Active Directory

  1. Dynamic Security Groups

    Managing group memberships has always been a pain, and given the manual nature of managing security groups we tend to just leave them alone and let them multiply like rabbits. It would be awesome if Active Directory would finally, after all these years, introduce the concept of Security Groups that have dynamic membership based on, well, any other AD attribute and support logic similar to the new ADFS Access Control rules.

    6 votes
    1 comment
  2. Automatic DNS Record Priority via Inter-Site Transport Cost

    Non-Windows Kerberos clients authenticating against AD typically find an AS by querying DNS, e.g. for a SRV record at "_kerberos._tcp.myrealm." Unfortunately, the default query reply does not do a good job of prioritizing the results. In a default configuration, the DNS priority for the results will all be the same. Although there are some workarounds (netmask ordering), these may not be appropriate for all scenarios -- as when the client subnets are in a random order.

    I propose that Windows DNS have an option to return results with a calculated priority based on the inter-site transport cost between…

    4 votes
    0 comments
  3. Allow group managed service Accounts (gMSA) to have a dummy password

    It's 2017 and there's still server software (even Microsoft's own, like TFS) which is not able to handle gMSAs, because the password field is mandatory.
    Since that software probably uses Windows functions to sign in as such a user, it would be nice to have a mechanism which allowed us to just use a dummy password for such an account, like "groupManaged" or "-" or whatever else.

    So perhaps it is possible that Windows Server introduces a mechanism allowing you to type a password in the mandatory password fields which signals the same as an empty password for gMSAs.

    1 vote
    1 comment  ·  Logon, Passwords
  4. WhatIf switch does not work on cmdlet Install-AdcsCertificationAuthority

    The WhatIf switch is not working when installing an ADCS with the cmdlet Install-AdcsCertificationAuthority. The cmdlet is executed in full.
    I blogged about it here:
    https://mssec.wordpress.com/2016/02/18/installing-ca-via-powershell-whatif-not-working/
    Jeffrey Snover himself asked me on Twitter to submit a bug report on this, see here:
    https://twitter.com/jsnover/status/827524167465525249

    2 votes
    0 comments  ·  Management Tools
  5. Get-ADObject LDAP Extended Controls parameter

    I would like the option to use LDAP Extended Controls with the Get-ADObject cmdlet.

    As of Server 2016 you can use Get-ADGroup with -ShowMemberTimeToLive to see the TTL for expiring links or Get-ADObject with -IncludeDeletedObjects to include deleted objects.

    However, you can't use Get-ADGroup for Shadow Principals (used for Privileged Access Management), and Get-ADObject doesn't have the ShowMemberTimeToLive parameter.

    So I suggest adding an ExtendedControls parameter to the Get-ADObject cmdlet, so you can pass the LDAP Extended Control OID you need to it.

    At the very least add "ShowMemberTimeToLive" to Get-ADObject.

    LDAP Extended Controls:
    https://msdn.microsoft.com/en-us/library/cc223320.aspx

    4 votes
    0 comments  ·  Management Tools
  6. New-ADuser fails when the path contains brackets.

    If you have an OU named '1) Accounts', so the whole path is something like:
    OU=1) Accounts,OU=sitename,DC=companyname,DC=com
    New-ADUser -Path will fail.
    A workaround is to create the user and then move them later using something like:
    Get-ADUser -Identity newuser | Move-ADObject -TargetPath "OU=1) Accounts,OU=sitename,DC=companyname,DC=com"

    1 vote
    0 comments  ·  Management Tools
  7. Show DisplayName and Description in the Members tab on a group in ADUC

    When viewing a group membership in ADUC, it would be extremely helpful to show additional columns like DisplayName and Description directly, instead of having to open up each CN, when our usernames/CNs are not friendly because they come from an enterprise provisioning system. The ability to directly see an account type and name of user would allow us to remove people immediately without recursion.

    1 vote
    0 comments  ·  Management Tools
  8. Additional Information on what features require Windows Server 2016 Functional Level or Schema 87. Not currently documented.

    Documentation is missing on what features require the Windows Server 2016 Functional Level and/or Schema Version 87.

    - I found one mention in an Ignite presentation that said Windows Hello for Business requires Windows Server 2016 Functional Level.
    - Conflicting old info on non-MS sites indicates the Bastion forest needs to be Server 2016, but TechNet says 2012 R2 is okay.

    This link for 2016 Functional Level provides insufficient information.
    https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/windows-server-2016-functional-levels

    5 votes
    0 comments
  9. join domain

    Add the setting of ACL for domain join to "New-ADComputer" cmdlet.

    In MMC it is possible to create a computer AD account and set "The following user or group can join this computer to a domain".

    It would be nice to have this in New-ADComputer.

    4 votes
    1 comment  ·  ADFS
  10. get-aduser error on date attribute

    The Get-ADUser command fails when attempting to retrieve an attribute that contains a date value in the year 2000, with the following error message:

    Get-ADUser : Year, Month, and Day parameters describe and un-representable DateTime.

    Example:

    Get-ADUser -Identity <common-name> -Properties <SomeDateField>

    where the string <SomeDateField> represents an attribute that contains a human readable date, and not an offset value.

    1 vote
    0 comments  ·  Management Tools
  11. Get-ADPrincipalGroupMembership Raises Error if any Group Name has the "/" character

    The Get-ADPrincipalGroupMembership PowerShell cmdlet raises an error if any of the groups retrieved has the "/" character in the common name. The error message is "The server was unable to process the request due to an internal error", followed by instructions to get more details or turn on tracing.

    For example, if user "cn=Frank Madison,ou=Sales,ou=West,dc=MyDomain,dc=com" is a member of the group "cn=East/West,ou=Admin,dc=MyDomain,dc=com", then the following raises the error:

    Get-ADPrincipalGroupMembership -Identity "cn=Frank Madison,ou=Sales,ou=West,dc=MyDomain,dc=com"

    This issue is similar to the one reported here, where the "/" character is in the name of the user, not the group:
    https://windowsserver.uservoice.com/forums/301869-powershell/suggestions/11088447-get-adprincipalgroupmembership-error-with-in-p

    2 votes
    2 comments  ·  Management Tools
  12. Set-ADDefaultDomainPasswordPolicy

    The help for the Set-ADDefaultDomainPasswordPolicy cmdlet has incorrect or misleading information about several parameters:

    -ComplexityEnabled, -LockoutDuration, -LockoutObservationWindow, -LockoutThreshold, -MinPasswordLength, -PasswordHistoryCount, and -ReversibleEncryptionEnabled

    The help is linked here:
    https://technet.microsoft.com/en-us/library/ee617251.aspx

    The help either states that the cmdlet sets a property of a password policy, or states that the ldapDisplayName of the property begins with "msDS-". The help seems to be referring to attributes of a Password Settings Object (PSO). But this cmdlet only assigns values to attributes of a domain object, corresponding to the default domain password policy. Domain objects do not have attributes that begin with "msDS-".

    The -ComplexityEnabled parameter of…

    4 votes
    0 comments  ·  Management Tools

    Moving to Active Directory, since this is an AD cmdlet and not a PowerShell-owned cmdlet.

  13. Set-AdUser doesn't work when 'Instance' and 'WhatIf' are used at the same time

    When you use the Set-ADUser cmdlet with the -Instance parameter, it throws an error if you also use -WhatIf:

    [1] PS G:> $User = Get-ADUser -Identity joshuak

    [2] PS G:> $User.GivenName = 'Josh'

    [3] PS G:> Set-ADUser -Instance $User -WhatIf
    What if: Performing the operation "Set" on target "CN=Joshua King,OU=staff,OU=users,DC=example,DC=co,DC=nz".
    Set-ADUser : One of the following parameters is required 'Identity,Instance'.
    At line:1 char:1
    + Set-ADUser -Instance $User -WhatIf
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Set-ADUser], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.SetADUser

    6 votes
    3 comments  ·  Management Tools
  14. Some AD 2012 R2 commands do not produce any errors

    We migrated from AD 2008 R2 to AD 2012 R2, and after the migration I noticed that commands like Add-ADGroupMember/Remove-ADGroupMember don't return any (non-terminating or terminating) errors if the user is already in the group when you try to add it, or if the user is not in the group and you try to remove it. There is not even any information in the verbose feed about it; the command just executes normally:

    Add-ADGroupMember $group $user -ErrorAction Stop -Verbose
    Remove-ADGroupMember $group $user -ErrorAction Stop -Verbose

    Normally you get this terminating error if the user is already in the group:

    Add-ADGroupMember…

    2 votes
    1 comment  ·  Management Tools
  15. Remove reliance on RSAT

    Please remove the reliance of the AD cmdlets on RSAT. There are many times that scripts may be run from locations that do not or cannot have the RSAT tools installed just to get the AD cmdlets, including client machines that are not used for administrative purposes. Using ADSI and LDAP queries is not nearly as intuitive.

    Native PowerShell cmdlets would be much more helpful in these situations.

    5 votes
    1 comment  ·  Management Tools
  16. active directory

    It would be so nice if you could see the difference between an active account and an expired account in Active Directory Users and Computers.

    Currently only disabled accounts have an arrow in the icon, but there is no way to tell in the overview if an account is expired.

    2 votes
    0 comments  ·  Management Tools
  17. Bug - TP5 Device Auth breaks Firefox & iOS

    In Build 14300.rs1releasesvc.160415-2143, Device Authentication in ADFS breaks Firefox on Windows and Safari on iOS. This has always been an issue with Safari on OS X, as it has always been broken if Device Auth is enabled. This is a huge problem, though, if this latest problem makes it into RTM.

    If this is by design and iOS/Firefox/OS X aren't compatible, then please add an option to easily disable Device Authentication by platform.

    If a fix for this is already known or planned, then it would be greatly appreciated if this thread could be updated.

    Thank you,
    Aaron

    1 vote
    0 comments  ·  ADFS
  18. group use counter

    To make it easier to clear up stale Active Directory groups, it would be useful to be able to enable a counter to mark when group membership is queried.

    Currently the only option seems to be using Get-Acl to list what is used on each share, which is backwards for this requirement.

    2 votes
    0 comments  ·  Management Tools
  19. Test-Path for Groups

    I would like to be able to run Test-Path and see if a group exists or not. As AD uses a file structure format (PSDrive), it makes sense that a user would like to be able to use Test-Path to see if a user, group, OU, or computer account exists within AD.

    3 votes
    0 comments  ·  Management Tools
  20. ADObjects Stream Properties

    When I save AD objects in a variable and then list the contents of the variable in the shell, some additional synthetic properties get tacked onto the object. These properties have the type "ADPropertyValueCollection". Here are the repro steps:

    1. Save an AD object in a variable (this can be any object type):
      PS c:> $Matt = Get-ADUser -Identity Matt

    2. List the variable's value:
      PS c:> $Matt
      DistinguishedName : CN=Matt,OU=Matt,DC=contoso,DC=com
      Enabled : True
      GivenName : Matt
      Name : Matt User
      ObjectClass : user
      ObjectGUID : 964ff8c5-7872-41ec-b46d-9008343e1811
      SamAccountName : muser
      SID : S-1-5-21-1606980848-362288127-725345543-43472
      Surname : User
      UserPrincipalName : matt@contoso.com

    3. List the…

    2 votes
    1 comment  ·  Management Tools