Adaxes Blog

Active Directory Management A to Z

In this article we cover Active Directory management top to bottom. A to Z. Literally. 

Automation not only saves time and effort by streamlining manual procedures but also reduces the number of possible mistakes in your system.

Basic security measures recommend renaming the default administrator and disabling the guest account.

Creating an account in AD is the first step that can be used as a trigger for automated onboarding procedures.

Delegation can be made much safer if you add approvals to security-sensitive operations. This way you never lose control.

Extending Active Directory Schema is a serious step. Any changes you apply are irreversible. But it doesn’t mean that you should never do it.

Finding inactive user and computer accounts should be a regular automated task that keeps your AD tidy and protects you from potential attacks.

Groups with similar names could be a source of confusion. This can be fixed by having a centralized comprehensive naming convention and adding descriptions.

Human factor is one of the major problems in AD management, which can be easily eliminated by automation and user input validation.

Initial password communication is a procedure that often lacks security. Generating a random password, enabling the User must change password at next logon account option and sending it to the user’s personal phone number via SMS, should be enough to fix it. 

Job title property is often used as a condition to automatically add users to necessary Active Directory groups during onboarding or as users are updated during their lifecycle.

Keeping too much sensitive data in Active Directory is a common mistake. Some information (e.g. SSNs) just doesn’t belong there.

Let the group owners manage their own Active Directory groups. Leaving it to the IT department creates unnecessary load on your admins. 

Make sure at least two people always have full access to all the scripts in your environment. Think about what happens if one of them leaves the company.

Notify your users about their passwords expiring via email. If they still don’t change it, you can also start automatically dropping emails to their managers after a certain time.

OU structure should be constantly maintained. You can create a scheduled task that will regularly check your environment and move the objects that are in the wrong place.

People are always the weakest link of any IT system. It’s really important to educate them and make sure that are aware of the best practices and understand why they work.

Question yourself regularly about possible improvements that can be introduced to boost efficiency levels. This is the easiest way to keep up with the constantly changing world of IT management.

Role-Based delegation model allows you to efficiently assign permissions and gives you a centralized place to store and manage them.

Sharing admin credentials is probably the worst imaginable way to reduce the number of privileged accounts. Never ever do this.

Think about physical security of your servers. If you have sensitive information somewhere, walls are equally important as firewalls are.

Uniqueness on the email alias stored in Active Directory is not guaranteed. But you generate email address from the sAMAccountName property which has to be unique among all security principals across the domain.

Virtual OUs provided by Adaxes can combine objects from all managed domains based on the rules you define. Can be really useful for delegating permissions.

Write your own PowerShell scripts to automate custom scenarios or use the ones from out Script Repository.

X-out all the unwanted scripts and automation rules that are no longer needed in your environment. Don’t make a mess of your systems.

Your Active Directory should contain separate OUs for protected accounts and normal user accounts.

Zombie users are not welcome. Automate user offboarding, so no ex-employees will have access to your AD after they are terminated.

comments powered by Disqus

See how Adaxes works