Active Directory
Less default permissions for Authenticated Users & Domain Users
As a defense-in-depth measure, it would be great to apply POLA to the Authenticated Users & Domain Users groups, so that no single user can enumerate more than they require. It would help in the reconnaissance phase of an attack.
It seems like these are enough for an Authenticated User (1):
* Read gPLink
* Read gPOptions
* List Contents
* Read permissions
* Read distinguishedName
* Read cn
2 votes -
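An added example, not part of the request above and not Microsoft's code: before trimming Authenticated Users down to a baseline like the one listed, you want to see what that principal actually holds on the domain head or an OU. This PowerShell dumps every ACE on a given object that applies to Authenticated Users (well-known SID S-1-5-11), resolving the attribute and extended-right GUIDs to names so entries such as "Read gPLink" can be compared against the list. It assumes the RSAT ActiveDirectory module in a domain-joined session; the function names are mine.

```powershell
# Added example, not from the original request: audit the ACEs that Authenticated Users
# (or any SID) hold on an AD object, with GUIDs resolved to attribute / right names.
# Assumes the RSAT ActiveDirectory module in a domain-joined session.
Import-Module ActiveDirectory

function Get-AdGuidNameMap {
    # One lookup table: schemaIDGUID -> lDAPDisplayName (attributes and classes) plus
    # rightsGuid -> displayName (extended rights and property sets), so the ObjectType and
    # InheritedObjectType GUIDs in an ACE become readable.
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).Guid] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).Guid] = $_.displayName }
    $map
}

function Resolve-AceGuid {
    param([hashtable]$Map, [guid]$Guid)
    # The empty GUID in an ACE means "the object itself / all properties".
    if ($Guid -eq [guid]::Empty) { return '<all>' }
    if ($Map.ContainsKey($Guid.Guid)) { return $Map[$Guid.Guid] }
    $Guid.Guid
}

function Get-PrincipalAces {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # S-1-5-11 is the well-known SID of Authenticated Users; pass the Domain Users SID
        # (<domain SID>-513) to audit that group the same way.
        [string]$Sid = 'S-1-5-11'
    )
    $map = Get-AdGuidNameMap
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -ne $Sid) { continue }
        [pscustomobject]@{
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            AppliesTo   = Resolve-AceGuid -Map $map -Guid $ace.ObjectType           # attribute / right
            OnObjects   = Resolve-AceGuid -Map $map -Guid $ace.InheritedObjectType  # object class
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# Usage: the domain head, or an OU whose Authenticated Users grants you want to review.
# Get-PrincipalAces -DistinguishedName (Get-ADDomain).DistinguishedName | Format-Table -AutoSize
```

In the output, the baseline in the request corresponds to `ReadControl` ("Read permissions"), `ListChildren` ("List Contents") and `ReadProperty` rows whose AppliesTo is gPLink, gPOptions, distinguishedName or cn. Anything else, in particular `ReadProperty` on `<all>` or on property sets such as General Information, is what the group can enumerate beyond that baseline. Rows marked Inherited come from a parent object (ultimately the domain head's default security descriptor) and have to be changed there, not on the OU.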
Add support for OAuth3/GNAP in ADDS
Add support for the OAuth3/GNAP authentication protocol as a replacement for NTLM, or in addition to NTLM/Kerberos authentication. This is an IETF draft standard protocol for authentication. https://oauth.xyz/
2 votes -
Temporary Password
Be able to type a temporary password. As it is now, the system generates one. We would like to use an easy to dictate one and the user then changes it.
2 votes -
Windows Domain Server incorrect-password delay
One change to security for incorrect password entry that would make it friendlier for the users and more secure against brute force password attacks would be to use a geometrically increasing delay when a specific number of wrong passwords are entered. The first delay could be one minute, the second 5 minutes, the third 25 minutes, the fourth 125 minutes, etc. Of course this would also involve a time setting for resetting the wrong passwords progression after a previous delay. This would make the initial delay for wrong passwords very short for the user, but would increase the time for…
1 vote -
Self Service Password Reset portal using whr to give a meaningful user ID example
When passing something like "?whr=customdomain.com" to the password reset page it picks up my company branding, great stuff.
However, the User ID section still carries an example text of "Example: user@contoso.onmicrosoft.com or user@contoso.com".
Could the passwordreset.microsoftonline.com pages be updated so that the domain passed by whr gets used in the example, so that the example would read (in this case): "Example: user@customdomain.com".
3 votes -
LAPS - Add Cmdlets to remove permissions
Add a cmdlet to remove LAPS password reset and read permissions. Currently there is only a cmdlet to add permissions, but not to clean up.
10 votes -
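An added example, not part of the request above and not code from the AdmPwd.PS module: until such a cmdlet exists, the grants that Set-AdmPwdReadPasswordPermission and Set-AdmPwdResetPasswordPermission write can be removed by editing the OU's ACL directly. The PowerShell below deletes the explicit ACEs a given principal holds on the two legacy LAPS attributes (ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime) for an OU, supporting -WhatIf so the removal can be previewed. It assumes the legacy LAPS schema extension is present and the RSAT ActiveDirectory module is available; the function names and the sample OU and group names are mine.

```powershell
# Added example, not from the request or from the AdmPwd.PS module: remove the per-attribute
# ACEs that the Set-AdmPwd*Permission cmdlets add for a principal on an OU.
# Assumes the legacy LAPS schema attributes and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                         -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' is not in the schema; LAPS schema extension missing?" }
    [guid]$attr.schemaIDGUID
}

function Remove-AdmPwdPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # DN of the OU the Set-AdmPwd*Permission cmdlets were run against.
        [Parameter(Mandatory)][string]$OrgUnit,
        # Principal whose grants should go, e.g. 'CONTOSO\Helpdesk' (hypothetical name).
        [Parameter(Mandatory)][string]$Principal,
        # Read grants target ms-Mcs-AdmPwd, reset grants target ms-Mcs-AdmPwdExpirationTime;
        # both are treated as "LAPS permissions" by default.
        [string[]]$Attribute = @('ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime')
    )
    $targetGuids = @($Attribute | ForEach-Object { Get-SchemaAttributeGuid $_ })
    $sid  = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $path = "AD:\$OrgUnit"
    $acl  = Get-Acl -Path $path

    # Only explicit ACEs on this OU: inherited ones must be removed where they are defined.
    $toRemove = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        ($_.ObjectType -in $targetGuids) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    })
    if ($toRemove.Count -eq 0) {
        Write-Verbose "No explicit LAPS ACEs for $Principal on $OrgUnit"
        return $toRemove
    }
    if ($PSCmdlet.ShouldProcess($OrgUnit, "Remove $($toRemove.Count) LAPS ACE(s) for $Principal")) {
        foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }
        Set-Acl -Path $path -AclObject $acl
    }
    $toRemove   # the ACEs that were (or, with -WhatIf, would be) removed
}

# Preview first, then apply (OU and group names are placeholders):
# Remove-AdmPwdPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com' -Principal 'CONTOSO\Helpdesk' -WhatIf
# Remove-AdmPwdPermission -OrgUnit 'OU=Workstations,DC=contoso,DC=com' -Principal 'CONTOSO\Helpdesk' -Verbose
```

Filtering on the attribute GUID rather than on the rights mask is deliberate: the read grant is ReadProperty plus the CONTROL_ACCESS extended right (ms-Mcs-AdmPwd is a confidential attribute), the reset grant is WriteProperty, and matching on ObjectType catches both without having to enumerate rights combinations. Run with -WhatIf first and check the returned ACEs, since Set-Acl rewrites the whole security descriptor of the OU.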
Update Active Directory Password policies to align with new NIST guidelines
Now that the new NIST 800-63B guidelines are coming together, can Active Directory be updated to follow some of the guidance in here? Specifically allowing for blacklists of breached or otherwise bad passwords, potentially allowing for a salt to be added to AD password hashes, and rate throttling instead of just account lockout?
55 votes -
Allow group managed service Accounts (gMSA) to have a dummy password
It's 2017 and there's still server software (even Microsoft's own, like TFS) which is not able to handle gMSAs, because the password field is mandatory.
Since that software probably uses Windows functions to sign in as such a user, it would be nice to have a mechanism which allowed us to just use a dummy password for such an account, like "groupManaged" or "-" or whatever else. So perhaps it is possible for Windows Server to introduce a mechanism that allows typing a password into the mandatory password fields which signals the same as an empty password for gMSAs.
1 vote -
Native Biometric Support in Active Directory On-Premise (Like Windows Hello)
Built in way to have fingerprint or iris, or facial recognition and integrated into Active Directory Authentication.
32 votes -
Enhance Password Policies in Group Policy
I would like to see improved password policies to enable administrators to restrict some of the most common abuses of password policy. The main things I would like to see are:
- Specify a minimum number of changed characters vs. the previous password (e.g. to prevent just incrementing a number)
- Ability to blacklist common bad passwords, including wildcard support
- Ability to control which complexity requirements are required, rather than only having a single complexity option defined by Microsoft.
55 votes -
Self service password reset for users
Create a password reset self service portal function for users which can be published externally.
14 votes -
More granular account expiration and new account activation option
The standard expiry date for an account only allows you to specify a date; the account is expired at the end of that date. How about adding in a time field as well, so that an account can be set to expire at 5pm on *** date? This can already be done via PowerShell: Set-ADUser username -AccountExpirationDate "12/25/2012 5:00:00 PM", but it would be great to have it as a GUI option.
The use case is that most companies offboard staff at COB on a given date and want to restrict access at that specific time, rather than…
3 votes -
Remember Domain Logins
Most of us log into servers with domain credentials. The ability of Windows to remember previous domain logins appears to be gone in TPv2, and now requires us to type in our user name every time. Quite annoying.
26 votes