As a defense-in-depth measure, it would be great to apply POLA to Authenticated Users & domain users group, so that no single user can enumerate more than they require. It would help in the Reconnaissance phase of an attack.

It seems like these are enough for an Authenticated User (1):
* Read gPLink
* Read gPOptions
* List Contents
* Read permissions
 Read distinguishedName
 Read cn

(1) https://community.spiceworks.com/topic/1457668-securing-our-ad-by-removing-authenticated-users-from-an-ou-breaks-group-policy

Add support for OAuth3/GNAP authentication protocol as a replacement for NTLM or in addition to NTLM/Keberos authentication. This is a IETF draft standard protocol for Authentication. https://oauth.xyz/

Be able to type a temporary password. As it is now, the system generates one. We would like to use an easy to dictate one and the user then changes it.

When passing something like "?whr=customdomain.com" to the password reset page it picks up my company branding, great stuff.

However, the User ID section still carries an example text of "Example: user@contoso.onmicrosoft.com or user@contoso.com".

Could the passwordreset.microsoftonline.com pages be updated so that the domain passed by whr gets used in the example, so that the example would read (in this case): "Example: user@customdomain.com".

COMPTE N0005859947 63 TOUGGOURT 30002 ALGERIA

Add a CMDLET to Remove LAPS Password reset and read permissions. Currently there is only a cmdlet to add permission, but not to clean up.

Now that the new NIST 800-63B guidelines are coming together, can Active Directory be updated to follow some of the guidance in here? Specifically allowing for blacklists of breached or otherwise bad passwords, potentially allowing for a salt to be added to AD password hashes, and rate throttling instead of just account lockout?

https://pages.nist.gov/800-63-3/sp800-63b.html

It's 2017 and there's still Server Software (even microsoft's own - like TFS), which is not able to handle gMSAs, because the password field is mandatory.
Since that software probably uses windows function to sign-in as such a user, it would be nice to have a mechanism, which allowed us to just use a dummy password for such an account - like "groupManaged" or "-" whatever else.

So perhaps this is possible, that Windows Server introduces a mechanism allowing to type a password in the mandatory password fields, which signalizes the same as an empty password for gMSAs.

Built in way to have fingerprint or iris, or facial recognition and integrated into Active Directory Authentication.

I would like to see improved password policies to enable administrators to restrict some of the most common abuses of password policy. The main things I would like to see are:
- Specifiy minimum number of changed characters vs previous password (eg to prevent just incrementing a number)
- Ability to blacklist common bad passwords including wildcard support
- Ability to control which complexity requirements are required rather than only having a single complexity option defined by Microsoft.

Create a password reset self service portal function for users which can be published externally.

Most of us log into servers with domain credentials. The ability of Windows to remember previous domain logins appears to be gone in TPv2, and now requires us to type in our user name every time. Quite annoying.