Ok this is what I collected from the notes. Everyone relatively happy? Read
through the whole list because there are some that I think are in the
product already and responded (or someone responded) separately and things
that I tweaked a little and then some I added to and then some that I added
entirely while building this list.
Thanks, joe
o Different icons to flag accounts that are not currently live for various
reasons such as locked out, expired acc, expired pwd, etc. Just like we have
for disabled accounts. Possibly this could be column based info so it could
be sorted?
o Easier to extend ADUC to add properties/capabilities such that it doesn't
require extensive or maybe any programming capability. Drag and Drop RAD
type design.
o GUI tool to select attributes to add to dialogs/searches/etc (i.e. for
dialog display specifier modification).
o Choose columns that are displayed in group members view such as
displayname, employeeID, etc (Joe Addon: This sounds like ASQ)
o Add context menu option out of the box to
1. Unlock user (user context)
2. Unlock all users (domain, container, or OU context menu)
o An expert mode where labels for attributes, etc. are the actual LDAP Display
Name and not the friendly names someone else decided to use. Sort of like a
cross between ADUC and ADSIEDIT or the E55 ADMIN tool in RAW Mode.
o Allow ADUC to handle larger numbers of objects in a container without
running like a snail. (Maybe we need generic VLV in AD?)
o I'd like to be able to multi-select a bunch of objects and have a UI to
change all the common attributes that are modifiable.
o I'd like an interface that will allow me to query for where a particular
security principal is referred to in an explicit ACE on an ACL.
What I mean is, say I have a group. I want to know at which points in the AD
that group is referred to in an ACL. I want to know what object it was
applied to and what rights were allowed or denied. I don't want to see any
of the inherited stuff, just the places where I may want to modify or remove
it. What would be really nice would be to get a list of all the places where
user accounts were added explicitly to ACLs so I can get rid of them all.
o I'd like an extension of the Advanced Security dialog that allowed me to
specify a security principal, highlight a right and click a button to find
out how/why that principal has that right.
o I'd like an easy way to search by managedBy that didn't require full DNs.
I'd like to be able to specify the canonical name and have it figure out the
DN for me. That's because canonical name is copy-able from the UI.
o Use the disabled account icon for disabled accounts that show up in the
find object dialog results pane.
o When I copy an account I would like to be prompted to update the info on
the profile tab if any exists.
o I would like to be able to set up template accounts that don't resolve
variables until the accounts are created.
o The acctinfo.dll to be standard and have a next DC button to query user
properties on the next DC, effectively enabling a DC scroll-through.
I would also like to see the additional information exposed by installing
acctinfo.dll be made standard (built-in) rather than by having to install an
additional dll and the information it exposes be viewable on the user object
when that user is found via a search.
o Maybe the ability to change the security context for certain operations
within a session? Like a task-specific "run-as". I haven't thought this all
the way through in terms of security implications, but usually when I fire
up ADUC it's with a non-privileged account, and then I have to go back with
a different account or different tool in a privileged context if I need to
make a change. (several folks liked this one too)
o I'd like the ability to customize the display pane differently for each
node in the tree. For example, specifying different widths for the same
column in different nodes and choosing different sets of columns to display
for different nodes in the tree. For instance if I had an OU of users and
one of computers, I might like to display Name and Office for the user OU
and Name and OS for the computers OU. Granted OS isn't even an option to
choose, which is addressed below.
o I'd also like more options to choose columns from, ideally any attribute
of an object. Probably would work best by having a slightly expanded list
than what's there now, by default, but also having an advanced button to
access the rest.
o The next is best described with an example. When changing the Managed By
attribute of a group, I click change and "Select User, Contact, or Group"
search box comes up. In order to search for a group, I have to click
"Object Types" and check the box next to groups. Ignoring the fact that
this is slightly inconsistent with the title of the search box, I would like
the option to change whether that's selected by default.
o Finally, it's probably more an issue with the MMC than ADUC, but my view
pane often changes to large icon mode instead of detail. It seems to happen
when I return from a different snap-in.
o Add employeeid to one of the property sheets
o When you search for objects, you should be able to right-click the object
and select an option to take you to the object in the hierarchy. (like
Explorer Open Containing Window Maybe?)
o If I'm in a hurry and use the ADUC to find an object, I select the domain,
select the find option, conduct my search, find the object then go look for
the object tab to see where it is.... NO... the object field is only
available in the advanced features. So kill everything, click advanced
features, go through the steps again...
The location of an object is important! Let's put it everywhere and not try
to hide it!
o I would like ADUC to maintain a log of command-line equivalents for all
its operations, so I can learn how to script it better. (Several folks like
that)
o How about when viewing Groups as containers, in the resulting window after
clicking on it, it shows the group members.
o option to view the domains in a real tree-like fashion (not needing to
switch between various ADUC instances when handling multi-domain
environments)
o option in the UI to disable the filter for "groups that are remote to the
user", so that universal group memberships are displayed from any domain in
the forest when connected to a GC (basically the way that it worked in
Win2k; naturally I'd also want the local group memberships from the other
domains, but I won't ask for too much at once...)
o easy way to disable drag & drop without the need to set a flag in the
config-container. And disable drag & drop by default. (another request said
same thing but asked for GPO setting)
o an "Advanced Tab" in the New Users dialog-box that allows to enter all or
at least an extended list of attributes (incl. group-memberships)
o ability to select specific (or all) users from a search and right-click =>
"add to group" context option
o replace the Delegation Wizard with something useful. How about something
that understands the "roles" that it sets and can actually display them when
viewing the security on objects.
o normalize the way that objects are displayed and handled in search results
with how they are handled when browsing to the object (e.g. same property
pages, same context functions)
o ability to copy group-memberships and "paste" them to another group - same
for "memberOf" links from one User/Computer/Group object to another.
o I hate how ADUC refreshes the view and gets you back to the root of the
domain just because I've added a different column to the view or have
selected the Advanced View option. That is sooooooo annoying. I'd like it
just to refresh the view I'm currently on, or if it must basically re-read
the tree-structure (and close all of those nodes that I've opened until
then), at least bring me back to where I was...
o Undo/Redo
o option to enable the ability to consistently remember the last domain
controller I connected to, and reconnect to it when I start it back up.
o I want an Undelete button that says "Hey, if you click me, I will let you
undelete anything that you accidentally deleted within the last 60 days and
you don't have to do an Authoritative Restore or a Non-Authoritative Restore
or a Tombstone Re-animation or a Guido-ism or a joeware tool or anything.
Click it and go home and watch College Basketball like you were planning and
relax. I'll take care of it."
o Move to MMC2.0
o Ability to add custom attributes to the list view easily, different per
client and so on.
o Ability to modify attributes in the list view, such as Exchange. Keep this
possibility off by default, but enable admins to individually switch it on
per client. For more changes it would be so cool just to change the
phone-numbers or anything else in the list view. Click it, F2-Change it,
then press Arrow-Down to move to the same property of the next user (Or
Enter / Arrow-right for the next attribute of the same user). (Joe addon: I
could also visualize a CTRL-D option like there is in Excel which will copy
a value down through all of the highlighted cells...)
o I haven't seen huge implementations where the waiting period for returning
queries is really long... but if there was a cancel button that would return
you to the interface rather than make you wait until it returns the 9000
members of the container you just clicked by accident, that might be nice...
o Ability to bulk set passwords, I have 6 generic limited access accounts
for users that forget their smartcards, but the passwords are generated on a
daily basis, and I just hate setting it on all 6, I suppose a simple script
would do this, but I would love to see integrated so that I do not have to
modify the schema display specifiers.
o Easily add fields to the ADUC property pages, I believe this was mentioned
in being MMC2.
o This may be more of an Exchange management add-in, but it sure would be
nice to be able to go into Exchange Tasks from ADUC and do an export of a
mailbox. Or is there some ExMerge plug-in to do this?
---
And some that I just came up with while sitting here.
o Sizeable dialogs. You have a 21" monitor in 1600x1200 and you have tiny
popup dialog for security or something else that has scroll bars and it is
only taking a tiny square of space, should be able to enlarge it.
o An expand/collapse property set properties granted in Advanced ACL mod
dialog. What exactly is being delegated if I select Property Set X? There is
a plus next to the property sets and when you click it a new set of rows
slightly offset pops up or maybe a separate dialog pops up listing the
properties (bonus, indicate which props are already delegated to the
principal (directly and inherited, not through anything else say like group
memberships, etc)).
o Minimum ACE Wizard. You check what attributes and what access and it scans
the property sets and determines the minimum number of ACEs to accomplish
the goal. Say you list 20 attribs and it pops out use this prop set and that
prop set and these three attribs and asks if it should be applied.
Alternatively, just allow an attribute to be in multiple property sets and
allow someone with the permissions to create the property sets on the fly
from ADUC. (wink wink call it role based security...).
o Somehow indicate the confidential attributes in the security editor so it
is very clear and make it so you can modify the CA/RP for attribute easily
in it.
o Maybe a super advanced ACL editor that shows you the real ordering of the
ACLs, not something sorted by some attribute of the ACEs.
o In ACL editor where it tells you where an ACE was inherited from, allow me
to right click and go to security dialog for that container and maybe even
highlight that specific ACE. Yeah this is a lazy one. Just thinking about
the chaining that goes on with users and groups when you are poking around
in the dialog screens. :)
o Domain level (and maybe forest) option (in directory) to specify a
specific owner for every object created in ADUC instead of setting the user
who created the object as the owner. I would actually like this globally for
all create mechanisms but probably easier to get into the GUI tools first.
Plus other mechanisms built inhouse can be programmed to do it that way.
o Build out saved queries to handle things like dates etc so you can EASILY
have fixed queries for locked, expired pwd, expired account, old computers,
old users, users created in last 24 hours, computers created in last 24
hours, groups created in last 24 hours, (insert whatever)'s updated/deleted
in last 24 hours, (Insert whatever)'s that haven't been updated in 6/9/12/18
months.
o Have lost and found change to RED BOLD font when it has something in it.
Maybe make it blink too. :)
o Copy and paste OU structures. Haven't thought this one out entirely; what
SD do you lay down? Possibly have template OU structures with groups in them
that are named based on the OUs themselves? And security is applied after
the OUs are created and groups are created with their official OU-type name
and then the ACLs defined for the structure are laid down.
o And the final for the night, right click on some structure and select
export. You then get a dialog asking what the export is for, what objects,
maybe what attributes, ready picks for simple backup of all attributes that
could be reimported or export for duplicating in another test type domain.
Output is an LDIF file (with proper values to be changed in some VAR format for
easy replace; basically I am talking about the domain portion of DNs) that can
be imported into ADUC in another domain or just applied as an LDIF file.
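The explicit-ACE search and the "how does this principal have this right" dialog asked for above, as an added example that is not part of the thread or of ADUC: it works from SDDL strings (what the ACL editor and a security descriptor's SDDL form give you), keeps ACEs in stored order, and treats an ACE as explicit only when it lacks the ID (inherited) flag. The DNs, SIDs and descriptors are constructed; object GUIDs in OA/OD ACEs are carried through but not interpreted, so a per-attribute grant counts as a hit for the whole right.

```python
"""Where is a principal named in an explicit ACE, and how does it end up with a
right on one object? Works from SDDL strings; added example, not from the
thread. DNs, SIDs and descriptors are constructed."""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
INHERITED = "ID"                                       # ACE flag: copied from a parent

def split_sddl(sddl):
    """'O:..G:..D:..S:..' -> {'O': ..., 'G': ..., 'D': ..., 'S': ...}."""
    return {p[0]: p[2:] for p in re.split(r"(?=[OGDS]:)", sddl) if p}

def tokens(field):
    """'CIID' -> {'CI','ID'}, 'RPWP' -> {'RP','WP'}; a raw 0x mask stays one token."""
    return {field} if field.startswith("0x") else {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """DACL ACEs in stored order, which is also evaluation order.
    Fields: type;flags;rights;object_guid;inherit_object_guid;trustee."""
    aces = []
    for raw in ACE_RE.findall(split_sddl(sddl).get("D", "")):
        parts = raw.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({raw})")
        ace_type, flags, rights, obj, inh_obj, trustee = parts
        aces.append({"type": ace_type, "flags": tokens(flags), "rights": rights,
                     "object": obj, "inherit_object": inh_obj, "trustee": trustee})
    return aces

def find_explicit_aces(acls, trustee):
    """(dn, type, rights, object_guid) for every ACE written directly on an
    object for `trustee`; inherited copies carry ID and are skipped."""
    return [(dn, a["type"], a["rights"], a["object"])
            for dn, sddl in acls.items() for a in parse_dacl(sddl)
            if a["trustee"] == trustee and INHERITED not in a["flags"]]

def explicit_user_trustees(acls, user_sids):
    """Objects whose DACL names an individual user account directly."""
    return sorted({(dn, a["trustee"]) for dn, sddl in acls.items() for a in parse_dacl(sddl)
                   if a["trustee"] in user_sids and INHERITED not in a["flags"]})

def explain_right(acls, dn, sid, member_of, right):
    """Every ACE on `dn` that allows or denies `right` to `sid`, directly or via
    a group in member_of[sid] (pass the transitive closure). Order is kept: an
    earlier Deny wins over a later Allow."""
    identities = {sid, *member_of.get(sid, ())}
    return [{"type": a["type"], "rights": a["rights"], "via": a["trustee"],
             "inherited": INHERITED in a["flags"]}
            for a in parse_dacl(acls[dn])
            if a["trustee"] in identities and tokens(a["rights"]) & {right, "GA"}]

# constructed SIDs and DNs
HR_SID = "S-1-5-21-1000-2000-3000-1105"
BOB_SID = "S-1-5-21-1000-2000-3000-1212"
STAFF_OU = "OU=Staff,DC=example,DC=com"
SALES_OU = "OU=Sales,OU=Staff,DC=example,DC=com"
ALICE_DN = "CN=Alice,OU=Sales,OU=Staff,DC=example,DC=com"
SAMPLE_ACLS = {
    STAFF_OU: f"O:DAG:DAD:AI(A;CI;RPWP;;;{HR_SID})(A;CI;RPWP;;;{BOB_SID})(A;CIID;RP;;;AU)",
    SALES_OU: f"O:DAG:DAD:AI(D;;WP;;;{BOB_SID})(A;CIID;RPWP;;;{HR_SID})"
              f"(A;CIID;RPWP;;;{BOB_SID})(A;CIID;RP;;;AU)",
    ALICE_DN: f"O:DAG:DAD:AI(A;;WP;;;{BOB_SID})(A;ID;RPWP;;;{HR_SID})"
              f"(A;ID;RPWP;;;{BOB_SID})(A;ID;RP;;;AU)",
}

if __name__ == "__main__":
    for hit in find_explicit_aces(SAMPLE_ACLS, BOB_SID):
        print("explicit:", hit)
    for ace in explain_right(SAMPLE_ACLS, SALES_OU, BOB_SID, {BOB_SID: {HR_SID}}, "WP"):
        print("WP on Sales:", ace)
```

Run against Sales, the output shows the thing the dialog would need to make obvious: Bob's explicit Deny on WP comes first and beats both the Allow he inherits directly and the one he inherits through the HR group.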
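The Minimum ACE Wizard above, as an added example (not code from the thread or from ADUC). In AD each attribute names at most one property set through its single-valued attributeSecurityGUID, so property sets are disjoint and the choice is simple: use every set that lies entirely inside the requested attributes, grant the rest one attribute per ACE, and only report the sets that would over-grant. The schema fragment, memberships and GUIDs below are constructed placeholders; read the real ones from the schema and from CN=Extended-Rights.

```python
"""Pick the fewest ACEs that grant exactly the attributes a delegation needs,
using property sets. Added example, not from the thread; the schema fragment
and GUIDs are constructed placeholders."""

def property_sets_from_schema(attributes, control_access_rights):
    """attributes: {lDAPDisplayName: {'schemaIDGUID': ..., 'attributeSecurityGUID': ... or None}}
    control_access_rights: {displayName: rightsGuid} from CN=Extended-Rights.
    attributeSecurityGUID is single-valued, so the resulting sets are disjoint."""
    by_guid = {guid.lower(): name for name, guid in control_access_rights.items()}
    sets = {name: set() for name in control_access_rights}
    for attr, rec in attributes.items():
        guid = (rec.get("attributeSecurityGUID") or "").lower()
        if guid in by_guid:
            sets[by_guid[guid]].add(attr)
    return sets

def plan_aces(requested, property_sets):
    """Use every property set that lies entirely inside the request (one ACE
    each), grant what is left attribute by attribute, and only report sets that
    would also grant attributes outside the request."""
    requested, remaining = set(requested), set(requested)
    chosen, over_grant = [], {}
    for name, members in property_sets.items():
        if not members & requested:
            continue
        if members <= requested:
            chosen.append(name)
            remaining -= members
        else:
            over_grant[name] = sorted(members - requested)
    return {"property_sets": sorted(chosen), "attributes": sorted(remaining),
            "ace_count": len(chosen) + len(remaining), "over_grant_options": over_grant}

def to_sddl_aces(plan, trustee_sid, attributes, control_access_rights, rights="RPWP"):
    """Object ACEs (type OA) for the plan; the object GUID is the property set's
    rightsGuid or the attribute's schemaIDGUID."""
    return ([f"(OA;;{rights};{control_access_rights[n]};;{trustee_sid})" for n in plan["property_sets"]]
            + [f"(OA;;{rights};{attributes[a]['schemaIDGUID']};;{trustee_sid})" for a in plan["attributes"]])

# constructed schema fragment: memberships and GUIDs are placeholders, not the real schema
PERSONAL = "00000000-0000-0000-0000-000000000001"
PUBLIC = "00000000-0000-0000-0000-000000000002"
CONTROL_ACCESS_RIGHTS = {"Personal Information": PERSONAL, "Public Information": PUBLIC}
_MEMBERSHIP = {"homePhone": PERSONAL, "mobile": PERSONAL, "pager": PERSONAL,
               "telephoneNumber": PERSONAL, "displayName": PUBLIC, "mail": PUBLIC,
               "givenName": PUBLIC, "sn": PUBLIC, "employeeID": None}
ATTRIBUTES = {name: {"schemaIDGUID": f"10000000-0000-0000-0000-{i:012d}", "attributeSecurityGUID": s}
              for i, (name, s) in enumerate(_MEMBERSHIP.items(), 1)}
HELPDESK_SID = "S-1-5-21-1000-2000-3000-1300"

def sample_plan():
    """Help desk may edit phone numbers, displayName, mail and employeeID."""
    wanted = ["telephoneNumber", "homePhone", "mobile", "pager", "displayName", "mail", "employeeID"]
    return plan_aces(wanted, property_sets_from_schema(ATTRIBUTES, CONTROL_ACCESS_RIGHTS))

if __name__ == "__main__":
    plan = sample_plan()
    print(plan)
    print("\n".join(to_sddl_aces(plan, HELPDESK_SID, ATTRIBUTES, CONTROL_ACCESS_RIGHTS)))
```

For the sample request the plan is one ACE for the (constructed) Personal Information set plus three single-attribute ACEs, and it flags Public Information as an option that would also hand out givenName and sn; that is exactly the decision the wizard should put in front of the admin instead of silently over-delegating.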
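The saved queries asked for above (locked, expired password, expired account, stale, created in the last 24 hours) as LDAP filters, in an added example that is not part of the thread or of ADUC. AD stores dates in two syntaxes, FILETIME integers (pwdLastSet, lockoutTime, accountExpires, lastLogonTimestamp) and generalized-time strings (whenCreated), so the filters have to be generated from the current time rather than saved as fixed text, which is what makes the request non-trivial. The policy values (maxPwdAge, lockout duration, staleness window) and the sample objects are assumptions; a small evaluator for the filter subset used lets the filters be checked offline against them.

```python
"""LDAP filters for the saved queries asked for above, checked offline against
constructed objects. Added example; policy values and sample records are assumptions."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH_DIFF = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01
BIT_AND = "1.2.840.113556.1.4.803"        # LDAP_MATCHING_RULE_BIT_AND
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER = 0x7FFFFFFFFFFFFFFF                 # accountExpires 'never' (0 means the same)
SAMPLE_NOW = datetime(2006, 1, 20, 13, 0, tzinfo=timezone.utc)  # constructed

def to_filetime(dt):  # UTC datetime -> FILETIME (pwdLastSet, lockoutTime, ...), whole seconds
    return int(dt.timestamp()) * 10_000_000 + FILETIME_EPOCH_DIFF

def to_generalized_time(dt):  # UTC datetime -> the syntax whenCreated/whenChanged use
    return dt.strftime("%Y%m%d%H%M%S.0Z")

def saved_query_filters(now, max_pwd_age=timedelta(days=42),
                        lockout_duration=timedelta(minutes=30),
                        stale_after=timedelta(days=180)):
    """max_pwd_age and lockout_duration are assumed policy values (read the real
    ones from the domain head); lastLogonTimestamp only updates about every 14
    days, so stale_after must be far larger than that."""
    user = "(objectCategory=person)(objectClass=user)"
    ft, gt = to_filetime, to_generalized_time
    return {
        # lockoutTime is not cleared when a lockout expires, so use a window
        "locked": f"(&{user}(lockoutTime>={ft(now - lockout_duration)}))",
        "expired_account": f"(&{user}(accountExpires>=1)(accountExpires<={ft(now)}))",
        "expired_password": f"(&{user}(pwdLastSet<={ft(now - max_pwd_age)})"
                            f"(!(userAccountControl:{BIT_AND}:={UF_DONT_EXPIRE_PASSWD})))",
        "created_24h": f"(&{user}(whenCreated>={gt(now - timedelta(days=1))}))",
        # an object that never logged on has no lastLogonTimestamp at all
        "stale": f"(&{user}(whenCreated<={gt(now - stale_after)})"
                 f"(|(lastLogonTimestamp<={ft(now - stale_after)})(!(lastLogonTimestamp=*))))",
    }

def _parse(s, i):
    i += 1                                             # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    j = s.index(")", i)
    op = next(o for o in (">=", "<=", "=") if o in s[i:j])
    attr, value = s[i:j].split(op, 1)
    attr, rule, _ = attr.split(":") if ":" in attr else (attr, None, "")  # attr:ruleOID:=value
    return ("cmp", attr, rule, op, value), j + 1

def parse_filter(s):
    """Recursive-descent parser for the RFC 4515 subset used above."""
    return _parse(s, 0)[0]

def matches(node, obj):
    """Evaluate a parsed filter against {attribute: value or list of values}
    (attribute names are matched case-sensitively here, unlike on a real DC)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, obj) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], obj)
    _, attr, rule, op, value = node
    if attr not in obj:
        return False                                   # absent attribute never matches
    if op == "=" and value == "*":
        return True                                    # presence test
    for v in (obj[attr] if isinstance(obj[attr], list) else [obj[attr]]):
        if rule == BIT_AND:
            return int(v) & int(value) == int(value)
        a, b = (v, int(value)) if isinstance(v, int) else (str(v), value)
        if {"=": a == b, ">=": a >= b, "<=": a <= b}[op]:
            return True
    return False

def run_saved_queries(objects, now, **policy):
    """Map each saved query to the sorted cn values it selects."""
    return {name: sorted(o["cn"] for o in objects if matches(parse_filter(f), o))
            for name, f in saved_query_filters(now, **policy).items()}

def sample_objects(now):
    """Constructed users; objectCategory is simplified to its short name."""
    ft, gt = to_filetime, to_generalized_time
    def user(cn, **over):
        return {"cn": cn, "objectCategory": "person", "objectClass": ["top", "person", "user"],
                "userAccountControl": 0x200, "accountExpires": NEVER, "lockoutTime": 0,
                "whenCreated": gt(now - timedelta(days=400)), "pwdLastSet": ft(now - timedelta(days=10)),
                "lastLogonTimestamp": ft(now - timedelta(days=3)), **over}
    grace = {k: v for k, v in user("grace").items() if k != "lastLogonTimestamp"}  # never logged on
    return [user("alice", whenCreated=gt(now - timedelta(hours=2))),
            user("bob", lockoutTime=ft(now - timedelta(minutes=5))),
            user("carol", accountExpires=ft(now - timedelta(days=1))),
            user("dave", pwdLastSet=ft(now - timedelta(days=60))),
            user("erin", pwdLastSet=ft(now - timedelta(days=60)), userAccountControl=0x200 | UF_DONT_EXPIRE_PASSWD),
            user("frank", lastLogonTimestamp=ft(now - timedelta(days=200))), grace]
```

Two of the sample users exist only to show the traps: erin has an old password but the DONT_EXPIRE_PASSWD bit, so she must not appear as "expired", and grace has never logged on, so a plain lastLogonTimestamp<= comparison would miss her entirely; the filters are generated fresh from the clock and the policy values each time, which is why a fixed saved-query string cannot express them.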
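The export with the domain portion of DNs swapped for a variable, as an added example (not from the thread): it unfolds LDIF continuation lines, decodes base64 (::) values so DNs containing non-ASCII characters are rewritten too, drops system-owned attributes an import cannot set, and rewrites any value ending in the source domain DN, which covers dn:, member, managedBy and objectCategory alike. The LDIF is constructed. One caveat: objectCategory points at the forest root's schema container, so in a multi-domain forest that suffix differs from the domain's own and needs a second substitution.

```python
"""Export an OU subtree as LDIF with the domain part of every DN replaced by a
placeholder, and re-import it into another domain. Added example, not from
the thread; the LDIF below is constructed."""
import base64
import re

PLACEHOLDER = "${DOMAIN_DN}"
# system-owned attributes an import cannot set; drop them on export
SKIP_ATTRS = {"objectguid", "objectsid", "whencreated", "whenchanged", "usncreated",
              "usnchanged", "distinguishedname", "dscorepropagationdata"}
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")

def _logical_lines(ldif):
    """Undo LDIF folding: a line starting with one space continues the previous one."""
    return re.sub(r"\n ", "", ldif).split("\n")

def _parse(line):
    """-> (attr, separator, raw value) or None for comments, blanks and '-'."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def _decode(sep, raw):
    return base64.b64decode(raw).decode("utf-8") if sep == "::" else raw

def rewrite_ldif(ldif, old_suffix, new_suffix, drop_system_attrs=True):
    """Replace a trailing old_suffix (case-insensitive) with new_suffix in every
    value, base64 values included. Attributes in SKIP_ATTRS are dropped when
    drop_system_attrs is set (export), kept otherwise (import)."""
    suffix = re.compile(re.escape(old_suffix) + "$", re.IGNORECASE)
    out = []
    for line in _logical_lines(ldif):
        parsed = _parse(line)
        if parsed is None:
            out.append(line)
            continue
        attr, sep, raw = parsed
        if drop_system_attrs and attr.lower() in SKIP_ATTRS:
            continue                       # skipped before decoding: binary values stay untouched
        text = suffix.sub(lambda _: new_suffix, _decode(sep, raw))
        out.append(f"{attr}:: {base64.b64encode(text.encode()).decode()}" if sep == "::"
                   else f"{attr}: {text}")
    return "\n".join(out)

def values_of(ldif, attr):
    """Decoded values of one (text) attribute across the file, in file order."""
    return [_decode(sep, raw) for a, sep, raw in filter(None, map(_parse, _logical_lines(ldif)))
            if a.lower() == attr.lower()]

def export_for_domain(ldif, source_dn):
    return rewrite_ldif(ldif, source_dn, PLACEHOLDER)

def import_into_domain(ldif, target_dn):
    return rewrite_ldif(ldif, PLACEHOLDER, target_dn, drop_system_attrs=False)

# constructed LDIF: an OU and a group in it, with one folded line and one base64 DN
SAMPLE_LDIF = "\n".join([
    "dn: OU=Staff,DC=example,DC=com",
    "changetype: add",
    "objectClass: organizationalUnit",
    "objectGUID:: " + base64.b64encode(bytes(range(16))).decode(),
    "",
    "dn: CN=HR Admins,OU=Staff,DC=example,DC=com",
    "changetype: add",
    "objectClass: group",
    "description: Delegated HR administrators, managed by the",
    "  HR lead",                                        # continuation line
    "managedBy: CN=Bob,OU=Staff,DC=example,DC=com",
    "member: CN=Alice,OU=Staff,DC=example,DC=com",
    "member:: " + base64.b64encode("CN=Zoë Müller,OU=Staff,DC=example,DC=com".encode()).decode(),
    "objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com",
    "",
])

if __name__ == "__main__":
    exported = export_for_domain(SAMPLE_LDIF, "DC=example,DC=com")
    print(exported)
    print(import_into_domain(exported, "DC=lab,DC=local"))
```

The exported file is what a "duplicate this structure in the test domain" pick would write: every DN ends in ${DOMAIN_DN}, objectGUID is gone, and the base64 member value is re-encoded after rewriting so the DN with the non-ASCII name survives the round trip.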
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 1:21 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
LOL.
Ok, so has this thread finished up? If so, I will try to go through them and
summarize and then send off to the appropriate folks at MS.
Bueller...
Bueller..........
Bueller.....................
BTW, I just received a hard copy version of Active Directory Third Edition
from FedEx so it looks like the book is now being printed. Doesn't appear to
be on Amazon yet though it is on the O'Reilly site (and has been for a bit
actually).
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 9:13 AM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
> Note that the ones you don't submit will most likely not be
implemented...
Ah but that's not necessarily true - there are about 10 ideas I remembered
about right after they were posted, so I didn't have to post them myself :)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 6:06 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
> I have hundreds of more ideas, but not enough time to put them all
down.
Thanks for what you did submit. Note that the ones you don't submit will
most likely not be implemented. ;o)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc A.
Mapplebeck
Sent: Saturday, January 14, 2006 4:32 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
OK, Here goes:
1. Ability to bulk set passwords, I have 6 generic limited access accounts
for users that forget their smartcards, but the passwords are generated on a
daily basis, and I just hate setting it on all 6, I suppose a simple script
would do this, but I would love to see integrated so that I do not have to
modify the schema display specifiers.
2. Easily add fields to the ADUC property pages, I believe this was
mentioned in being MMC2.
3. Easily add items to the context menu without having to manually edit the
display specifier of the schema.
I have hundreds of more ideas, but not enough time to put them all down.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: January 12, 2006 11:22
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts
Well, ok, let's do this.
Everyone who has an idea for a change to ADUC post the ideas to this
thread. Don't be shy, you may have thought of something no one else would
think of that once seeing it would go this is very cool. Then when the
thread seems to die (or some point after that when I catch up :oP ) I will
summarize to make sure I understand and then post to LadyBug as improvements
that could be made. Also, you may or may not be shocked to hear that many of
the folks working on the stuff in Redmond actually watch this list on a
regular basis too so they may see it directly. I know the conversation we
had previously about suggested improvements to AD was watched pretty closely
and generated several DCRs without me even arguing with anyone.
So let's hear it. First item on the table is different icons flagging
accounts (and I am stating this generically) that are not currently live.
This includes disabled, locked, expired passwords, expired accounts? Would
this be better to add maybe as additional columns that you could tell the
GUI to sort on? Or are the icons best?
Note to Dean: This is D's bailiwick now isn't it? I think I recall us having
this conversation at BB.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts
I believe it would be helpful if different icons could be used for disabled
accounts, expired account, expired password, etc.
Mike Thommes
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts
Philosophical question really. How do you want the GUI to present things to
you. The developers or whomever wrote the spec for the developers didn't
feel it should. You also have to ask if accounts with locked passwords
should show up that way and define if you mean expired accounts or expired
passwords on accounts and whether or not you would differentiate them in
that marking.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: [email protected]
Subject: [ActiveDir] Expired Accounts
Shouldn't expired accounts show up with a red X just like a disabled
account?
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/