What's new in Active Directory
Event details
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, security, and supportability and show you the enhancements we're making to help keep you more secure and productive!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
- CraigDK (Iron Contributor):
  - Not everyone can move to cloud-based solutions (Azure AD / Entra / Intune), and some need to run an on-prem AD platform.
  - With MDOP deprecation in early 2026, AGPM (Advanced Group Policy Management) will go with it, leaving a capability gap for on-prem GPO management without moving to third-party offerings.
  - Can Microsoft / the team responsible for Active Directory consider provision of an integrated AGPM-like capability, or formal adoption of AGPM itself, to ensure continuity of advanced GPO management capability within on-prem AD environments?
- Lindakup (Microsoft): Thanks for this feedback, Craig. I will share it with the group policy team.
- ZaferBalkan (Brass Contributor): Came here to ask about this and saw the comment. I wish I could do more than give a like to this.
- Cliff_Fisher (Microsoft): Links to the bonus demos mentioned in the presentation:
  - https://aka.ms/ADTTDcLocPerfDemo
  - https://aka.ms/ADTT32kpagesdemo
  - https://aka.ms/adttLsaLookupDemo
  - https://aka.ms/adttLdapPerfDemo
  - https://aka.ms/adttdcLocatorDemo
- Cribbster (Copper Contributor): It may seem small, but I really, really do like the new dMSA feature. An ingenious way of helping customers to address the security nightmare that is ordinary service accounts. Bravo! 🙂
- Cribbster (Copper Contributor): As a follow-on to this: What will the requirements be for us to be able to use this feature? Will it require DFL (or FFL) vNext? Will it require the member servers where the service account is being used to be running Windows Server vNext? Or will it only require one DC running Windows Server vNext?
- Lindakup (Microsoft): There is no DFL/FFL requirement (we like to avoid that at all costs because we know it prevents adoption); however, the machines involved in the authentication flow will need to be running some new code to take advantage of the new feature. Those details are still being worked on.
- Cliff_Fisher (Microsoft): Link for the bonus blog entry on ESE: https://aka.ms/ESEdeepdivePart1
- ZaferBalkan (Brass Contributor): I will try to give a link to a discussion we had a long time ago: https://old.reddit.com/r/activedirectory/comments/ozg8v2/active_directory_feedback/
  - KRBTGT account password reset built in, without using third-party scripts. A sane and simple PowerShell module and an integrated GUI, just a window, would be great.
  - The most googled question for AD objects: the creator's and modifier's name. And the answer is always "check your event log". But those events are not even turned on by default. AD desperately needs creatorsName and modifiersName attributes.
- Cliff_Fisher (Microsoft): We appreciate the feedback.
- Cliff_Fisher (Microsoft): We would love to hear your feedback! Please fill out the evaluation at https://aka.ms/ADTechTakeOff. Thank you!
- Char_Cheesman (Community Manager): Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don’t worry – you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- GiManzo (Microsoft): Thank you mates, great session and demo, I look forward to exploiting the new features! Active Directory, since 1999, our NeverEnding Story! 🙂
- KrazeyKami (Copper Contributor): Good times GL... 🙂
- Nannnu (Copper Contributor): Are there any fixes planned for schema change events only going to DS schema-type events like 1898 and 1899 and not creating 5136 events? Very difficult to correlate because they go into a different event, but also schema modification events (unlike creation) don’t even tell you what attribute was modified, for example the description (in the 1898 event).
- Wayne_McIntyre (Microsoft): Hi Narayanan, I just checked the code and did a quick test, and the 1898 event (schema modification) includes the schema object being modified. Internal event: "The following schema object was modified. Schema object: CN=account,CN=Schema,CN=Configuration,DC=Contoso,DC=com"
- Nannnu (Copper Contributor): Well, my bad, putting it in the wrong words; I meant the attribute.
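The exchange above is about a detection gap: schema changes surface as Directory Service events (1898/1899) that name the schema object but not the attribute, and no 5136 event is written for them. The following is an added example, not code from the thread or from Microsoft, that shows how a collector-side script can normalize both event kinds into one record set so the gap is visible to an analyst. The record layout (dicts with `EventID`, `TimeCreated`, `Message`), the 1899 wording, and the simplified 5136 message text are assumptions constructed for the demo; only the 1898 text is taken from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real exported events). The 1898 message text is
# the one quoted in the thread; the 1899 wording and the 5136 layout are assumed.
SAMPLE_EVENTS = [
    {"EventID": 1898, "TimeCreated": "2024-05-01T10:00:00Z",
     "Message": "Internal event: The following schema object was modified. "
                "Schema object: CN=account,CN=Schema,CN=Configuration,DC=Contoso,DC=com"},
    {"EventID": 1899, "TimeCreated": "2024-05-01T10:05:00Z",
     "Message": "Internal event: schema object event (wording assumed for demo). "
                "Schema object: CN=demo-Attr,CN=Schema,CN=Configuration,DC=Contoso,DC=com"},
    {"EventID": 5136, "TimeCreated": "2024-05-01T10:10:00Z",
     "Message": "A directory service object was modified. "
                "Object DN: CN=svc-web,OU=Services,DC=Contoso,DC=com "
                "Attribute LDAP Display Name: servicePrincipalName"},
]

SCHEMA_EVENT_IDS = {1898, 1899}          # DS schema-type events named in the thread
OBJECT_MODIFIED_EVENT_ID = 5136          # Security auditing: object modified

# Objects in the schema naming context live under CN=Schema,CN=Configuration,...
_SCHEMA_NC = re.compile(r",CN=Schema,CN=Configuration,", re.IGNORECASE)
_SCHEMA_OBJECT = re.compile(r"Schema object:\s*(.+?)\s*$")
_OBJECT_DN_AND_ATTR = re.compile(
    r"Object DN:\s*(.+?)\s+Attribute LDAP Display Name:\s*(\S+)")


@dataclass
class SchemaChange:
    event_id: int
    time_created: str
    dn: str
    attribute: Optional[str]   # None when the source event does not carry it

    @property
    def attribute_unknown(self) -> bool:
        return self.attribute is None


def is_schema_dn(dn: str) -> bool:
    """True if the DN sits in the schema naming context."""
    return _SCHEMA_NC.search(dn) is not None


def extract_schema_object(message: str) -> Optional[str]:
    """Pull the 'Schema object: <DN>' value out of a 1898/1899 message."""
    m = _SCHEMA_OBJECT.search(message)
    return m.group(1) if m else None


def extract_schema_changes(events) -> list:
    """Normalize schema-NC modifications from both event families into one list.

    1898/1899 records yield a DN with attribute=None (the event has no attribute);
    5136 records are kept only when their DN is in the schema NC and contribute
    the attribute name. Records are returned in input order.
    """
    changes = []
    for ev in events:
        eid, ts, msg = ev["EventID"], ev["TimeCreated"], ev["Message"]
        if eid in SCHEMA_EVENT_IDS:
            dn = extract_schema_object(msg)
            if dn and is_schema_dn(dn):
                changes.append(SchemaChange(eid, ts, dn, None))
        elif eid == OBJECT_MODIFIED_EVENT_ID:
            m = _OBJECT_DN_AND_ATTR.search(msg)
            if m and is_schema_dn(m.group(1)):
                changes.append(SchemaChange(eid, ts, m.group(1), m.group(2)))
    return changes


def report(events) -> list:
    """Human-readable lines; schema changes without an attribute are flagged."""
    lines = []
    for c in extract_schema_changes(events):
        flag = " [attribute not in event; follow up]" if c.attribute_unknown else ""
        lines.append(f"{c.time_created} event {c.event_id} {c.dn} attr={c.attribute}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
```

Run against a real export, the `attribute_unknown` flag marks exactly the records the thread complains about: a schema object was modified, but the event stream alone cannot say which attribute changed, so the change needs to be followed up through another source.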
- AndrewPrior (Brass Contributor): Looking at the early builds, I can see there are now dMSAs, or delegated Managed Service Accounts. Could these be explained please?
- Wayne_McIntyre (Microsoft): Hi Andrew, the session will cover dMSAs briefly as well as have a link to a short demo. This was a joint effort with our Auth/Kerberos team, and they will also be publishing docs on it and step-by-step instructions on usage and deployment. The main differences between a dMSA and a gMSA are:
  1. dMSAs allow existing user accounts that are used for services to be superseded/migrated by a dMSA.
  2. dMSAs allow the credential keys to be bound to credguard.
  3. dMSA keys are retrieved via Kerberos.
  4. dMSA passwords are never returned to the client (cannot query the attribute over LDAP), and the password is never stored locally where dMSAs are used.
- FiRem002295 (Copper Contributor): How are dMSAs any different to the original MSAs (precursor to gMSAs), if these are regressing from multiple computers back to singular?