Disable IPv6 in Group Policy Editor

The security reason to disable IPv6 in Active Directory (AD) is to reduce the potential attack surface and prevent vulnerabilities unique to the IPv6 implementation. Disabling unused services is a fundamental security practice, and misconfigured or unmonitored IPv6 traffic can bypass firewall rules and enable unauthorized data interception or denial-of-service attacks. However, be aware that disabling IPv6 can also cause issues with AD services and Group Policy processing, as some AD functions are optimized to use it for communication.

How to disable IPv6 using Active Directory

Create a new file and name it Disable-IPv6.ps1. Add the following commands to the file.

# Disable IPv6 on all network adapters
Get-NetAdapterBinding -ComponentID ms_tcpip6 | ForEach-Object {
    Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -Confirm:$false
}

Place it in the SYSVOL scripts folder (e.g., \\domain.com\SYSVOL\domain.com\scripts).

In the Group Policy Management Console (GPMC), edit your GPO and navigate to:

Computer Configuration
  > Policies
    > Windows Settings
      > Scripts (Startup/Shutdown)

Add the PowerShell script under Startup.
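To confirm the startup script took effect after a reboot, the following check can be run on a target machine. It is an added example, not part of the original post; the file name Test-IPv6Disabled.ps1 and the log path are assumptions.

```powershell
# Test-IPv6Disabled.ps1 (hypothetical name): added example.
# Reports every adapter where the IPv6 binding (ms_tcpip6) is still enabled
# after Disable-IPv6.ps1 has run at startup. Run from an elevated session.

# Assumed log location; change it to suit your environment.
$LogPath = Join-Path $env:SystemRoot 'Temp\IPv6-binding-check.log'

try {
    # Same component ID the startup script disables.
    $bindings = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction Stop)
}
catch {
    Write-Error "Could not query adapter bindings: $($_.Exception.Message)"
    exit 2
}

# Record the state of every adapter so results can be compared across reboots.
$stamp = Get-Date -Format 's'
foreach ($b in $bindings) {
    $state = if ($b.Enabled) { 'ENABLED' } else { 'disabled' }
    $line  = "$stamp $env:COMPUTERNAME adapter='$($b.Name)' ms_tcpip6=$state"
    Add-Content -Path $LogPath -Value $line
}

# Any adapter still bound to IPv6 means the GPO script did not apply to it.
$stillEnabled = @($bindings | Where-Object { $_.Enabled })

if ($stillEnabled.Count -gt 0) {
    $names = ($stillEnabled | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "IPv6 is still bound on: $names"
    exit 1
}

Write-Output "IPv6 binding is disabled on all $($bindings.Count) listed adapter(s)."
exit 0
```

A non-zero exit code marks machines where the GPO has not applied or where an adapter was not covered, which is also the place to start when AD services or Group Policy processing misbehave after the change.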
				
			
