Appreciate the blog post and information, but we also have to mind the gap between theory and practice.
 
How about including intelligent wizards in Windows Server 2025 to achieve and check this?
 
Honestly, I am not seeing many customers using Active Directory Administrative Center (DSAC) plus Server Manager to make use of concepts like permission claims, neither on NTFS file systems nor beyond. These do not even extend to SharePoint on-premises or in the cloud, nor to Entra ID.
 
Microsoft's learn.microsoft.com still refers to Active Directory Users and Computers (DSUC) quite ubiquitously.
 
And the newer tools are barely known, let alone how to use them.
 
It's fine to write up complex issues in theory, but everyday admins need intelligent, GUI-based wizards to help them model and apply security layers in practice, and to shift away from not-so-good designs. Security concepts have never been a serious part of the Server Manager / PowerShell BPA module.
 
That said, DSAC made it harder to delegate AD permissions based on RBAC and AD DS or particular OUs, let alone the need to fall back to the old DSUC tool.
 
To date, it's not the admins' fault that Domain Admins or higher needlessly become part of the local Administrators group of each domain-joined Windows device. Why is there no separation by default?
 
If we consider the multi-part videos of 0rinThomas on YouTube on Active Directory security and auditing, why aren't these the default settings, again with a centralized dashboard to monitor relevant events?

Even new tools like Windows Admin Center Gateway offer no real RBAC unless used through the Azure Portal.
 
There's lots that can be done, but many things are disabled or not configured by default, and handy wizards like Azure security score etc. aren't a thing on-premises.

So how can Microsoft help the user, pardon, admin adoption of these principles?