Active Directory

How can we improve Active Directory in Windows Server?


• Allow group managed service accounts (gMSA) to have a dummy password

  It's 2017 and there is still server software (even Microsoft's own, like TFS) which is not able to handle gMSAs, because the password field is mandatory.
  Since that software probably uses Windows functions to sign in as such a user, it would be nice to have a mechanism which allowed us to just use a dummy password for such an account, like "groupManaged", "-" or whatever else.

  So perhaps this is possible: that Windows Server introduces a mechanism allowing a password to be typed into the mandatory password fields which signals the same as an empty password for gMSAs.

  1 vote  ·  0 comments  ·  Logon, Passwords

• Single uidNumber and gidNumber permissions on Active Directory user object don't work

  Environment: Domain 2012 with Windows 2012 Domain Controllers

  I need to delegate the uidNumber and gidNumber Active Directory attributes to the Linux team.

  Thus I have set permissions on those attributes.

  However, these permissions don't work because they can only view the concerned attributes and not edit them.

  If I set the Write All Properties permission, it works fine because they can edit these attributes.

  But I don't want them to be able to edit all attributes, only uidNumber and gidNumber.

  Is this a bug? Or did I miss something?

  Already posted on TechNet with screenshots:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/37b9396b-9a01-49ec-98c3-47ecbea0bdb8/single-uidnumber-and-gidnumber-permissions-on-active-directory-user-object-dont-work?forum=winserverDS

  1 vote  ·  0 comments

• Get-ADObject LDAP Extended Controls parameter

  I would like the option to use LDAP Extended Controls with the Get-ADObject cmdlet.

  As of Server 2016 you can use Get-ADGroup with -ShowMemberTimeToLive to see the TTL for expiring links, or Get-ADObject with -IncludeDeletedObjects to include deleted objects.

  However, you can't use Get-ADGroup for Shadow Principals (used for Privileged Access Management) and Get-ADObject doesn't have the ShowMemberTimeToLive parameter.

  So I suggest adding an ExtendedControls parameter to the Get-ADObject cmdlet, so you can pass the LDAP Extended Control OID you need to it.

  At the very least add "ShowMemberTimeToLive" to Get-ADObject.

  LDAP Extended Controls:
  https://msdn.microsoft.com/en-us/library/cc223320.aspx

  2 votes  ·  0 comments  ·  Management Tools

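Until such a parameter exists, the same controls can be sent by OID from PowerShell with the System.DirectoryServices.Protocols classes, which is what an -ExtendedControls parameter would do underneath. The following is an added example written for this page, not code from the post or from the ActiveDirectory module. The DC name, domain DN and the Shadow Principal Configuration container path are assumptions; the two OIDs are the LDAP_SERVER_SHOW_DELETED_OID and LDAP_SERVER_LINK_TTL_OID values from the extended controls list linked above.

```powershell
# Added example: send an arbitrary LDAP extended control (by OID) with S.DS.Protocols.
# Not part of the ActiveDirectory module; a workaround for the missing -ExtendedControls parameter.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Control OIDs from the LDAP extended controls list (MS-ADTS)
$LDAP_SERVER_SHOW_DELETED_OID = '1.2.840.113556.1.4.417'   # include deleted (tombstoned) objects
$LDAP_SERVER_LINK_TTL_OID     = '1.2.840.113556.1.4.2309'  # return the TTL of expiring link values

function Search-LdapWithControl {
    param(
        [Parameter(Mandatory)][string]$Server,        # DC host name, assumed (e.g. dc01.corp.example)
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$LdapFilter,
        [string[]]$Attributes = @('distinguishedName'),
        [string[]]$ControlOid = @()
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    try {
        # Require LDAP signing and sealing so the query and its results are integrity-protected
        $conn.SessionOptions.Signing = $true
        $conn.SessionOptions.Sealing = $true
        $conn.Bind()    # Negotiate (Kerberos) as the current user

        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $SearchBase, $LdapFilter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree, $Attributes)

        foreach ($oid in $ControlOid) {
            # isCritical = $true: the DC must reject the search rather than silently ignore the control
            $ctl = New-Object System.DirectoryServices.Protocols.DirectoryControl($oid, $null, $true, $true)
            [void]$request.Controls.Add($ctl)
        }

        $response = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            $obj = [ordered]@{ distinguishedName = $entry.DistinguishedName }
            foreach ($name in $Attributes) {
                if ($entry.Attributes.Contains($name)) {
                    $obj[$name] = @($entry.Attributes[$name].GetValues([string]))
                }
            }
            [pscustomobject]$obj
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage 1 (container DN assumed): shadow principals with member TTLs, which Get-ADGroup cannot query.
# With the TTL control, expiring member values come back as "<TTL=<seconds>,CN=...>".
Search-LdapWithControl -Server 'dc01.corp.example' `
    -SearchBase 'CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=corp,DC=example' `
    -LdapFilter '(objectClass=msDS-ShadowPrincipal)' -Attributes 'member' `
    -ControlOid $LDAP_SERVER_LINK_TTL_OID

# Usage 2: deleted user objects, equivalent to Get-ADObject -IncludeDeletedObjects
Search-LdapWithControl -Server 'dc01.corp.example' -SearchBase 'DC=corp,DC=example' `
    -LdapFilter '(&(isDeleted=TRUE)(objectClass=user))' -ControlOid $LDAP_SERVER_SHOW_DELETED_OID
```

The control is marked critical on purpose: a DC that does not support the OID then fails the search instead of returning an answer that quietly lacks the TTL or the deleted objects.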
• Show DisplayName and Description in the Members tab on a group in ADUC

  When viewing a group's membership in ADUC, it would be extremely helpful to show additional columns like DisplayName and Description directly, instead of having to open up each CN, since our usernames/CNs are not friendly when they come from an enterprise provisioning system. The ability to directly see an account's type and the user's name would allow us to remove people immediately without recursion.

  1 vote  ·  0 comments  ·  Management Tools

• Additional Information on what features require Windows Server 2016 Functional Level or Schema 87. Not currently documented.

  Documentation is missing on what features require the Windows Server 2016 Functional Level and/or Schema Version 87.
  - I found one mention in an Ignite presentation that said Windows Hello for Business requires the Windows Server 2016 Functional Level.
  - Conflicting old info on non-MS sites indicates the bastion forest needs to be Server 2016, but TechNet says 2012 R2 is okay.

  This link for the 2016 Functional Level provides insufficient information.
  https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/windows-server-2016-functional-levels

  4 votes  ·  0 comments

• ADFS should support SQL Azure

  Please add support to use SQL Azure as the DB. It would open up some easy HA scenario deployments for ADFS.

  1 vote  ·  0 comments  ·  ADFS

• AD FS should not require Domain Admin privileges

  Right now in Windows Server 2012 R2 you are required to present Domain Admin credentials while installing. This is not an option when AD FS and AD DS are supported by separate teams: it exposes domain admin credentials to persons who are not allowed to know them.
  This was not the case for AD FS 2.0. Please remove the need for DA privileges to be entered at the AD FS server.

  9 votes  ·  0 comments  ·  ADFS

• join domain

  Add the setting of the ACL for domain join to the "New-ADComputer" cmdlet.

  In the MMC it is possible to create a computer AD account and set "The following user or group can join this computer to a domain".

  It would be nice to have it in New-ADComputer.

  3 votes  ·  0 comments  ·  ADFS

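Both the uidNumber/gidNumber delegation problem reported earlier on this page and the domain-join ACL that New-ADComputer lacks come down to writing object-specific ACEs, which the ActiveDirectory module's AD: drive already supports. The following is an added example for this page, not code from either post or from Microsoft. Group, OU, account and computer names are assumptions; the schema GUIDs for uidNumber, gidNumber and the user class are looked up rather than hard-coded; and the four rights granted for domain join are this example's assumption about what the ADUC dialog sets, so compare them against a computer object created through the dialog before relying on them.

```powershell
# Added example for this page, not code from either post or from Microsoft.
# Delegates object-specific rights through the ActiveDirectory module's AD: drive.
Import-Module ActiveDirectory

# Resolve an attribute's or class's schemaIDGUID from the schema instead of hard-coding it
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

# Append one Allow ACE to an AD object's DACL
function Add-AdAllowAce {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Identity,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType = [guid]::Empty,            # attribute, property set or extended right GUID
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
        [guid]$InheritedObjectType = [guid]::Empty    # object class the ACE applies to when inherited
    )
    $path = "AD:\$ObjectDN"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# --- 1. Let the Linux team edit only uidNumber and gidNumber on user objects in one OU ---
$linuxTeam = (Get-ADGroup -Identity 'Linux-Admins').SID     # assumed group name
$usersOU   = 'OU=Users,DC=corp,DC=example'                   # assumed OU
$userClass = Get-SchemaIdGuid -LdapDisplayName 'user'
foreach ($attr in 'uidNumber', 'gidNumber') {
    # Read + write on this single attribute, inherited by user objects only (not groups or computers)
    Add-AdAllowAce -ObjectDN $usersOU -Identity $linuxTeam `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty') `
        -ObjectType (Get-SchemaIdGuid -LdapDisplayName $attr) `
        -Inheritance Descendents -InheritedObjectType $userClass
}

# --- 2. Pre-create a computer and grant one account the rights needed to join it ---
# Assumption: this is the set the ADUC "can join this computer to a domain" dialog grants;
# compare with (Get-Acl "AD:\<dialog-created computer DN>").Access before relying on it.
$joinRights = @(
    @{ Rights = 'ExtendedRight';               Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Rights = 'Self';                        Guid = '72e39547-7b18-11d1-adef-0000f87b3f39' }  # Validated write to dNSHostName
    @{ Rights = 'Self';                        Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to servicePrincipalName
    @{ Rights = 'ReadProperty, WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }  # Account Restrictions property set
)
$joiner   = (Get-ADUser -Identity 'svc-imaging').SID         # assumed account allowed to join
$computer = New-ADComputer -Name 'WS-0042' -Path 'OU=Workstations,DC=corp,DC=example' -PassThru
foreach ($r in $joinRights) {
    Add-AdAllowAce -ObjectDN $computer.DistinguishedName -Identity $joiner `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights]$r.Rights) -ObjectType ([guid]$r.Guid)
}

# --- Check: show exactly what was granted, so nothing broader than intended slipped in ---
(Get-Acl -Path "AD:\$usersOU").Access |
    Where-Object { $_.IdentityReference.Value -like '*\Linux-Admins' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

The attribute ACEs are scoped with InheritedObjectType set to the user class, so the same OU can hold groups and computers without the Linux team gaining write access to any attribute on them; the final Get-Acl check is the place to confirm that the ObjectType column shows the two attribute GUIDs and not an empty GUID, which would mean "all properties".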
• AGPM status icons and requester feedback

  AGPM is a great tool for GPO management but I think it's missing some functionality.
  When working in the controlled GPO section you have an icon showing if a GPO is checked out. It would be good to see more status icons showing these states: deployed, checked out, modified after deployment.
  Also it would be nice if the requester of a GPO action could get a mail notification back when it's done or rejected.

  4 votes  ·  0 comments  ·  Management Tools

• get-aduser error on date attribute

  The get-aduser command fails when attempting to retrieve an attribute that contains a date value in the year 2000, with the following error message:

  Get-ADUser : Year, Month, and Day parameters describe and un-representable DateTime.

  Example:

  Get-ADUser -Identity <common-name> -Properties <SomeDateField>

  where the string <SomeDateField> represents an attribute that contains a human-readable date, and not an offset value.

  1 vote  ·  0 comments  ·  Management Tools

• Bug - Active Directory Administrative Center Global Search

  When double-clicking on a search result in "Global Search", the item that opens is the previously selected item, not the one that is double-clicked.

  Steps to reproduce: Open ADAC, enter a value in global search that will get more than one result, for example "domain". This will give a list of results, the top one will be selected. Double-click on any result that is not the selected one.

  Result: The previously selected item opens
  Expected result: The double-clicked item opens

  11 votes  ·  4 comments  ·  Bug

• Get-ADPrincipalGroupMembership Raises Error if any Group Name has the "/" character

  The Get-ADPrincipalGroupMembership PowerShell cmdlet raises an error if any of the groups retrieved has the "/" character in the common name. The error message is "The server was unable to process the request due to an internal error", followed by instructions to get more details or turn on tracing.

  For example, if user "cn=Frank Madison,ou=Sales,ou=West,dc=MyDomain,dc=com" is a member of the group "cn=East/West,ou=Admin,dc=MyDomain,dc=com", then the following raises the error:

  Get-ADPrincipalGroupMembership -Identity "cn=Frank Madison,ou=Sales,ou=West,dc=MyDomain,dc=com"

  This issue is similar to the one reported here, where the "/" character is in the name of the user, not the group:
  https://windowsserver.uservoice.com/forums/301869-powershell/suggestions/11088447-get-adprincipalgroupmembership-error-with-in-p

  2 votes  ·  2 comments  ·  Management Tools

• Set-ADAccountPassword Raises Error if DN of Account has "*" Character

  The Set-ADAccountPassword cmdlet raises an error if the distinguished name of the account includes the asterisk character, "*". The error is raised even if you identify the user by sAMAccountName (asterisks are not allowed in sAMAccountName values). It does not help to identify the user by distinguished name, even if you escape the "*" character, whether you escape with the backtick "`", the backslash "\", or using the 2-character ASCII hexadecimal equivalent "\2A". The only workaround found is to bind to the account using the [ADSI] accelerator and invoke the SetPassword method.

  Assuming the user "cn=Will * Johnson" exists,…

  3 votes  ·  1 comment  ·  Management Tools

• Managed Service Accounts in Active Directory Administrative Center

  I would like to create, view and edit Managed Service Accounts from Active Directory Administrative Center.

  11 votes  ·  0 comments  ·  Management Tools

• The -PasswordExpired parameter of the Search-ADAccount cmdlet does not work

  The help for the Search-ADAccount cmdlet includes the following example:

  Search-ADAccount -PasswordExpired

  This is supposed to retrieve all accounts with expired passwords, but it retrieves nothing. In a similar manner, the following also retrieves nothing:

  Get-ADUser -Filter {PasswordExpired -eq $True}

  The cmdlets will display the value of the PasswordExpired property, either True or False, when we filter on other properties. For example, both of the following examples will indicate if passwords are expired:

  Get-ADUser -Identity "jsmith" -Properties PasswordExpired
  Search-ADAccount -AccountDisabled

  I believe the PowerShell property PasswordExpired and the -PasswordExpired parameter are both based on the msDS-User-Account-Control-Computed attribute. This attribute is…

  4 votes  ·  0 comments

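An added example, not from the post, that reports expired passwords without relying on the -PasswordExpired switch. It reads two server-computed attributes: msDS-UserPasswordExpiryTimeComputed (a FILETIME in which the DC has already applied the domain or fine-grained policy) and the UF_PASSWORD_EXPIRED bit (0x800000) of the msDS-User-Account-Control-Computed attribute the post mentions. The search base defaults to the current domain; everything else is standard ActiveDirectory module usage.

```powershell
# Added example for this page, not code from the post. Reports users whose passwords have expired
# using two server-computed attributes instead of the broken -PasswordExpired switch.
Import-Module ActiveDirectory

$UF_PASSWORD_EXPIRED = 0x800000                                  # bit in msDS-User-Account-Control-Computed
$MAX_FILETIME        = [datetime]::MaxValue.ToFileTimeUtc()      # anything at or above this means "never"

function Get-ExpiredPasswordUser {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $now = Get-Date
    # Disabled accounts and accounts flagged PasswordNeverExpires cannot meaningfully "expire"
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
        -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed', 'msDS-User-Account-Control-Computed' |
    ForEach-Object {
        $expiryFt  = [int64]$_.'msDS-UserPasswordExpiryTimeComputed'
        $uacComp   = [int]$_.'msDS-User-Account-Control-Computed'
        # 0 or the "never" sentinel cannot be converted to a date, so leave those empty
        $expiresAt = if ($expiryFt -le 0 -or $expiryFt -ge $MAX_FILETIME) { $null } else { [datetime]::FromFileTime($expiryFt) }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            MustChangeAtLogon    = ([int64]$_.pwdLastSet -eq 0)          # the DC reports this as expired too
            PasswordExpiresAt    = $expiresAt
            ExpiredByComputedUac = (($uacComp -band $UF_PASSWORD_EXPIRED) -ne 0)
            ExpiredByExpiryTime  = ($null -ne $expiresAt -and $expiresAt -lt $now)
        }
    } |
    Where-Object { $_.ExpiredByComputedUac -or $_.ExpiredByExpiryTime }
}

# Usage: the two Expired columns normally agree; a row where they differ is worth a closer look
Get-ExpiredPasswordUser | Format-Table -AutoSize
```

Both signals are computed by the DC on read, so the report needs no local copy of maxPwdAge and stays correct for users covered by a fine-grained password policy; the filter on Enabled and PasswordNeverExpires is what keeps service and test accounts from flooding the list.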
• Open Source the ActiveDirectory PowerShell Module

  Please consider open sourcing the ActiveDirectory PowerShell Module. While regarded as feature complete internally at MSFT, there is still much work that can be done to offer PowerShell users of all skill levels a more consistent experience by ensuring all Cmdlets in the ActiveDirectory Module accept pipeline input and parameter binding by property name and value. There is also tremendous value in providing PowerShell users with Cmdlets to determine which attributes in the Active Directory schema have been indexed as well as Cmdlets to extend the schema with the addition of other attributes.

  64 votes  ·  6 comments

• Improve Members and Member Of view in Active Directory Administrative Center

  When opening a user or group and looking at “Member of” or “Members” in ADAC, only three items are visible in the view. I would like the ability to resize the view to include more than three items.

  9 votes  ·  0 comments  ·  Management Tools

• Set-ADDefaultDomainPasswordPolicy

  The help for the Set-ADDefaultDomainPasswordPolicy cmdlet has incorrect or misleading information about several parameters:

  -ComplexityEnabled, -LockoutDuration, -LockoutObservationWindow, -LockoutThreshold, -MinPasswordLength, -PasswordHistoryCount, and -ReversibleEncryptionEnabled

  The help is linked here:
  https://technet.microsoft.com/en-us/library/ee617251.aspx

  The help either states that the cmdlet sets a property of a password policy, or states that the ldapDisplayName of the property begins with "msDS-". The help seems to be referring to attributes of a Password Settings Object (PSO). But this cmdlet only assigns values to attributes of a domain object, corresponding to the default domain password policy. Domain objects do not have attributes that begin with "msDS-".

  The -ComplexityEnabled parameter of…

  2 votes  ·  0 comments  ·  Management Tools

• Set-AdUser doesn't work when 'Instance' and 'WhatIf' are used at the same time

  When you use the Set-AdUser cmdlet with the -Instance parameter, it throws an error if you also use -WhatIf:

  [1] PS G:\> $User = Get-ADUser -Identity joshuak

  [2] PS G:\> $User.GivenName = 'Josh'

  [3] PS G:\> Set-ADUser -Instance $User -WhatIf
  What if: Performing the operation "Set" on target "CN=Joshua King,OU=staff,OU=users,DC=example,DC=co,DC=nz".
  Set-ADUser : One of the following parameters is required 'Identity,Instance'.
  At line:1 char:1
  + Set-ADUser -Instance $User -WhatIf
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : InvalidArgument: (:) [Set-ADUser], ArgumentException
  + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.SetADUser

  4 votes  ·  3 comments  ·  Management Tools

• active directory

  It would be so nice if you could see the difference between an active account and an expired account in Active Directory Users and Computers.

  Now only disabled accounts have an arrow in the icon. But there is no way to tell in the overview if an account is expired.

  2 votes  ·  0 comments  ·  Management Tools

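An added example, not from the post, that produces the distinction ADUC does not show. It reads accountExpires directly and treats both encodings of "never expires" (0 and 0x7FFFFFFFFFFFFFFF) explicitly; disabled and expired are independent states, so an account can be either, both or neither, and the report says which. The search base defaults to the current domain.

```powershell
# Added example for this page, not code from the post. ADUC only marks disabled accounts;
# this reads accountExpires directly so expired-but-enabled accounts become visible.
Import-Module ActiveDirectory

$NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF   # one of two encodings of "never"; 0 is the other

function Get-AccountStatusReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $nowFt = (Get-Date).ToFileTimeUtc()
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties accountExpires |
    ForEach-Object {
        $exp       = [int64]$_.accountExpires
        $hasExpiry = ($exp -ne 0 -and $exp -ne $NEVER_EXPIRES)
        $expired   = $hasExpiry -and ($exp -le $nowFt)
        $expiresAt = if ($hasExpiry) { [datetime]::FromFileTimeUtc($exp).ToLocalTime() } else { $null }

        # Disabled and expired are independent flags: report the combination, not just one of them
        $status = 'Active'
        if ($expired)        { $status = 'Expired' }
        if (-not $_.Enabled) { $status = if ($expired) { 'Disabled+Expired' } else { 'Disabled' } }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Status         = $status
            ExpiresAt      = $expiresAt
        }
    }
}

# Usage: the case ADUC hides, i.e. accounts that expired but were never disabled
Get-AccountStatusReport | Where-Object Status -eq 'Expired' | Format-Table -AutoSize
# Cross-check against the module's own view: Search-ADAccount -AccountExpired -UsersOnly
```

Expired accounts that remain enabled are the ones worth acting on: the expiry already stops interactive logon, but the object still carries its group memberships and delegations, so disabling it (or removing it) is the clean-up step the icon in ADUC would have prompted.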