Active Directory
-
Check the computers option by default in the object types dialog
When adding objects to an Active Directory group, the Computers option is not checked by default. This will save a lot of clicks if that was checked by default.
48 votes -
Download ADMX Templates no MSI but ZIP
It would be great to have ADMX Templates not as MSI files but ZIP files, so you don't need to install it. Only extraction. Saves lot of time for me.
9 votes -
Build ADFS 2019 Plug-in to allow user authentication requiring Azure MFA to be bypassed when internet access is down
My company uses O365, AD FS 2016 and Azure AD, recently our internet provider had repeated outages where the AD FS servers access to the internet was compromised. This was a unavoidable outage for users on our internal network but since O365 leveraged Azure MFA in a CA policy external users could not get to O365 resources because they could not do MFA at ADFS. I want to create a plugin that checks for access to Azure MFA if it fails it places a default hardcoded claim in the token package validating MFA but raising a RIsk factor whtich will…
4 votes -
AD Visual Modelling
It would be good to see the layout of AD domains, forests, servers and clients(?) as an additional role within AD services to allow a visualisation of the current AD structure.
Similar to the SQL Database Diagram implementation within SQL Server software.
Perhaps even an API could be made available to integrate it into documentation tools like Visio3 votes -
New-ADObject for Computer and New-ADComputer behaviors are different
New-ADObject cmdlet with Type 'Computer'
and
New-ADComputer
creates different types of objects.The New-ADObject creates samAccountType is NORMALUSERACCOUNT instead of MACHINE_ACCOUNT.
1 vote -
Default location rules
After domain join, the default computer location is the Computers OU. It can be changed but it is static. It would be better if there is an option to add rules for default locations like moving recently joined Server 2016 devices into "MS Server 2016 Member Servers" OU.
1 vote -
AD-DNS-CA integrated GPG Key distribution
I assume it is possible to add GPG key creation through a CA, distribute it through AD & DNS while storing the keys in AD.
A schema extension would be required in the next forest functional level.
1 vote -
Add LDAPS as a role
Currently the only way to add LDAPS capability depends on a manual process between OpenSSL and CA. The procedure is explained here: https://ldapwiki.com/wiki/LDAPs%20and%20AD
I have implemented LDAPS following the procedure before. But thinking that OpenSSL is now a part of both Windows 10 & Server 2016, I believe it can be integrated into Windows Server as a role.
1 vote -
Add sshPublicKeys attribute -maybe sshPrivateKeys too
As sysadmins have the capability to manage non-windows clients & servers using SSH as of Windows 10, enterprise architectures shall enable sysadmins to securely store the private SSH keys and distribute public keys. It is possible to integrate these attributes with Windows Certificate store along with Credential Manager, so that after every log on the data can be synchronized allowing sysadmins connect to remote devices over SSH securely. It would simplify the SSH certificate management.
Currently the only was is explained in this blog post:
https://blog.laslabs.com/2016/08/storing-ssh-keys-in-active-directory/
Of course a simple link or junction from C:\Users<username>/.ssh/ to Certificate Store or Credential…
1 vote -
Set 802.1X as default for both wired and wireless networks
We implement 802.1x for Wired Networks utilizing RADIUS with AD. Yet, it becomes complicated for new deployments. After the OS deployment, joining the workstation o the network using a RADIUS portal, then conducting a domain join operation is time consuming.
Combining NPS role into AD role by default for next "forest functional level" would be a great leap forward for security. It would help an AD domain being "secure by default" but also the sysadmins who try to secure their clients would appreciate the saved time.
Of course, the "guest network", where non-domain guest computers should be allowed in another…
1 vote -
Add "creatorsName" and "modifiersName" attributes to the schema
Currently the only possibility to check the time and creator of a user is to check the audit logs for event 4720. Storing creation and modification date-time for an AD user is great but when the creatorsName & modifiersName information is absent, it becomes a burden.
Also RFC 4512 Lightweight Directory Access Protocol (LDAP): Directory Information Models suggests these too.
"...
Entries may contain, among others, the following operational attributes:- creatorsName: the Distinguished Name of the user who added this
entry to the directory,- createTimestamp: the time this entry was added to the directory,
- modifiersName: the Distinguished…
1 vote -
Active Directory Dark Theme
When set the Windows 10 to Dark Theme, change the color of Active Directory from the Server and from the Administrative Tools from Windows 10 to a Dark Theme also!
7 votes -
Change the default UPN for a domain
With companies changing UPN's on user accounts due to things like O365 migrations, make it possible to change and set the default UPN used for new user creation in a domain.
2 votes -
Manyou1335@gmail.com
Manyou33.page
1 vote -
DNS Conditional Forwarder and Delegation.
Hi,
To put it in a LAB scenario.
Conditional forwarder site2.location1.country1.company.org cannot be created if the Forward zones has location1.country1.company.org -> "A problem occurred while trying to add the conditional forwarder. A zone configuration problem occurred."
I delegate site2 under location1.country1.company.org pointing to external IPs - Successful.
Now if i create a Conditional forwarder site2.location1.country1.company.org it gets created and works even if i delete the delegation done in step 2.
I am not sure if this supported model, but would like to know this approach is documented anywhere? or i am wrong in understanding it.
Thank you.
1 vote -
-
Set-GpPermission - Add a "Force" parameter
The Set-GpPermission PowerShell cmdlet generates a prompt when attempting to remove the "Authenticated Users" permission from a GPO. There is no way to avoid this, which makes programmatic GPO creation very difficult. Please add a "-Force" parameter to avoid this prompt, or make the "-Confirm:$False" parameter also apply to this prompt.
2 votes -
Change Get-ADFSAccountActivity to return all users in ADFS Activity database
Change Get-ADFSAccountActivity to return all users in ADFS Activity database, like supporting a -All parameter. Then users can be searched using powershell of users that have triggered lockout or failed given amount of times. Currently users have to be retrieved one by one which is tedious at best
2 votes -
Make DCPromo GUI available for demoting a DC
Before removing the ADDS role the DC needs to be demoted to a regular server. The only way to get the link to the GUI is to create an error by trying to remove the ADDS role when you KNOW you cannot do so. Trying to do so will produce the error and the error message will give you the link.
Isn't that kind of stupid? Why first make me do something wrong to get the link to do it right?2 votes -
Get-ADUser PasswordExpirationDate
The Get-ADUser cmdlet should optionally return a "PasswordExpirationDate" attribute that is derived from "msDS-UserPasswordExpiryTimeComputed" and shown in a friendly format.
This is already done for PasswordLastSet from pwdLastSet and perhaps other attributes.
Without this enhancement, we must parse and convert the time such as:
$user = Get-ADUser -Properties msDS-UserPasswordExpiryTimeComputed sAMAccountName
([datetime]::fromfiletime([int64]::parse(($user)."msDS-UserPasswordExpiryTimeComputed"))).tostring()Or we resort to non-PowerShell tools:
net user sAMAccountName /domain10 votes -
5 votes
- Don't see your idea?