Hi joe,
    Sorry to add this late (and double sorry if it's already in this list and I missed it).  While adfind works wonders for me ( ;-) ), I've always wondered why ADUC advanced search functionality doesn't have the "contains" condition.  That would be an improvement.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 26, 2006 1:34 AM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Ok this is what I collected from the notes. Everyone relatively happy? Read through the whole list because there are some that I think are in the product already and responded (or someone responded) separately and things that I tweaked a little and then some I added to and then some that I added entirely while building this list.


   Thanks, joe


o Different icons to flag accounts that are not currently live for various reasons such as locked out, expired acc, expired pwd, etc. Just like we have for disabled accounts. Possibly this could be column based info so it could be sorted?


o Easier to extend ADUC to add properties/capabilities such that it doesn't require extensive or maybe any programming capability. Drag and Drop RAD type design.


o GUI tool to select attributes to add to dialogs/searches/etc (i.e. for dialog display specifier modification).


o Choose columns that are displayed in group members view such as displayname, employeeID, etc (Joe Addon: This sounds like ASQ)


o Add context menu option out of the box to
        1. Unlock user (user context)
        2. Unlock all users (domain, container, or OU context menu)


o An expert mode where labels for attributes, etc is the actual LDAP Display Name and not the friendly names someone else decided to use. Sort of like a cross between ADUC and ADSIEDIT or the E55 ADMIN tool in RAW Mode.


o Allow ADUC to handle larger numbers of objects in a container without running like a snail. (Maybe we need generic VLV in AD?)


o I'd like to be able to multi-select a bunch of objects and have a UI to change all the common attributes that are modifiable.


o I'd like an interface that will allow me to query for where a particular security principal is referred to in an explicit ACE on an ACL.

What I mean is say I have a group. I want to know at which points in the AD that group is referred to in an ACL. I want to know what object it was applied to and what rights were allowed or denied. I don't want to see any of the inherited stuff, just the places where I may want to modify or remove it. What would be really nice would be to get a list of all the places where user accounts were added explicitly to ACLs so I can get rid of them all.


o I'd like an extension of the Advanced Security dialog that allowed me to specify a security principal, highlight a right and click a button to find out how/why that principal has that right.


o I'd like an easy way to search by managedBy that didn't require full DNs. I'd like to be able to specify the canonical name and have it figure out the DN for me. That's because canonical name is copy-able from the UI.


o Use the disabled account icon for disabled accounts that show up in the find object dialog results pane.


o When I copy an account I would like to be prompted to update the info on the profile tab if any exists.


o I would like to be able to set up template accounts that don't resolve variables until the accounts are created.


o The acctinfo.dll to be standard and have a next DC button to query user properties on the next DC, effectively enabling a DC scroll through.

I would also like to see the additional information exposed by installing acctinfo.dll be made standard (built-in) rather than by having to install an additional dll and the information it exposes be viewable on the user object when that user is found via a search.


o Maybe the ability to change the security context for certain operations within a session? Like a task-specific "run-as". I haven't thought this all the way through in terms of security implications, but usually when I fire up ADUC it's with a non-privileged account, and then I have to go back with a different account or different tool in a privileged context if I need to make a change. (several folks liked this one too)


o I'd like the ability to customize the display pane differently for each node in the tree.  For example, specifying different widths for the same column in different nodes and choosing different sets of columns to display for different nodes in the tree.  For instance if I had an OU of users and one of computers, I might like to display Name and Office for the user OU and Name and OS for the computers OU.  Granted OS isn't even an option to choose, which is addressed below.


o I'd also like more options to choose columns from, ideally any attribute of an object.  Prolly would work best by having a slightly expanded list than what's there now, by default, but also having an advanced button to access the rest.


o The next is best described with an example.  When changing the Managed By attribute of a group, I click change and "Select User, Contact, or Group" search box comes up.  In order to search for a group, I have to click "Object Types" and check the box next to groups.  Ignoring the fact that this is slightly inconsistent with the title of the search box, I would like the option to change whether that's selected by default.


o Finally, it's probably more an issue with the mmc than aduc, but my view pane often changes to large icon mode instead of detail.  It seems to happen when I return from a different snap-in.


o Add employeeid to one of the property sheets


o When you search for objects, you should be able to right-click the object and select an option to take you to the object in the hierarchy. (like Explorer Open Containing Window Maybe?)


o If I'm in a hurry and use the ADUC to find an object, I select the domain, select the find option, conduct my search, find the object then go look for the object tab to see where it is....  NO...  the object field is only available in the advanced features.  So kill everything, click advanced features, go through the steps again...

The location of an object is important!  Let's put it everywhere and not try to hide it!


o I would like ADUC to maintain a log of command-line equivalents for all its operations, so I can learn how to script it better. (Several folks like that)


o How about when viewing Groups as containers, in the resulting window after clicking on it it shows the group members.


o option to view the domains in a real tree-like fashion (not needing to switch between various ADUC instances when handling multi-domain environments)


o option in the UI to disable the filter for "groups that are remote to the user", so that universal group memberships are displayed from any domain in the forest when connected to a GC (basically the way that it worked in Win2k; naturally I'd also want the local group memberships from the other domains, but I won't ask for too much at once...)


o easy way to disable drag & drop without the need to set a flag in the config-container. And disable drag & drop by default. (another request said same thing but asked for GPO setting)


o an "Advanced Tab" in the New Users dialog-box that allows you to enter all or at least an extended list of attributes (incl. group-memberships)


o ability to select specific (or all) users from a search and right-click => "add to group" context option


o replace the Delegation Wizard with something useful. How about something that understands the "roles" that it sets and can actually display them when viewing the security on objects.


o normalize the way that objects are displayed and handled in search results with how they are handled when browsing to the object (e.g. same property pages, same context functions)


o ability to copy group-memberships and "paste" them to another group - same for "memberOf" links from one User/Computer/Group object to another.


o I hate how ADUC refreshes the view and gets you back to the root of the domain just because I've added a different column to the view or have selected the Advanced View option. That is sooooooo annoying. I'd like it just to refresh the view I'm currently on, or if it must basically re-read the tree-structure (and close all of those nodes that I've opened until then), at least bring me back to where I was...


o Undo/Redo


o option to enable the ability to consistently remember the last domain controller I connected to, and reconnect to it when I start it back up.


o I want an Undelete button that says "Hey, if you click me, I will let you undelete anything that you accidentally deleted within the last 60 days and you don't have to do an Authoritative Restore or a Non-Authoritative Restore or a Tombstone Re-animation or a Guido-ism or a joeware tool or anything. Click it and go home and watch College Basketball like you were planning and relax.  I'll take care of it."


o Move to MMC2.0


o Ability to add custom attributes to the list view easily, different per client a.s.o.


o Ability to modify attributes in the list view, such as Exchange. Keep this possibility off by default, but enable admins to individually switch it on per client. For more changes it would be so cool just to change the phone-numbers or anything else in the list view. Click it, F2-Change it, then press Arrow-Down to move to the same property of the next user (Or Enter / Arrow-right for the next attribute of the same user). (Joe addon: I could also visualize a CTRL-D option like there is in Excel which will copy a value down through all of the highlighted cells...)


o I haven't seen huge implementations where the waiting period for returning queries is really long... but if there was a cancel button that would return you to the interface rather than make you wait until it returns the 9000 members of the container you just clicked by accident, that might be nice...


o Ability to bulk set passwords, I have 6 generic limited access accounts for users that forget their smartcards, but the passwords are generated on a daily basis, and I just hate setting it on all 6, I suppose a simple script would do this, but I would love to see it integrated so that I do not have to modify the schema display specifiers.


o Easily add fields to the ADUC property pages, I believe this was mentioned in being MMC2.


o This may be more of an Exchange management add-in, but it sure would be nice to be able to go into Exchange Tasks from ADUC and do an export of a mailbox... or is there some exmerge plug-in to do this


---

And some that I just came up with while sitting here. 


o Sizeable dialogs. You have a 21" monitor in 1600x1200 and you have a tiny popup dialog for security or something else that has scroll bars and it is only taking a tiny square of space, should be able to enlarge it.


o An expand/collapse property set properties granted in Advanced ACL mod dialog. What exactly is being delegated if I select Property Set X? There is a plus next to the property sets and when you click it a new set of rows slightly offset pops up or maybe a separate dialog pops up listing the properties (bonus, indicate which props are already delegated to the principal (directly and inherited, not through anything else say like group memberships, etc)).


o Minimum ACE Wizard. You check what attributes and what access and it scans the property sets and determines the minimum number of ACEs to accomplish the goal. Say you list 20 attribs and it pops out use this prop set and that prop set and these three attribs and asks if it should be applied. Alternatively, just allow an attribute to be in multiple property sets and allow someone with the permissions to create the property sets on the fly from ADUC. (wink wink call it role based security...).


o Somehow indicate the confidential attributes in the security editor so it is very clear and make it so you can modify the CA/RP for attribute easily in it.


o Maybe a super advanced ACL editor that shows you the real ordering of the ACLs, not something sorted by some attribute of the ACEs.


o In ACL editor where it tells you where an ACE was inherited from, allow me to right click and go to security dialog for that container and maybe even highlight that specific ACE. Yeah this is a lazy one. Just thinking about the chaining that goes on with users and groups when you are poking around in the dialog screens. :)


o Domain level (and maybe forest) option (in directory) to specify a specific owner for every object created in ADUC instead of setting the user who created the object as the owner. I would actually like this globally for all create mechanisms but probably easier to get into the GUI tools first. Plus other mechanisms built inhouse can be programmed to do it that way.


o Build out saved queries to handle things like dates etc so you can EASILY have fixed queries for locked, expired pwd, expired account, old computers, old users, users created in last 24 hours, computers created in last 24 hours, groups created in last 24 hours, (insert whatever)'s updated/deleted in last 24 hours, (Insert whatever)'s that haven't been updated in 6/9/12/18 months.


o Have lost and found change to RED BOLD font when it has something in it. Maybe make it blink too. :)


o Copy and paste OU structures. Haven't thought this one out entirely, what SD do you lay down? Possibly have template OU structures with groups in them that are named based on the OUs themselves? And Security is applied after the OUs are created and groups are created with their official OU-type name and then the ACLs defined for the structure are laid down.


o And the final for the night, right click on some structure and select export. You then get a dialog asking what the export is for, what objects, maybe what attributes, ready picks for simple backup of all attributes that could be reimported or export for duplicating in another test type domain. Output is LDIF file (with proper values to be changed in some VAR format for easy replace (basically I am talking Domain portion of DNs) that can be imported into ADUC in other domain or just applied as an LDIF file.


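joe's request above (find every place a security principal is named in an explicit, non-inherited ACE, which object it sits on, and what rights are allowed or denied) can be answered offline from each object's SDDL security descriptor. The script below is an added example, not from this thread or from any Microsoft tool; the OU names, SIDs and attribute GUID in its sample directory are constructed.

```python
"""Find every explicit (non-inherited) ACE naming a security principal, with the
object it sits on and the rights allowed or denied. Added example, not from this
thread or any Microsoft tool; parses SDDL offline, sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OD = object-specific allow/deny
    flags: str         # two-letter tokens: CI, OI, NP, IO, ID (inherited), SA, FA
    rights: str        # two-letter right tokens (RP, WP, CC, DC, ...) or a hex mask
    object_type: str   # attribute / property-set / extended-right GUID, if any
    inherit_type: str  # inherited-object-type GUID, if any
    trustee: str       # SID, or an SDDL alias such as DA (Domain Admins)

    @property
    def inherited(self) -> bool:
        # Flags are packed two letters each; "ID" marks an ACE copied from a parent.
        return "ID" in {self.flags[i:i + 2] for i in range(0, len(self.flags), 2)}


# "D:" introduces the DACL; SID strings and two-letter owner/group aliases never contain "D:".
_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl: str) -> list:
    """Return the DACL's ACEs in their real order (SDDL preserves ACL ordering)."""
    m = _DACL_RE.search(sddl)
    if not m:
        return []
    fields = (body.split(";") for body in _ACE_RE.findall(m.group(1)))
    return [Ace(*f) for f in fields if len(f) == 6]   # skip conditional/other ACE forms


def explicit_references(directory: dict, trustees: set) -> list:
    """(dn, trustee, ace_type, rights) for every explicit ACE naming one of trustees.
    Pass one group SID to see where it is delegated, or a set of user SIDs to list
    the places individual accounts were added to ACLs directly."""
    return [(dn, ace.trustee, ace.ace_type, ace.rights)
            for dn, sddl in directory.items()
            for ace in parse_dacl(sddl)
            if ace.trustee in trustees and not ace.inherited]


# Constructed sample directory: the child OU carries an inherited copy (ID flag)
# of the parent's ACE, which the query must ignore, plus its own explicit deny.
HELPDESK = "S-1-5-21-1000-2000-3000-1105"   # constructed group SID
BOB = "S-1-5-21-1000-2000-3000-1500"        # constructed user SID
ATTR_GUID = "11111111-1111-1111-1111-111111111111"  # constructed attribute GUID
DIRECTORY = {
    "OU=Sales,DC=example,DC=com":
        "O:DAG:DAD:AI(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
        f"(OA;CI;WP;{ATTR_GUID};;{HELPDESK})(A;;RP;;;{BOB})",
    "OU=Staff,OU=Sales,DC=example,DC=com":
        f"O:DAG:DAD:AI(OA;CIID;WP;{ATTR_GUID};;{HELPDESK})(D;;DC;;;{HELPDESK})",
}

if __name__ == "__main__":
    for hit in explicit_references(DIRECTORY, {HELPDESK}):
        print(hit)
```

Against a live domain the SDDL strings would come from each object's nTSecurityDescriptor; the inherited copy on the child OU is dropped, leaving only the two places where the group was set explicitly.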

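The date-based saved queries joe lists above (locked out, expired pwd, expired account, created in the last 24 hours, not updated in N months) each come down to an LDAP filter once the timestamps are encoded the way AD stores them. The builder below is an added example, not from this thread or any Microsoft tool; the reference time and the 42-day / 30-minute policy values are constructed assumptions.

```python
"""Build the date-based saved queries from the list above (locked out, expired
password, expired account, created in the last 24 h, not updated for N months)
as LDAP filters. Added example, not from this thread or any Microsoft tool."""
from datetime import datetime, timedelta, timezone
from typing import Optional

# accountExpires, pwdLastSet and lockoutTime are 64-bit FILETIME values: 100-ns
# ticks since 1601-01-01 UTC. whenCreated/whenChanged use LDAP GeneralizedTime.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 9223372036854775807     # accountExpires sentinel (0 also means never)
UAC_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl bit 65536
BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND
USER = "(objectCategory=person)(objectClass=user)"
COMPUTER = "(objectCategory=computer)"

def to_filetime(dt: datetime) -> int:
    # Integer arithmetic: microseconds since 1601 times 10 = 100-ns ticks.
    return (dt - _EPOCH_1601) // timedelta(microseconds=1) * 10

def to_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def expired_accounts(now: datetime) -> str:
    ft = to_filetime(now)
    return (f"(&{USER}(accountExpires<={ft})(!(accountExpires=0))"
            f"(!(accountExpires={NEVER_EXPIRES})))")

def locked_out(now: datetime, lockout_duration: Optional[timedelta]) -> str:
    # lockoutTime is not cleared when the duration elapses, only at the next
    # successful logon, so compare against now - duration. None = admin unlock only.
    floor = 1 if lockout_duration is None else to_filetime(now - lockout_duration)
    return f"(&{USER}(lockoutTime>={floor}))"

def expired_passwords(now: datetime, max_pwd_age: timedelta) -> str:
    # pwdLastSet=0 means "must change at next logon", not expired; also skip
    # accounts flagged DONT_EXPIRE_PASSWD via the bitwise-AND matching rule.
    threshold = to_filetime(now - max_pwd_age)
    return (f"(&{USER}(pwdLastSet>=1)(pwdLastSet<={threshold})"
            f"(!(userAccountControl:{BIT_AND}:={UAC_DONT_EXPIRE_PASSWD})))")

def created_since(base: str, now: datetime, window: timedelta) -> str:
    return f"(&{base}(whenCreated>={to_generalized_time(now - window)}))"

def not_updated_for(base: str, now: datetime, age: timedelta) -> str:
    # whenChanged is non-replicated and maintained by each DC itself, so compare
    # results taken from the same DC.
    return f"(&{base}(whenChanged<={to_generalized_time(now - age)}))"

EXAMPLE_NOW = datetime(2006, 1, 26, tzinfo=timezone.utc)   # constructed reference time

def example_queries(now: datetime = EXAMPLE_NOW) -> dict:
    # 42-day password age and 30-minute lockout are constructed policy values.
    day = timedelta(days=1)
    return {
        "expired_accounts": expired_accounts(now),
        "locked_out": locked_out(now, timedelta(minutes=30)),
        "expired_passwords": expired_passwords(now, timedelta(days=42)),
        "users_created_24h": created_since(USER, now, day),
        "computers_created_24h": created_since(COMPUTER, now, day),
        "users_stale_18m": not_updated_for(USER, now, 18 * 30 * day),
    }
```

Each returned string can be pasted as-is into the ADUC custom search "Advanced" LDAP query box or passed to adfind.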
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 1:21 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

LOL.

Ok, so has this thread finished up? If so, I will try to go through them and summarize and then send off to the appropriate folks at MS.

Bueller...
Bueller..........
Bueller.....................



BTW, I just received a hard copy version of Active Directory Third Edition from FedEx so it looks like the book is now being printed. Doesn't appear to be on Amazon yet though it is on the O'Reilly site (and has been for a bit actually).



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 9:13 AM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> Note that the ones you don't submit will most likely not be implemented...

Ah but that's not necessarily true -  there are about 10 ideas I remembered about right after they were posted, so I didn't have to post them myself :)


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 6:06 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> I have hundreds of more ideas, but not enough time to put them all down.

Thanks for what you did submit. Note that the ones you don't submit will most likely not be implemented. ;o)

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Saturday, January 14, 2006 4:32 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

OK, Here goes:

1. Ability to bulk set passwords, I have 6 generic limited access accounts for users that forget their smartcards, but the passwords are generated on a daily basis, and I just hate setting it on all 6, I suppose a simple script would do this, but I would love to see it integrated so that I do not have to modify the schema display specifiers.

2. Easily add fields to the ADUC property pages, I believe this was mentioned in being MMC2.

3. Easily add items to the context menu without having to manually edit the display specifier of the schema.

I have hundreds of more ideas, but not enough time to put them all down.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: January 12, 2006 11:22
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this.

Everyone who has an idea for a change to ADUC post the ideas to this thread. Don't be shy, you may have thought of something no one else would think of that once seeing it would go this is very cool. Then when the thread seems to die (or some point after that when I catch up :oP ) I will summarize to make sure I understand and then post to LadyBug as improvements that could be made. Also, you may or may not be shocked to hear that many of the folks working on the stuff in Redmond actually watch this list on a regular basis too so they may see it directly. I know the conversation we had previously about suggested improvements to AD was watched pretty closely and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging accounts (and I am stating this generically) that are not currently live. This includes disabled, locked, expired passwords, expired accounts? Would this be better to add maybe as additional columns that you could tell the GUI to sort on? Or the icons are best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having this conversation at BB.

  joe


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled accounts, expired account, expired password, etc.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to you. The developers or whomever wrote the spec for the developers didn't feel it should. You also have to ask if accounts with locked passwords should show up that way and define if you mean expired accounts or expired passwords on accounts and whether or not you would differentiate them in that marking.

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: [email protected]
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled account?


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/