFA with AD FS 2016":
  https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa

  2 votes · 0 comments · ADFS
• Add AD Users & Computers user property sheet tab for attributes synced to Azure AD, like proxyAddresses

  When AD users are synced to Azure AD, some attributes like proxyAddresses currently require an on-premises Exchange Server for a friendly management GUI.
  It would be nice to have a tab so we can manage Office 365 email & SIP aliases within AD Users and Computers, instead of using Exchange Server, ADSIEdit, PowerShell, or other utilities.

  1 vote · 0 comments · Management Tools
• Role Based Administration in ADAC

  Nothing has changed about how you manage computers, groups and users in Active Directory since Server 2000. After 17 years ADUC/ADAC feels obsolete. It would be awesome if you could add Role Based Administration, something similar to Just Enough Administration and AD delegation.

  9 votes · 1 comment · Management Tools
• Allow LoL to run in a different forest

  I met a customer today who is managing multiple forests from one admin machine. Currently, LoL does automatic discovery of DCs and NCs in the forest of the "tools" machine only. We need to be able to supply a target forest and credentials, however. Is this something you could implement? TIA.

  1 vote · 0 comments · Lingering Object Liquidator
• Update Active Directory password policies to align with new NIST guidelines

  Now that the new NIST 800-63B guidelines are coming together, can Active Directory be updated to follow some of the guidance in here? Specifically allowing for blacklists of breached or otherwise bad passwords, potentially allowing for a salt to be added to AD password hashes, and rate throttling instead of just account lockout?

  https://pages.nist.gov/800-63-3/sp800-63b.html

  24 votes · 3 comments · Logon, Passwords
• RSAT Tool is not replicating permissions properly

  I had a user who said he could not access an OU in ADUC, and I said well, you should, because you have permission to do so. In RSAT it was showing in the NTFS permissions that he had full rights. In fact, when I went to the DC, he did not have delete permissions.

  So an improvement to the RSAT Tool to match ADUC would be great.

  Thanks,

  Jeff

  6 votes · 0 comments · Management Tools
• Provide a method for merging/splitting Group Policy Objects including GPP

  Provide a tool/method for merging/splitting Group Policy Objects including GPP. Integrate AGPM into the Group Policy Management Console fully and use the same backup and restore format for GPOs.
  Integrate Microsoft Security Compliance Manager / the new Policy Analyzer functionality into the Group Policy Management Console.

  I want to be able to apply the latest security baselines and split and merge GPOs all in one console.

  Provide PowerShell cmdlets for merging and splitting of GPOs including GPP.

  2 votes · 0 comments · Management Tools
• Implement replfix features into Lingering Object Liquidator

  Replfix is currently the only tool that will allow you to compare a DC with a writeable copy of the partition against a GC with a read-only copy of the partition.

  2 votes · 0 comments · Lingering Object Liquidator