Active Directory

  1. Add selection of specific MFA Adapter as condition

    It would be incredibly helpful if Access Authorization Rules would allow the selection of a specific MFA Adapter or mechanism as a part of a ruleset.

    For example, if a user was authenticating from a managed device, use certificate authentication; otherwise, prompt for a second factor using the Azure MFA adapter. Or, if a user belongs to a specific group, always use certificate authentication first, then attempt Azure MFA; otherwise, if a user belongs to group "B", always prompt for the Azure MFA Adapter (or any other MFA provider integrated with ADFS).

    At the moment it's an all-or-nothing option. If…

    3 votes
    1 comment  ·  ADFS
  2. Allow token signing and decryption on a per-relying party basis

    Currently ADFS only signs tokens with the primary token-signing certificate. This makes renewing the certificate difficult if an organization has many relying party trusts configured, as the swap has to be coordinated with multiple vendors.

    Please allow the signing certificate to be configured on a per-relying party basis. This would allow each relying party to migrate to the new certificate on their own schedules, as opposed to a single "big bang" approach.

    4 votes
    2 comments  ·  ADFS
  3. 2 votes
    1 comment
  4. Support empty PSCredential with ActiveDirectory module cmdlets

    The PowerShell ActiveDirectory module cmdlets do not properly check for [System.Management.Automation.PSCredential]::Empty in the Credential parameter. If an Empty PSCredential is passed to one of the cmdlets, the result is a NullReferenceException. Instead, it should default to the current logged-in user like when the Credential parameter is omitted.

    This is particularly useful when writing our own functions with an optional Credential parameter which call various AD cmdlets.

    2 votes
    0 comments  ·  Management Tools
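An added example (not part of the feedback post) of the usual workaround for the bug described above: a wrapper with an optional -Credential parameter that forwards -Credential to Get-ADUser only when a real credential was supplied, so [PSCredential]::Empty never reaches the AD cmdlet. Get-UserReport is a hypothetical wrapper name; Get-ADUser is the real cmdlet.

```powershell
# Added example, not from the feedback post. Get-UserReport is a
# hypothetical wrapper around the real Get-ADUser cmdlet.
function Get-UserReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # Same "no credential supplied" default the built-in cmdlets use.
        [System.Management.Automation.PSCredential]
        $Credential = [System.Management.Automation.PSCredential]::Empty,

        [string]$Server
    )

    # Build the argument set for splatting. -Credential is added only when
    # the caller passed a real credential, so the AD cmdlet falls back to
    # the logged-on user exactly as if the parameter had been omitted,
    # instead of throwing a NullReferenceException on the Empty credential.
    $adParams = @{
        Identity   = $Identity
        Properties = 'Enabled', 'PasswordLastSet', 'LastLogonDate'
    }
    if ($Credential -and
        $Credential -ne [System.Management.Automation.PSCredential]::Empty) {
        $adParams['Credential'] = $Credential
    }
    if ($Server) { $adParams['Server'] = $Server }

    Get-ADUser @adParams |
        Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate
}

# Both forms work; the second reaches Get-ADUser with no -Credential argument.
# Get-UserReport -Identity jdoe -Credential (Get-Credential)
# Get-UserReport -Identity jdoe
```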
  5. Set the default on a Windows trust to allow AES encryption for Kerberos

    Set the default on a Windows trust to allow AES encryption for Kerberos. By default, any trust created between two domains does not allow AES encryption across the trust boundary. This breaks policy application and certain tools that rely on AES encryption (the default encryption type in a modern domain). It would be nice if this was the default setting rather than having to remember to check that in the trust properties.

    1 vote
    0 comments
  6. Ability to navigate PS Provider by Canonical Name

    Ability to navigate the PowerShell provider by Canonical name and refer to objects using the CN would make working with AD much more natural.

    1 vote
    0 comments  ·  Management Tools
  7. Add support for synthetic flattening of security groups

    There are way too many "dumb" LDAP implementations out there that simply can't deal with nested group memberships in AD. This makes it really hard to implement well organized RBAC in AD without a bunch of exceptions for the bad apps.

    You can fool some of them with LDAPMATCHINGRULEINCHAIN if they give you enough access to configure the filters they're using. But others are simply stuck only caring about the flat list of users returned by the "member" attribute.

    I envision a new constructed attribute on group objects called something like memberFlattened that basically has AD…

    1 vote
    1 comment
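An added example (not from the feedback post) of producing the flattened membership the poster wants today: once with the server-side matching rule the post mentions (OID 1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN) and once with a client-side recursion for consumers whose filters cannot be changed, then showing which users an application that reads only the direct "member" attribute would miss. The group DN is a constructed placeholder; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the feedback post. The group DN is constructed.
Import-Module ActiveDirectory

$GroupDN = 'CN=App-Users,OU=Groups,DC=example,DC=com'   # constructed placeholder

# 1) Server-side transitive expansion: the matching rule OID
#    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk
#    memberOf recursively, so the client receives the flat user list directly.
function Get-FlatMembersViaChain {
    param([Parameter(Mandatory)][string]$GroupDN)
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)" |
        Select-Object -ExpandProperty DistinguishedName
}

# 2) Client-side recursion for cases where the LDAP filter cannot be changed:
#    follow "member" through nested groups, tracking visited groups so a
#    circular nesting does not loop forever.
function Get-FlatMembersRecursive {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($GroupDN)) { return }   # already expanded this group
    foreach ($m in (Get-ADGroup $GroupDN -Properties member).member) {
        $obj = Get-ADObject $m -Properties objectClass
        switch ($obj.objectClass) {
            'group' { Get-FlatMembersRecursive -GroupDN $m -Seen $Seen }
            'user'  { $m }     # computers, contacts, FSPs are skipped, as Get-ADUser would
        }
    }
}

# What a "dumb" consumer sees versus the real effective membership.
$direct = (Get-ADGroup $GroupDN -Properties member).member
$flat   = Get-FlatMembersViaChain -GroupDN $GroupDN
$hidden = $flat | Where-Object { $_ -notin $direct }

"Direct 'member' entries : $($direct.Count)"
"Flattened user members  : $($flat.Count)"
"Users a flat-list-only app would miss: $($hidden.Count)"
$hidden
```

Both functions should return the same set of user DNs; a difference between them points at a group the chain rule could not resolve (for example a member in a forest the DC cannot expand).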
  8. Saml <Subject> from AuthnRequest

    Allow RPs to specify a SAML <Subject>. When the RP knows the user, ADFS could then pre-populate the username field on the login page.

    2 votes
    1 comment  ·  ADFS
  9. Add AD Users & Computers user property sheet tab for attributes synced to Azure AD, like proxyAddresses

    When AD users are synced to Azure AD, some attributes like proxyAddresses currently require an on-premises Exchange Server for a friendly management GUI.

    It would be nice to have a tab so we can manage Office 365 email & SIP aliases within AD Users and Computers, instead of using Exchange Server, ADSIEdit, PowerShell, or other utilities.

    1 vote
    0 comments  ·  Management Tools
  10. Role Based Administration ADAC

    Nothing has changed about how you manage computers, groups and users in Active Directory since Server 2000. After 17 years ADUC/ADAC feels obsolete. It would be awesome if you could add Role Based Administration, something similar to Just Enough Administration and AD delegation.

    12 votes
    1 comment  ·  Management Tools
  11. Allow to run LoL in different forest

    I met a customer today, who is managing multiple forests from one admin machine. Currently, LoL does automatic discovery of DCs, NCs in the forest of the "tools" machine only. We need to be able to supply a target forest and credentials however. Is this something you could implement? TIA.

    1 vote
    0 comments  ·  Lingering Object Liquidator
  12. RSAT Tool is not replicating permission properly

    RSAT Tool is not replicating permission properly

    I had a user who said he could not access an OU in ADUC and I said well, you should, because you have permission to do so. In RSAT it was showing NTFS permissions that he had full rights. When in fact I went to the DC and he did not have delete permissions.

    So an improvement to the RSAT Tool to match ADUC would be great.

    Thanks,

    Jeff

    6 votes
    0 comments  ·  Management Tools
  13. Implement replfix features into Lingering Object Liquidator

    Replfix is currently the only tool that will allow you to compare a DC with a writeable copy of the partition against a GC with a read-only copy of the partition.

    2 votes
    0 comments  ·  Lingering Object Liquidator
  14. More granular account expiration and new account activation option

    The standard expiry date for an account only allows you to specify a date; the account is expired at the end of that date. How about adding in a time field as well, so that an account can be set to expire at 5pm on *** date. This can already be done via PowerShell ("Set-ADUser username -AccountExpirationDate '12/25/2012 5:00:00 PM'"), but it would be great to have it as a GUI option.

    The use case is that most companies offboard staff at COB on a given date and want to restrict access at that specific time, rather than…

    3 votes
    0 comments  ·  Logon, Passwords
  15. Administrative Templates language pack wrong region tag

    The Finnish language pack folder name has changed in the 'Administrative Templates (.admx) for Windows 10 (1703) Creators Update' package.
    Earlier the language files folder name was fi-FI (the normal Finnish region tag in Windows systems); now it is fi-FL (I can't find a region tag for that). Maybe a typo; please check and correct the tag in the next release (1709). Reported this also directly to PG.

    2 votes
    0 comments  ·  Bug
  16. Join the Physical and Logical Layers

    Add the BIOS UUID as a property on AD computer objects. This will finally tie the Physical and Logical layers together once and for all.

    3 votes
    0 comments  ·  Domain join
  17. Get-ADPrincipalGroupMembership error when the ADUser is a member of a group whose name contains the word 'deny'

    Getting the below error if you run Get-ADPrincipalGroupMembership against a user that is a member of a group that contains the word "deny" in the group name:

    Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from
    the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
    At line:1 char:1
    + Get-ADPrincipalGroupMembership -Identity…

    1 vote
    0 comments  ·  Management Tools
  18. Get-AdComputer properties for OperatingSystemVersion cannot be filtered properly because Windows 10 computers filter as -lt 2

    The value for the OperatingSystemVersion of Get-ADComputer cannot be properly referenced for Windows 10 computers. The value shows as less than 2 and not more than 6.3. This command will list only Windows 10 computers: "Get-ADComputer -Filter {OperatingSystemVersion -lt "2"} -Properties * | ft dNSHostName,OperatingSystemVersion,OperatingSystem", when it should be something more like "Get-ADComputer -Filter {OperatingSystemVersion -ge "6.3"} -Properties * | ft dNSHostName,OperatingSystemVersion,OperatingSystem".

    1 vote
    0 comments  ·  Management Tools
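An added example (not from the feedback post) explaining the behaviour above and showing two correct ways to select computers by OS version. operatingSystemVersion is a string such as "10.0 (17763)" or "6.3 (9600)", so the -Filter comparison is lexical: "1" sorts before "2", which is why only Windows 10 hosts match "-lt 2". ConvertTo-OSVersion is a hypothetical helper; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example, not from the feedback post. ConvertTo-OSVersion is a
# hypothetical helper that turns the AD string into a comparable [version].
Import-Module ActiveDirectory

# Parse "10.0 (17763)" into [version]10.0.17763 so comparisons are numeric,
# not lexical. Returns $null for values that do not look like a version.
function ConvertTo-OSVersion {
    param([Parameter(Mandatory)][string]$OperatingSystemVersion)
    $m = [regex]::Match($OperatingSystemVersion, '^(\d+)\.(\d+)(?:\s*\((\d+)\))?')
    if (-not $m.Success) { return $null }
    $build = if ($m.Groups[3].Success) { [int]$m.Groups[3].Value } else { 0 }
    [version]::new([int]$m.Groups[1].Value, [int]$m.Groups[2].Value, $build)
}

# Option A: a server-side filter that is safe because it matches a prefix
# instead of ordering strings. Windows 10 and Server 2016+ share "10.0".
$win10 = Get-ADComputer -Filter "OperatingSystemVersion -like '10.0*'" `
    -Properties OperatingSystem, OperatingSystemVersion

# Option B: fetch the attribute and compare client-side as a real [version].
# This is the "-ge 6.3" the post wanted, and it also lets you enforce a
# minimum build rather than only a major.minor.
$minimum = [version]'6.3'
$modern = Get-ADComputer -Filter 'OperatingSystemVersion -like "*"' `
    -Properties OperatingSystem, OperatingSystemVersion |
    Where-Object {
        $v = ConvertTo-OSVersion $_.OperatingSystemVersion
        $v -and $v -ge $minimum
    }

# Sort numerically as well; sorting the raw string would put 10.x before 6.x.
$modern |
    Sort-Object { ConvertTo-OSVersion $_.OperatingSystemVersion } |
    Format-Table DNSHostName, OperatingSystem, OperatingSystemVersion,
        @{ n = 'Parsed'; e = { ConvertTo-OSVersion $_.OperatingSystemVersion } }
```

Computers whose operatingSystemVersion is empty or malformed are dropped by Option B; list them separately with `-Filter '-not (OperatingSystemVersion -like "*")'` if that inventory gap matters.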
  19. Get-ADGroupMember and RODC

    Hi!

    I have a strange behaviour with Get-ADGroupMember on an RODC while in a PSSession: I have to specify the server on which to make the query (in the example, Toto is a domain admin):

    PS C:\Users\Toto>Enter-PSSession RemoteRODC
    Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.

    + CategoryInfo          : ResourceUnavailable: (ASimpleGroup:ADGroup) [Get-ADGroupMember], ADServerDownException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    I get the same behavior when invoking command:
    PS C:\Users\Toto>Invoke-Command -ComputerName RemoteRODC -ScriptBlock {Get-ADGroupMember ASimpleGroup}
    Unable to contact the server. This may be because…

    1 vote
    0 comments  ·  Management Tools
  20. output Subject Alternative Name extension using certutil -view

    I would like to be able to output the SAN in a certificate with the command CertUtil.

    The cmdlet Get-Certificate seems to do the job, but only for the local store.

    thanks

    4 votes
    0 comments  ·  Management Tools