Active Directory

How can we improve Active Directory in Windows Server?

  1. Allow AD FS to fall back to Forms-based authentication if Windows Integrated Authentication fails

    Currently, if a browser-based user comes to the AD FS sign-in page, AD FS can only decide whether to use integrated authentication by looking at the browser's user agent string. However, t

    There are cases where not all users arriving at the AD FS sign-in page can perform a Kerberos login - they might be within the IP range of the "internal" part of AD FS (in a split-brain DNS configuration) but the client may not be domain joined for various reasons, for example wireless users using BYOD. For these users Kerberos fails and it falls back to NTLM/Basic auth…

    13 votes
      0 comments  ·  ADFS
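    The two AD FS settings that drive the behaviour this post describes, shown here as an added example rather than code from the post: the User-Agent substring list that decides when a WIA challenge is sent, and the intranet primary authentication providers. Offering both Windows and forms authentication on the intranet is a workaround for clients that match the User-Agent list but cannot obtain a Kerberos ticket; it is not the automatic fallback the post asks for. 'MyCorpKioskBrowser' is a hypothetical user-agent substring. Assumes AD FS 2016 or later, run as an AD FS administrator on a federation server.

```powershell
# Added example (not from the original post). Shows the settings that govern
# when AD FS 2016 attempts Windows Integrated Authentication and which primary
# providers are offered to intranet clients.
Import-Module ADFS

# A request whose User-Agent header contains one of these substrings is given a
# WIA (Negotiate) challenge; everything else goes straight to forms sign-in.
$props = Get-AdfsProperties
$props.WIASupportedUserAgents

# Add one entry (hypothetical) and write the whole list back.
$agents = @($props.WIASupportedUserAgents) + 'MyCorpKioskBrowser'
Set-AdfsProperties -WIASupportedUserAgents $agents

# Offer both providers on the intranet so a client that cannot complete
# Kerberos/NTLM still has a forms-based option instead of a failed WIA attempt.
Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider 'WindowsAuthentication', 'FormsAuthentication'

# Verify both settings.
(Get-AdfsProperties).WIASupportedUserAgents
(Get-AdfsGlobalAuthenticationPolicy).PrimaryIntranetAuthenticationProvider
```

    Review the user-agent list before tightening it: removing an entry for a browser family that domain-joined clients use forces those users onto forms sign-in as well.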
    • Role Based Administration ADAC

      Nothing has changed about how you manage computers, groups and users in Active Directory since Server 2000. After 17 years ADUC/ADAC feels obsolete. It would be awesome if you could add Role Based Administration, something similar to Just Enough Administration and AD delegation.

      3 votes
        1 comment  ·  Management Tools
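      The delegation half of this request is already possible with AD ACLs. As an added example (not code from the post), the block below grants a helpdesk group only password reset, unlock and "must change password at next logon" on user objects under one OU, instead of membership in Account Operators. The OU distinguished name and group name are hypothetical; the GUIDs are read from the live schema and Extended-Rights container rather than hard-coded. Run as an account that holds WRITE_DAC on the OU.

```powershell
# Added example (not from the original post): least-privilege delegation on an OU.
Import-Module ActiveDirectory

$ouDn      = 'OU=Staff,DC=corp,DC=example'   # hypothetical
$groupName = 'Helpdesk-PwdReset'              # hypothetical
$rootDse   = Get-ADRootDSE

# Resolve object-type GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(ldapDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$identity  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup $groupName).SID
$userClass = Get-SchemaGuid 'user'
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$rights    = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ouDn"

# "Reset Password" control access right, scoped to descendant user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $identity, $rights::ExtendedRight, $allow,
    (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userClass))

# Write access to the attributes behind "Unlock account" (lockoutTime) and
# "User must change password at next logon" (pwdLastSet).
foreach ($attr in 'lockoutTime', 'pwdLastSet') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
        (Get-SchemaGuid $attr), $inherit, $userClass))
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: list only the ACEs that name the helpdesk group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

      Keep the OU out of the path of privileged accounts: a group that can reset passwords under an OU effectively owns every account in it, so admin and service accounts belong in a separate OU that this ACE does not inherit to.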
      • Update Active Directory Password policies to align with new NIST guidelines

        Now that the new NIST 800-63B guidelines are coming together, can Active Directory be updated to follow some of the guidance in here? Specifically allowing for blacklists of breached or otherwise bad passwords, potentially allowing for a salt to be added to AD password hashes, and rate throttling instead of just account lockout?

        https://pages.nist.gov/800-63-3/sp800-63b.html

        5 votes
          1 comment  ·  Logon, Passwords
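        The checks the post asks AD to adopt can be prototyped outside AD. The block below is an added example, not code from the post or from Microsoft: a banned-password test of the kind SP 800-63B describes (breach list, context words, length floor, no composition rules) and an escalating per-account delay in place of hard lockout. The breach list is constructed from a few weak passwords and stored as SHA-1 hashes; a real deployment would load hashes from a breach corpus. Nothing here touches the directory.

```powershell
# Added example (not from the original post): SP 800-63B style password screening
# and throttling, standalone and offline.

function Get-Sha1Hex {
    param([string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally { $sha1.Dispose() }
}

# Constructed breach list. Only hashes live on the checking host, never plaintext.
$script:BannedHashes = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($p in 'password', 'Password1', 'Welcome1', '123456') {
    [void]$script:BannedHashes.Add((Get-Sha1Hex $p))
}

function Test-CandidatePassword {
    param(
        [Parameter(Mandatory)][string]$Candidate,
        [string[]]$ContextWords = @()      # username, company name, product names
    )
    if ($Candidate.Length -lt 8) { return 'too short' }   # 800-63B minimum for memorized secrets
    if ($script:BannedHashes.Contains((Get-Sha1Hex $Candidate))) { return 'breached' }
    foreach ($w in $ContextWords) {
        # -match is case-insensitive by default
        if ($w -and $Candidate -match [regex]::Escape($w)) { return "contains context word '$w'" }
    }
    return 'ok'   # deliberately no upper/lower/digit/symbol composition rule
}

# Throttling: the delay grows per account on each failure and resets on success,
# so guessing is slowed without handing an attacker a denial-of-service lever.
$script:Failures = @{}
function Get-ThrottleDelay {
    param([Parameter(Mandatory)][string]$Account, [bool]$Succeeded)
    if ($Succeeded) { $script:Failures.Remove($Account); return 0 }
    $n = 1 + [int]$script:Failures[$Account]
    $script:Failures[$Account] = $n
    return [int][math]::Min(60, [math]::Pow(2, $n - 1))   # 1, 2, 4, ... seconds, capped at 60
}

# Usage
Test-CandidatePassword -Candidate 'Welcome1' -ContextWords 'contoso', 'jsmith'
Test-CandidatePassword -Candidate 'jsmith-summer-2017' -ContextWords 'contoso', 'jsmith'
Test-CandidatePassword -Candidate 'correct horse battery staple'
foreach ($i in 1..5) { Get-ThrottleDelay -Account 'jsmith' -Succeeded $false }
Get-ThrottleDelay -Account 'jsmith' -Succeeded $true
```

        The salt the post mentions is a separate matter: AD stores the NT hash unsalted for protocol reasons (NTLM and Kerberos RC4 key derivation depend on it), so a screening list is the part of 800-63B that can be bolted on from outside.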
        • Provide a method for merging/splitting Group Policy Objects including GPP

          Provide a tool/method for merging/splitting Group Policy Objects including GPP. Integrate AGPM into the Group Policy Management Console fully and use the same backup and restore format for GPOs.
          Integrate Microsoft Security Compliance Manager/ the new Policy Analyzer functionality into group policy management console.

          I want to be able to apply the latest security baselines and split and merge GPOs all in one console.

          Provide PowerShell cmdlets for merging and splitting of GPOs including GPP.

          1 vote
            0 comments  ·  Management Tools
          • Implement replfix features into Lingering Object Liquidator

            Replfix is currently the only tool that will allow you to compare a DC with a writeable copy of the partition against a GC with a read-only copy of the partition.

            1 vote
              0 comments  ·  Lingering Object Liquidator
            • Administrative Templates language pack wrong region tag

              Finnish language pack folder name has changed in 'Administrative Templates (.admx) for Windows 10 (1703) Creators Update’ package.
              Earlier the language files folder name was fi-FI (the normal Finnish region tag in Windows systems); now it is fi-FL (I can't find a region tag for that). Maybe a typo; please check and correct the tag in the next release (1709). Reported this also directly to the PG.

              1 vote
                0 comments  ·  Bug
              • More granular account expiration and new account activation option

                The standard expiry date for an account only allows you to specify a date; the account is expired at the end of that date. How about adding a time field as well, so that an account can be set to expire at 5pm on *** date? This can already be done via PowerShell: Set-ADUser username -AccountExpirationDate "12/25/2012 5:00:00 PM", but it would be great to have it as a GUI option.

                The use case is that most companies offboard staff at COB on a given date and want to restrict access at that specific time, rather than…

                1 vote
                  0 comments  ·  Logon, Passwords
                • Join the Physical and Logical Layers

                  Add the BIOS UUID as a property on AD computer objects. This will finally tie the Physical and Logical layers together once and for all.

                  1 vote
                    0 comments  ·  Domain join
                  • BUG: Active Directory Users and Computers - using the search will not open the full properties

                    Active Directory Users and Computers - using the search will not open the full properties.

                    How to reproduce:
                    If you search for an object in ADUC and select Properties of the object (e.g. a user account), some tabs will be missing, e.g. the tab where you see all AD properties. This can only be reached by navigating to the object in the OU and right click > Properties.

                    It's been an unnecessary shortcoming for long imho. I am aware that MS would like to dump ADUC for the sake of the new PS based console but still in some cases both…

                    6 votes
                      0 comments  ·  Management Tools
                    • Get-ADPrincipalGroupMembership error when AD user is a member of a group whose name contains the word 'deny'

                      Getting the below error if you run Get-ADPrincipalGroupMembership against a user that is a member of a group that contains the word "deny" in the group name:

                      Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from
                      the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
                      At line:1 char:1
                      + Get-ADPrincipalGroupMembership -Identity…

                      1 vote
                        0 comments  ·  Management Tools
                      • Get-AdComputer properties for OperatingSystemVersion cannot be filtered properly because Windows 10 computers filter as -lt 2

                        The value for the OperatingSystemVersion of Get-ADComputer cannot be properly referenced for Windows 10 computers. The value shows as less than 2 and not more than 6.3. This command will list only Windows 10 computers: "Get-ADComputer -Filter {OperatingSystemVersion -lt "2"} -Properties * | ft dNSHostName,OperatingSystemVersion,OperatingSystem" when it should be something more like "Get-ADComputer -Filter {OperatingSystemVersion -ge "6.3"} -Properties * | ft dNSHostName,OperatingSystemVersion,OperatingSystem"

                        1 vote
                          0 comments  ·  Management Tools
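                        OperatingSystemVersion is a string attribute holding values such as "10.0 (14393)" or "6.3 (9600)", so an LDAP filter compares it as text and "10.0 …" sorts before "2". The added example below (not code from the post) parses the string into a [version] and compares numerically, narrowing server-side with -like first. The sample objects are constructed; the live query at the end runs only where the ActiveDirectory module is present.

```powershell
# Added example (not from the original post): numeric comparison of the string
# attribute OperatingSystemVersion.

function ConvertTo-OsVersion {
    param([string]$Raw)
    # "10.0 (15063)" -> 10.0.15063 ; "6.3 (9600)" -> 6.3.9600 ; "6.1" -> 6.1.0
    if ($Raw -match '^(\d+)\.(\d+)(?:\s*\((\d+)\))?') {
        $build = if ($Matches[3]) { [int]$Matches[3] } else { 0 }
        return [version]::new([int]$Matches[1], [int]$Matches[2], $build)
    }
    return $null   # empty or non-Windows value (Samba, appliances, stale objects)
}

function Select-ComputersAtLeast {
    param([object[]]$Computers, [version]$Minimum)
    $Computers | Where-Object {
        $v = ConvertTo-OsVersion $_.OperatingSystemVersion
        $v -and ($v -ge $Minimum)
    }
}

# Constructed sample shaped like Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ Name = 'WS01'; OperatingSystem = 'Windows 10 Enterprise';  OperatingSystemVersion = '10.0 (15063)' }
    [pscustomobject]@{ Name = 'WS02'; OperatingSystem = 'Windows 8.1 Enterprise'; OperatingSystemVersion = '6.3 (9600)' }
    [pscustomobject]@{ Name = 'SRV1'; OperatingSystem = 'Windows Server 2016';    OperatingSystemVersion = '10.0 (14393)' }
    [pscustomobject]@{ Name = 'NAS1'; OperatingSystem = 'Samba';                  OperatingSystemVersion = $null }
)
Select-ComputersAtLeast -Computers $sample -Minimum ([version]'10.0') |
    Format-Table Name, OperatingSystem, OperatingSystemVersion -AutoSize

# Against the directory: prefilter server-side on the string, compare client-side.
# Windows 10 and Windows Server 2016 both report 10.0; split them on OperatingSystem.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $live = Get-ADComputer -Filter 'OperatingSystemVersion -like "10.*"' `
                -Properties OperatingSystem, OperatingSystemVersion
    Select-ComputersAtLeast -Computers $live -Minimum ([version]'10.0') |
        Where-Object { $_.OperatingSystem -like 'Windows 10*' } |
        Format-Table Name, DNSHostName, OperatingSystem, OperatingSystemVersion -AutoSize
}
```

                        Avoid -Properties * for this kind of sweep; requesting only the two attributes keeps the ADWS query cheap on large domains.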
                        • Get-ADGroupMember and RODC

                          Hi!

                          I have a strange behaviour with Get-ADGroupMember on an RODC while in a PSSession: I have to specify the server on which to make the query (in the example, Toto is a domain admin):

                          PS C:\Users\Toto>Enter-PSSession RemoteRODC
                          [RemoteRODC]: PS C:\Users\Toto\Documents> Get-ADGroupMember ASimpleGroup
                          Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
                          + CategoryInfo : ResourceUnavailable: (ASimpleGroup:ADGroup) [Get-ADGroupMember], ADServerDownException
                          + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

                          I get the same behavior when invoking command:
                          PS C:\Users\Toto>Invoke-Command -ComputerName RemoteRODC -ScriptBlock {Get-ADGroupMember ASimpleGroup}
                          Unable to contact the…

                          1 vote
                            0 comments  ·  Management Tools
                          • output Subject Alternative Name extension using certutil -view

                            I would like to be able to output the SAN in a certificate with the command CertUtil.

                            The cmdlet Get-Certificate seems to do the job but only for the local store.

                            Thanks

                            1 vote
                              0 comments  ·  Management Tools
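                            Until certutil grows that column, the extension can be read from any certificate file with .NET, which covers certificates exported from the CA database as well as the local store. The block below is an added example, not code from the post: it generates a throwaway self-signed certificate with three hypothetical DNS names purely as input, extracts the SAN entries from the exported .cer, and cleans up. Requires Windows PowerShell 5.1 or later with the PKI module.

```powershell
# Added example (not from the original post): read the Subject Alternative Name
# extension (OID 2.5.29.17) from a certificate file.

function Get-CertificateSan {
    param([Parameter(Mandatory)][string]$FilePath)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($FilePath)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $ext) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=app.corp.example"
    $ext.Format($true) -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# Constructed input: a self-signed certificate with hypothetical names. The
# first DnsName becomes the subject CN; all of them land in the SAN extension.
$cert = New-SelfSignedCertificate -DnsName 'app.corp.example', 'app', 'app-alias.corp.example' `
            -CertStoreLocation 'Cert:\CurrentUser\My' -KeyExportPolicy NonExportable
$path = Join-Path $env:TEMP 'san-demo.cer'
try {
    Export-Certificate -Cert $cert -FilePath $path | Out-Null
    Get-CertificateSan -FilePath $path
} finally {
    Remove-Item -Path $path -ErrorAction SilentlyContinue
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
}
```

                            Filtering on the OID rather than Oid.FriendlyName keeps the function working on systems where the friendly name is localized.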
                            • BUG: 2016 server allows you to create machines with same name

                              I added a 2016DC to my 2012 and 2012r2 DCs a couple weeks ago.

                              Today I added a new PC into the network.

                              The problem is I used the same name as a PC already on the network (shouldn't be an issue; Windows always catches this and doesn't allow it).

                              AD didn't catch this and actually updated the original PC in AD and did not add a second PC or warn that the name was already in use. If I look at the modified date of the original pc in AD it shows it was modified at the same time…

                              2 votes
                                3 comments  ·  Domain join
                              • Active Directory Administrative Center (ADAC) search feature is incomplete

                                Well, WTH?! ADUC lets you find users, computers, groups, printers, shares, etc.

                                Why on earth is the new ADAC lacking this feature? Why don't you have the option to choose primitive object types in ADAC search as you can in ADUC? I know you have the LDAP query builder and all that (which is awesome by the way); but shouldn't simple stuff be available and intuitive stuff be as easy as it has always been with the newer tools?

                                1 vote
                                  0 comments  ·  Management Tools
                                • ADFS and Claims Rule Language Reference

                                  We need a comprehensive syntax and semantics reference for the Claims Rule Language. I know there are operators besides ==, =~, EXISTS and such, which are not covered here, and this link is by far the most comprehensive that is available:
                                  http://social.technet.microsoft.com/wiki/contents/articles/4792.understanding-claim-rule-language-in-ad-fs-2-0-higher.aspx

                                  1 vote
                                    0 comments  ·  ADFS
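                                  As an added example (not from the post), the rule set below exercises the constructs a reference would need to cover: condition matching on Type, Value and Issuer with == and the regex operator =~, NOT EXISTS for a default rule, && to join two claim sets, add for an intermediate claim that is not emitted, issue for output claims, and an Active Directory attribute-store query. "Contoso App", the claim type URIs under example.com and the group SID are hypothetical; the standard claim type URIs are the ones AD FS ships with. Apply on an AD FS server with Set-AdfsRelyingPartyTrust.

```powershell
# Added example (not from the original post): a claims rule set covering the
# main operators of the AD FS claims rule language, applied to one relying party.
$rules = @'
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Look up mail from AD (attribute store query)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Group SID to intermediate role (add, not issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1234"]
 => add(Type = "http://example.com/claims/tmp/role", Value = "admin");

@RuleName = "Regex on group name, case-insensitive"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "(?i)^app-(reader|writer)$"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = c.Value);

@RuleName = "Join two claim sets"
c1:[Type == "http://example.com/claims/tmp/role"] && c2:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://example.com/claims/audit", Value = c2.Value + ":" + c1.Value);

@RuleName = "Default role when none was found"
NOT EXISTS([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"])
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "none");
'@

Import-Module ADFS
Set-AdfsRelyingPartyTrust -TargetName 'Contoso App' -IssuanceTransformRules $rules

# Read back what AD FS stored.
(Get-AdfsRelyingPartyTrust -Name 'Contoso App').IssuanceTransformRules
```

                                  Order matters: rules run top to bottom against the incoming claim set plus anything earlier rules added, so the NOT EXISTS default must sit after every rule that can issue a role.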
                                  • Dynamic Security Groups

                                    Managing group memberships has always been a pain, and given the manual nature of managing security groups we tend to just leave them alone and let them multiply like rabbits. It would be awesome if Active Directory would finally after all these years introduce the concept of Security Groups that have dynamic membership based on, well, any other AD Attribute and support logic similar to the new ADFS Access Control rules

                                    2 votes
                                      0 comments
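                                    Without native dynamic groups, the usual substitute is a scheduled reconciliation that recomputes a group from an attribute filter. The block below is an added example, not code from the post: it computes the desired membership from an LDAP filter, diffs it against the group's member attribute, reports the change, and applies it only when -Apply is passed. The group name and filter are hypothetical. It manages the whole membership, so nested groups or computers in the target group are treated as members to remove.

```powershell
# Added example (not from the original post): reconcile a group from an attribute filter.
Import-Module ActiveDirectory

function Sync-GroupFromFilter {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$LdapFilter,
        [switch]$Apply
    )
    # Desired members: every user object matching the filter.
    $desired = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Get-ADUser -LDAPFilter $LdapFilter | ForEach-Object { [void]$desired.Add($_.DistinguishedName) }

    # Guard: an empty match almost always means a broken filter, not "nobody".
    # Never turn that into "remove everyone".
    if ($desired.Count -eq 0) {
        throw "Filter '$LdapFilter' matched no users; refusing to empty '$GroupName'."
    }

    # Current members from the member attribute (no Get-ADGroupMember result-size cap).
    $group   = Get-ADGroup -Identity $GroupName -Properties member
    $current = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $group.member) { [void]$current.Add($dn) }

    $toAdd    = @($desired | Where-Object { -not $current.Contains($_) })
    $toRemove = @($current | Where-Object { -not $desired.Contains($_) })

    if ($Apply) {
        if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove; Applied = [bool]$Apply }
}

# Enabled users in the Finance department (hypothetical group and filter).
# The bitwise rule on userAccountControl excludes disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)(department=Finance)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Dry run first; apply once the diff looks right.
Sync-GroupFromFilter -GroupName 'Finance-All' -LdapFilter $filter
Sync-GroupFromFilter -GroupName 'Finance-All' -LdapFilter $filter -Apply
```

                                    Because the filter source (here the department attribute) now drives access, whoever can write that attribute can grant themselves the group; delegate writes to it as carefully as membership changes to the group itself.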
                                    • Automatic DNS Record Priority via Inter-Site Transport Cost

                                      Non-Windows Kerberos clients authenticating against AD typically find an AS by querying DNS, e.g. for a SRV record at "_kerberos._tcp.myrealm." Unfortunately, the default query reply does not do a good job of prioritizing the results. In a default configuration, the DNS priority for the results will all be the same. Although there are some workarounds (netmask ordering), these may not be appropriate for all scenarios -- as when the client subnets are in a random order.

                                      I propose that Windows DNS have an option to return results with a calculated priority based on the inter-site transport cost between the client…

                                      2 votes
                                        0 comments
                                      • Allow group managed service Accounts (gMSA) to have a dummy password

                                         It's 2017 and there's still server software (even Microsoft's own, like TFS) which is not able to handle gMSAs, because the password field is mandatory.
                                         Since that software probably uses Windows functions to sign in as such a user, it would be nice to have a mechanism which allowed us to just use a dummy password for such an account, like "groupManaged" or "-" or whatever else.

                                         So perhaps this is possible: that Windows Server introduces a mechanism allowing you to type a password in the mandatory password fields which signals the same as an empty password for gMSAs.

                                        2 votes
                                          0 comments  ·  Logon, Passwords
                                        • WhatIf switch does not work on cmdlet Install-AdcsCertificationAuthority

                                          The -WhatIf switch is not working when installing an ADCS with the cmdlet Install-AdcsCertificationAuthority. The cmdlet is executed in full.
                                          I blogged about it here:
                                          https://mssec.wordpress.com/2016/02/18/installing-ca-via-powershell-whatif-not-working/
                                          Jeffrey Snover himself asked me on Twitter to submit a bug report on this, see here:
                                          https://twitter.com/jsnover/status/827524167465525249

                                          1 vote
                                            0 comments  ·  Management Tools