Active Directory

  1. Check the computers option by default in the object types dialog

    When adding objects to an Active Directory group, the Computers option is not checked by default. This will save a lot of clicks if that was checked by default.

    48 votes

    5 comments
  2. Download ADMX Templates no MSI but ZIP

    It would be great to have ADMX Templates not as MSI files but as ZIP files, so you don't need to install them, only extract them. Saves a lot of time for me.

    9 votes

    1 comment  ·  Management Tools
  3. Force select groups to forms authentication in ADFS

    There exists a scenario with ADFS and SSO-based apps (including 365) where there is a common user logged into their PC but they need to access their webmail. However, it detects the logged-in user and wants to leverage WIA. The current workaround is to do a REGEX and push a user agent string to those impacted PCs to not perform WIA, which results in Forms Auth. However, with Microsoft pushing Edge and Chromium going towards client hints, this bandaid is slowly losing its adhesive.

    Ideally it would be nice to specify a group and force them to forms based…

    1 vote

    0 comments  ·  ADFS
  4. Windows Domain Server incorrect-password delay

    One change to security for incorrect password entry that would make it friendlier for the users and more secure against brute-force password attacks would be to use a geometrically increasing delay when a specific number of wrong passwords are entered. The first delay could be one minute, the second 5 minutes, the third 25 minutes, the fourth 125 minutes, etc. Of course this would also involve a time setting for resetting the wrong-password progression after a previous delay. This would make the initial delay for wrong passwords very short for the user, but would increase the time for…

    1 vote

    0 comments  ·  Logon, Passwords
  5. Configure DCPromo to demote the DC

    Configure DCPromo to demote the DC

    1 vote

    1 comment
  6. Import-Module -Name ActiveDirectory ; Get-Help -Name about_ActiveDirectory returns a list of cmdlets, not help info

    When I try to use Get-Help with any of the about_ActiveDirectory* topics, it just gives me a list of cmdlets. Other topics, like about_For or about_Break, work as expected. I had originally thought it was perhaps an interop issue with PowerShell 7 being installed as well, but it happens when I try it on my Domain Controller that has only the PS built in to the server. An example is below:

    PS C:\Windows\system32> Get-Help -Name about_ActiveDirectory

    Name Category Module Synopsis

    Get-ADAuthenticationPolicy Cmdlet ActiveDirectory Gets one or more Active Directory Domain Services authentication policies.
    Get-ADAuthenticationPolicySilo Cmdlet ActiveDirectory Gets one…

    1 vote

    0 comments  ·  Bug
  7. Add -IncludeContainers Parameter to Get-ADOrganizationalUnit cmdlet

    Currently Get-ADOrganizationalUnit does not have the ability to return containers, requiring the use of Get-ADObject with filters to return the appropriate results. Get-ADOrganizationalUnit would be much more useful if it had the ability to retrieve ALL containers that AD objects can be stored in, not just OUs.

    The Exchange PowerShell Get-OrganizationalUnit cmdlet addresses this with an "-IncludeContainers" parameter to have it return both OUs and containers. I think this would be a useful addition to the Get-ADOrganizationalUnit cmdlet as well.

    1 vote

    0 comments  ·  Management Tools
  8. conditional access

    Conditional access manageability should be available in the local Active Directory console also.

    1 vote

    0 comments  ·  Management Tools
  9. Attribute Editor multi-value sorting issue

    When adding values in a multi-value field (such as the serialNumber attribute), the editor sorts by alphabetical order. When adding values via PowerShell, order is the order in which they were inserted.

    The order in which the editor displays is not a filter, but modifies the true order (to where even PowerShell displays them that way). Without this order, the positions are useless. One could use a MV field like a simple one row spreadsheet (using ordering like column positions). The only way to make it useful is by making it a key/value pair (e.g. model:12345), and this basically defeats…

    1 vote

    0 comments  ·  Bug
  10. Active Directory Dark Theme

    When Windows 10 is set to the Dark Theme, change the color of the Active Directory tools on the Server and in the Administrative Tools on Windows 10 to a Dark Theme also!

    13 votes

    0 comments  ·  Management Tools
  11. AD Visual Modelling

    It would be good to see the layout of AD domains, forests, servers and clients(?) as an additional role within AD services to allow a visualisation of the current AD structure.
    Similar to the SQL Database Diagram implementation within SQL Server software.
    Perhaps even an API could be made available to integrate it into documentation tools like Visio.

    4 votes

    0 comments
  12. Build ADFS 2019 Plug-in to allow user authentication requiring Azure MFA to be bypassed when internet access is down

    My company uses O365, AD FS 2016 and Azure AD. Recently our internet provider had repeated outages where the AD FS servers' access to the internet was compromised. This was an unavoidable outage for users on our internal network, but since O365 leveraged Azure MFA in a CA policy, external users could not get to O365 resources because they could not do MFA at ADFS. I want to create a plugin that checks for access to Azure MFA; if it fails, it places a default hardcoded claim in the token package validating MFA but raising a risk factor which will…

    4 votes

    0 comments  ·  ADFS
  13. Add "creatorsName" and "modifiersName" attributes to the schema

    Currently the only possibility to check the time and creator of a user is to check the audit logs for event 4720. Storing creation and modification date-time for an AD user is great but when the creatorsName & modifiersName information is absent, it becomes a burden.

    Also, RFC 4512 (Lightweight Directory Access Protocol (LDAP): Directory Information Models) suggests these too.

    "...

    Entries may contain, among others, the following operational attributes:

    - creatorsName: the Distinguished Name of the user who added this entry to the directory,

    - createTimestamp: the time this entry was added to the directory,

    - modifiersName: the Distinguished…

    2 votes

    0 comments
  14. New-ADObject for Computer and New-ADComputer behaviors are different

    The New-ADObject cmdlet with Type 'Computer'
    and
    New-ADComputer
    create different types of objects.

    The object New-ADObject creates has samAccountType NORMAL_USER_ACCOUNT instead of MACHINE_ACCOUNT.

    1 vote

    0 comments  ·  Bug
  15. Default location rules

    After domain join, the default computer location is the Computers OU. It can be changed but it is static. It would be better if there is an option to add rules for default locations like moving recently joined Server 2016 devices into "MS Server 2016 Member Servers" OU.

    1 vote

    0 comments  ·  Domain join
  16. AD-DNS-CA integrated GPG Key distribution

    I assume it is possible to add GPG key creation through a CA, distribute it through AD & DNS while storing the keys in AD.

    A schema extension would be required in the next forest functional level.

    1 vote

    0 comments
  17. Add LDAPS as a role

    Currently the only way to add LDAPS capability depends on a manual process between OpenSSL and CA. The procedure is explained here: https://ldapwiki.com/wiki/LDAPs%20and%20AD

    I have implemented LDAPS following the procedure before. But thinking that OpenSSL is now a part of both Windows 10 & Server 2016, I believe it can be integrated into Windows Server as a role.

    1 vote

    0 comments
  18. Add sshPublicKeys attribute -maybe sshPrivateKeys too

    As sysadmins have the capability to manage non-Windows clients & servers using SSH as of Windows 10, enterprise architectures shall enable sysadmins to securely store the private SSH keys and distribute public keys. It is possible to integrate these attributes with the Windows Certificate store along with Credential Manager, so that after every logon the data can be synchronized, allowing sysadmins to connect to remote devices over SSH securely. It would simplify SSH certificate management.

    Currently the only way is explained in this blog post:

    https://blog.laslabs.com/2016/08/storing-ssh-keys-in-active-directory/

    Of course a simple link or junction from C:\Users<username>/.ssh/ to Certificate Store or Credential…

    1 vote

    0 comments
  19. Set 802.1X as default for both wired and wireless networks

    We implement 802.1x for wired networks utilizing RADIUS with AD. Yet, it becomes complicated for new deployments. After the OS deployment, joining the workstation to the network using a RADIUS portal, then conducting a domain join operation, is time consuming.

    Combining NPS role into AD role by default for next "forest functional level" would be a great leap forward for security. It would help an AD domain being "secure by default" but also the sysadmins who try to secure their clients would appreciate the saved time.

    Of course, the "guest network", where non-domain guest computers should be allowed in another…

    1 vote

    0 comments  ·  Domain join
  20. DNS Conditional Forwarder and Delegation.

    Hi,

    To put it in a LAB scenario:

    1. A conditional forwarder for site2.location1.country1.company.org cannot be created if the forward zones have location1.country1.company.org -> "A problem occurred while trying to add the conditional forwarder. A zone configuration problem occurred."

    2. I delegate site2 under location1.country1.company.org pointing to external IPs - successful.

    3. Now if I create a conditional forwarder for site2.location1.country1.company.org, it gets created and works even if I delete the delegation done in step 2.

    I am not sure if this is a supported model, but I would like to know if this approach is documented anywhere, or if I am wrong in understanding it.

    Thank you.

    1 vote

    1 comment  ·  Bug