nice list joe - 10% of these features in the next version of ADUC would already be a _substantial_ improvement for the tool...
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, 26 January 2006 08:34
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Ok this is what I collected from the notes. Everyone relatively happy? Read through the whole list because there are some that I think are in the product already and responded (or someone responded) separately and things that I tweaked a little and then some I added to and then some that I added entirely while building this list.

Thanks,
joe

o Different icons to flag accounts that are not currently live for various reasons such as locked out, expired acc, expired pwd, etc. Just like we have for disabled accounts. Possibly this could be column based info so it could be sorted?

o Easier to extend ADUC to add properties/capabilities such that it doesn't require extensive or maybe any programming capability. Drag and Drop RAD type design.

o GUI tool to select attributes to add to dialogs/searches/etc (i.e. for dialog display specifier modification).

o Choose columns that are displayed in group members view such as displayname, employeeID, etc. (Joe Addon: This sounds like ASQ)

o Add context menu option out of the box to 1. Unlock user (user context) 2. Unlock all users (domain, container, or OU context menu)

o An expert mode where labels for attributes, etc. are the actual LDAP Display Name and not the friendly names someone else decided to use. Sort of like a cross between ADUC and ADSIEDIT or the E55 ADMIN tool in RAW Mode.

o Allow ADUC to handle larger numbers of objects in a container without running like a snail. (Maybe we need generic VLV in AD?)

o I'd like to be able to multi-select a bunch of objects and have a UI to change all the common attributes that are modifiable.

o I'd like an interface that will allow me to query for where a particular security principal is referred to in an explicit ACE on an ACL. What I mean is say I have a group. I want to know at which points in the AD that group is referred to in an ACL. I want to know what object it was applied to and what rights were allowed or denied. I don't want to see any of the inherited stuff, just the places where I may want to modify or remove it. What would be really nice would be to get a list of all the places where user accounts were added explicitly to ACLs so I can get rid of them all.

o I'd like an extension of the Advanced Security dialog that allowed me to specify a security principal, highlight a right and click a button to find out how/why that principal has that right.

o I'd like an easy way to search by managedBy that didn't require full DNs. I'd like to be able to specify the canonical name and have it figure out the DN for me. That's because canonical name is copy-able from the UI.

o Use the disabled account icon for disabled accounts that show up in the find object dialog results pane.

o When I copy an account I would like to be prompted to update the info on the profile tab if any exists.

o I would like to be able to set up template accounts that don't resolve variables until the accounts are created.

o The acctinfo.dll to be standard and have a next DC button to query user properties on the next DC, effectively enabling a DC scroll through. I would also like to see the additional information exposed by installing acctinfo.dll be made standard (built-in) rather than by having to install an additional dll, and the information it exposes be viewable on the user object when that user is found via a search.

o Maybe the ability to change the security context for certain operations within a session? Like a task-specific "run-as". I haven't thought this all the way through in terms of security implications, but usually when I fire up ADUC it's with a non-privileged account, and then I have to go back with a different account or different tool in a privileged context if I need to make a change. (several folks liked this one too)

o I'd like the ability to customize the display pane differently for each node in the tree. For example, specifying different widths for the same column in different nodes and choosing different sets of columns to display for different nodes in the tree. For instance if I had an OU of users and one of computers, I might like to display Name and Office for the user OU and Name and OS for the computers OU. Granted OS isn't even an option to choose, which is addressed below.

o I'd also like more options to choose columns from, ideally any attribute of an object. Probably would work best by having a slightly expanded list than what's there now, by default, but also having an advanced button to access the rest.

o The next is best described with an example. When changing the Managed By attribute of a group, I click change and the "Select User, Contact, or Group" search box comes up. In order to search for a group, I have to click "Object Types" and check the box next to groups. Ignoring the fact that this is slightly inconsistent with the title of the search box, I would like the option to change whether that's selected by default.

o Finally, it's probably more an issue with the mmc than aduc, but my view pane often changes to large icon mode instead of detail. It seems to happen when I return from a different snap-in.

o Add employeeid to one of the property sheets

o When you search for objects, you should be able to right-click the object and select an option to take you to the object in the hierarchy. (like Explorer Open Containing Window Maybe?)

o If I'm in a hurry and use ADUC to find an object, I select the domain, select the find option, conduct my search, find the object then go look for the object tab to see where it is.... NO... the object field is only available in the advanced features. So kill everything, click advanced features, go through the steps again... The location of an object is important! Let's put it everywhere and not try to hide it!

o I would like ADUC to maintain a log of command-line equivalents for all its operations, so I can learn how to script it better. (Several folks like that)

o How about when viewing Groups as containers, in the resulting window after clicking on it, it shows the group members.

o option to view the domains in a real tree-like fashion (not needing to switch between various ADUC instances when handling multi-domain environments)

o option in the UI to disable the filter for "groups that are remote to the user", so that universal group memberships are displayed from any domain in the forest when connected to a GC (basically the way that it worked in Win2k; naturally I'd also want the local group memberships from the other domains, but I won't ask for too much at once...)

o easy way to disable drag & drop without the need to set a flag in the config-container. And disable drag & drop by default. (another request said the same thing but asked for a GPO setting)

o an "Advanced Tab" in the New Users dialog box that allows entering all or at least an extended list of attributes (incl. group-memberships)

o ability to select specific (or all) users from a search and right-click => "add to group" context option

o replace the Delegation Wizard with something useful. How about something that understands the "roles" that it sets and can actually display them when viewing the security on objects.

o normalize the way that objects are displayed and handled in search results with how they are handled when browsing to the object (e.g. same property pages, same context functions)

o ability to copy group-memberships and "paste" them to another group - same for "memberOf" links from one User/Computer/Group object to another.

o I hate how ADUC refreshes the view and gets you back to the root of the domain just because I've added a different column to the view or have selected the Advanced View option. That is sooooooo annoying. I'd like it just to refresh the view I'm currently on, or if it must basically re-read the tree-structure (and close all of those nodes that I've opened until then), at least bring me back to where I was...

o Undo/Redo

o option to enable the ability to consistently remember the last domain controller I connected to, and reconnect to it when I start it back up.

o I want an Undelete button that says "Hey, if you click me, I will let you undelete anything that you accidentally deleted within the last 60 days and you don't have to do an Authoritative Restore or a Non-Authoritative Restore or a Tombstone Re-animation or a Guido-ism or a joeware tool or anything. Click it and go home and watch College Basketball like you were planning and relax. I'll take care of it."

o Move to MMC2.0

o Ability to add custom attributes to the list view easily, different per client a.s.o.

o Ability to modify attributes in the list view, such as Exchange. Keep this possibility off by default, but enable admins to individually switch it on per client. For more changes it would be so cool just to change the phone-numbers or anything else in the list view. Click it, F2-Change it, then press Arrow-Down to move to the same property of the next user (Or Enter / Arrow-right for the next attribute of the same user). (Joe addon: I could also visualize a CTRL-D option like there is in Excel which will copy a value down through all of the highlighted cells...)

o I haven't seen huge implementations where the waiting period for returning queries is really long... but if there was a cancel button that would return you to the interface rather than make you wait until it returns the 9000 members of the container you just clicked by accident, that might be nice...

o Ability to bulk set passwords. I have 6 generic limited access accounts for users that forget their smartcards, but the passwords are generated on a daily basis, and I just hate setting it on all 6. I suppose a simple script would do this, but I would love to see it integrated so that I do not have to modify the schema display specifiers.

o Easily add fields to the ADUC property pages, I believe this was mentioned in being MMC2.

o This may be more of an Exchange management add-in, but it sure would be nice to be able to go into Exchange Tasks from ADUC and do an export of a mailbox, or is there some exmerge plug-in to do this?

--- And some that I just came up with while sitting here.

o Sizeable dialogs. You have a 21" monitor in 1600x1200 and you have a tiny popup dialog for security or something else that has scroll bars and it is only taking a tiny square of space; you should be able to enlarge it.

o An expand/collapse of the property set properties granted in the Advanced ACL mod dialog. What exactly is being delegated if I select Property Set X? There is a plus next to the property sets and when you click it a new set of rows slightly offset pops up or maybe a separate dialog pops up listing the properties (bonus, indicate which props are already delegated to the principal (directly and inherited, not through anything else say like group memberships, etc)).

o Minimum ACE Wizard. You check what attributes and what access and it scans the property sets and determines the minimum number of ACEs to accomplish the goal. Say you list 20 attribs and it pops out use this prop set and that prop set and these three attribs and asks if it should be applied. Alternatively, just allow an attribute to be in multiple property sets and allow someone with the permissions to create the property sets on the fly from ADUC. (wink wink call it role based security...).

o Somehow indicate the confidential attributes in the security editor so it is very clear and make it so you can modify the CA/RP for an attribute easily in it.

o Maybe a super advanced ACL editor that shows you the real ordering of the ACLs, not something sorted by some attribute of the ACEs.

o In the ACL editor where it tells you where an ACE was inherited from, allow me to right click and go to the security dialog for that container and maybe even highlight that specific ACE. Yeah this is a lazy one. Just thinking about the chaining that goes on with users and groups when you are poking around in the dialog screens. :)

o Domain level (and maybe forest) option (in directory) to specify a specific owner for every object created in ADUC instead of setting the user who created the object as the owner. I would actually like this globally for all create mechanisms but probably easier to get into the GUI tools first. Plus other mechanisms built inhouse can be programmed to do it that way.

o Build out saved queries to handle things like dates etc. so you can EASILY have fixed queries for locked, expired pwd, expired account, old computers, old users, users created in last 24 hours, computers created in last 24 hours, groups created in last 24 hours, (insert whatever)'s updated/deleted in last 24 hours, (insert whatever)'s that haven't been updated in 6/9/12/18 months.

o Have Lost and Found change to RED BOLD font when it has something in it. Maybe make it blink too. :)

o Copy and paste OU structures. Haven't thought this one out entirely, what SD do you lay down? Possibly have template OU structures with groups in them that are named based on the OUs themselves? And security is applied after the OUs are created and groups are created with their official OU-type name and then the ACLs defined for the structure are laid down.

o And the final for the night, right click on some structure and select export. You then get a dialog asking what the export is for, what objects, maybe what attributes, ready picks for simple backup of all attributes that could be reimported or export for duplicating in another test type domain. Output is an LDIF file (with proper values to be changed in some VAR format for easy replace (basically I am talking Domain portion of DNs)) that can be imported into ADUC in another domain or just applied as an LDIF file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 19, 2006 1:21 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

LOL. Ok, so has this thread finished up? If so, I will try to go through them and summarize and then send off to the appropriate folks at MS.

Bueller... Bueller.......... Bueller.....................

BTW, I just received a hard copy version of Active Directory Third Edition from FedEx so it looks like the book is now being printed. Doesn't appear to be on Amazon yet though it is on the O'Reilly site (and has been for a bit actually).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, January 16, 2006 9:13 AM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> Note that the ones you don't submit will most likely not be implemented...

Ah but that's not necessarily true - there are about 10 ideas I remembered about right after they were posted, so I didn't have to post them myself :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, January 14, 2006 6:06 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

> I have hundreds of more ideas, but not enough time to put them all down.

Thanks for what you did submit. Note that the ones you don't submit will most likely not be implemented.

;o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Saturday, January 14, 2006 4:32 PM
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

OK, Here goes:

1. Ability to bulk set passwords. I have 6 generic limited access accounts for users that forget their smartcards, but the passwords are generated on a daily basis, and I just hate setting it on all 6. I suppose a simple script would do this, but I would love to see it integrated so that I do not have to modify the schema display specifiers.

2. Easily add fields to the ADUC property pages, I believe this was mentioned in being MMC2.

3. Easily add items to the context menu without having to manually edit the display specifier of the schema.

I have hundreds of more ideas, but not enough time to put them all down.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: January 12, 2006 11:22
To: [email protected]
Subject: RE: [ActiveDir] ADUC updates - Was Expired Accounts

Well, ok, let's do this. Everyone who has an idea for a change to ADUC post the ideas to this thread. Don't be shy, you may have thought of something no one else would think of that once seeing it would go this is very cool. Then when the thread seems to die (or some point after that when I catch up :oP ) I will summarize to make sure I understand and then post to LadyBug as improvements that could be made. Also, you may or may not be shocked to hear that many of the folks working on the stuff in Redmond actually watch this list on a regular basis too so they may see it directly. I know the conversation we had previously about suggested improvements to AD was watched pretty closely and generated several DCRs without me even arguing with anyone.

So let's hear it. First item on the table is different icons flagging accounts (and I am stating this generically) that are not currently live. This includes disabled, locked, expired passwords, expired accounts? Would this be better to add maybe as additional columns that you could tell the GUI to sort on? Or are the icons best?

Note to Dean: This is D's bailiwick now isn't it? I think I recall us having this conversation at BB.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, January 12, 2006 9:18 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts

I believe it would be helpful if different icons could be used for disabled accounts, expired account, expired password, etc.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, January 12, 2006 7:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Expired Accounts

Philosophical question really. How do you want the GUI to present things to you. The developers or whomever wrote the spec for the developers didn't feel it should. You also have to ask if accounts with locked passwords should show up that way and define if you mean expired accounts or expired passwords on accounts and whether or not you would differentiate them in that marking.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, January 12, 2006 8:35 AM
To: [email protected]
Subject: [ActiveDir] Expired Accounts

Shouldn't expired accounts show up with a red X just like a disabled account?

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
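Added example, not part of the thread above: the "where is this principal named in an explicit ACE" query from joe's list, done with the ActiveDirectory PowerShell module (RSAT) and its AD: drive instead of ADUC. Everything here is an assumption of the example rather than anything the list describes: the parameter names, the default search base, and the use of SID matching so that a renamed group or user is still found. Inherited ACEs are skipped on purpose, which is exactly the distinction the request makes.

```powershell
# Added example (not from the mailing-list thread). Assumes the ActiveDirectory
# module and its AD: PSDrive. Lists every explicit (non-inherited) ACE in a
# subtree whose trustee is the given principal, with rights and object/property
# scope resolved to names so the output is readable without a GUID table.
param(
    [Parameter(Mandatory)][string]$Principal,   # e.g. 'CONTOSO\HelpDesk' (assumed format: DOMAIN\name)
    [string]$SearchBase = (Get-ADDomain).DistinguishedName
)
Import-Module ActiveDirectory

# Resolve once to a SID so the match does not depend on how the ACE trustee renders.
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Build a GUID -> name map from the schema (attributes/classes) and the
# extended rights container (control access rights such as Reset Password).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty) { return 'All' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()   # unknown GUID: show it raw rather than hide it
}

# Walk the subtree. On a large domain this is the slow part; narrow -SearchBase
# to the OU you care about when you only need one branch.
Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        # GetAccessRules(includeExplicit, includeInherited, targetType):
        # explicit only, trustees returned as SIDs.
        $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid } |
            ForEach-Object {
                [pscustomobject]@{
                    Object       = $dn
                    Type         = $_.AccessControlType          # Allow / Deny
                    Rights       = $_.ActiveDirectoryRights
                    OnProperty   = Resolve-AceGuid $_.ObjectType          # attribute, property set or extended right
                    ChildClass   = Resolve-AceGuid $_.InheritedObjectType # object class the ACE is scoped to
                    Inheritance  = $_.InheritanceType
                }
            }
    } | Format-Table -AutoSize
```

Save it as, for instance, Find-ExplicitAce.ps1 and run `.\Find-ExplicitAce.ps1 -Principal 'CONTOSO\HelpDesk' -SearchBase 'OU=Users,DC=contoso,DC=com'`. The "find every user account that was added explicitly to an ACL" variant from the same request is the same walk with the Where-Object filter replaced by a lookup of each trustee SID against user objects; the ACE enumeration does not change. Two caveats: Get-Acl against the AD: drive needs the caller to have READ_CONTROL on each object, so run it as an account that can read security descriptors, and DNs containing characters the provider treats specially (a forward slash in a CN, for example) need escaping before they are used as a path.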

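Added example, not part of the thread above: the date-aware "saved queries" item from joe's list (locked, expired password, expired account, stale computers, objects created in the last 24 hours) expressed as LDAP filters that are recomputed against the current time each run. ADUC's Saved Queries store a fixed filter string and have no notion of "now", which is why these have to be generated. The thresholds (90 days, 24 hours) and the use of the default domain password policy are assumptions of the example; fine-grained password policies are not consulted.

```powershell
# Added example (not from the mailing-list thread). Assumes the ActiveDirectory
# module. Builds the time-relative LDAP filters ADUC's Saved Queries cannot
# express and runs each one, printing a count and a few sample names.
Import-Module ActiveDirectory

$now = Get-Date
# accountExpires, pwdLastSet, lastLogonTimestamp and lockoutTime are FILETIME
# large integers (100 ns ticks since 1601-01-01 UTC); whenCreated/whenChanged
# are GeneralizedTime strings. Both must be compared in UTC.
function ToFileTime([datetime]$d)  { $d.ToUniversalTime().ToFileTimeUtc() }
function ToGenTime([datetime]$d)   { $d.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z') }

$nowFT   = ToFileTime $now
$day1Gen = ToGenTime  $now.AddDays(-1)
$d90Gen  = ToGenTime  $now.AddDays(-90)
$d90FT   = ToFileTime $now.AddDays(-90)

$user = '(objectCategory=person)(objectClass=user)'
$queries = [ordered]@{
    # 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires"; anything between 1 and now has expired.
    'Expired accounts'          = "(&$user(accountExpires>=1)(accountExpires<=$nowFT))"
    # lockoutTime is only reset lazily, so this is "has a lockout stamp"; confirm with Search-ADAccount -LockedOut.
    'Lockout stamp present'     = "(&$user(lockoutTime>=1))"
    # pwdLastSet=0 is "must change password at next logon", which ADUC shows nowhere in the list view.
    'Must change pwd at logon'  = "(&$user(pwdLastSet=0))"
    'Disabled users'            = "(&$user(userAccountControl:1.2.840.113556.1.4.803:=2))"
    'Users created last 24h'    = "(&$user(whenCreated>=$day1Gen))"
    'Groups created last 24h'   = "(&(objectCategory=group)(whenCreated>=$day1Gen))"
    'Computers created last 24h'= "(&(objectCategory=computer)(whenCreated>=$day1Gen))"
    'Users not changed 90d'     = "(&$user(whenChanged<=$d90Gen))"
    # lastLogonTimestamp is replicated but only refreshed when older than ~14 days, so treat it as approximate.
    'Stale computers 90d'       = "(&(objectCategory=computer)(lastLogonTimestamp<=$d90FT))"
}

# "Expired password" cannot be a pure LDAP filter because the maximum age lives
# in domain policy, so compute the cutoff here and exclude accounts whose
# password never expires (DONT_EXPIRE_PASSWD = 0x10000).
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -gt [TimeSpan]::Zero) {
    $pwdCutoffFT = ToFileTime ($now - $maxAge)
    $queries['Expired passwords'] =
        "(&$user(pwdLastSet>=1)(pwdLastSet<=$pwdCutoffFT)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"
}

foreach ($name in $queries.Keys) {
    $hits = @(Get-ADObject -LDAPFilter $queries[$name] -Properties whenChanged)
    [pscustomobject]@{
        Query  = $name
        Count  = $hits.Count
        Sample = ($hits | Select-Object -First 3 -ExpandProperty Name) -join ', '
    }
}
```

The filter strings themselves can be pasted into an ADUC saved query (Find: Custom Search, Advanced tab) when a one-off is enough, but they freeze the timestamp at the moment they were written, which is precisely the shortcoming the request describes; scheduling this script is the equivalent of a saved query that ages correctly.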