Active Directory management comprises a wide range of tasks, including setting up your domains and forests, keeping your AD organized and healthy, properly managing Group Policy, and ensuring business continuity with a comprehensive backup and recovery process.
Establish a sound AD structure
Establishing a sound AD structure, or cleaning up the one you already have, is essential to efficient, effective Active Directory management. It dramatically simplifies Group Policy management, lets you delegate administrative permissions so the workload is spread out without sacrificing security, and streamlines common tasks like user account provisioning and reporting.
The basic unit of AD management is the Active Directory domain: a group of related users, computers, printers and other AD objects stored in a single AD database. Domains should be fairly stable entities, so set them up thoughtfully. For example, you might have a domain for your company's Chicago office and a separate domain for your San Francisco office. A domain is an administrative boundary: by default, your Chicago admins can't delete users from the San Francisco domain, and your San Francisco admins can't modify the permissions of users in the Chicago domain.
Do not mistake that for a security boundary. All domains in a forest trust each other, share the schema and configuration partitions, and are ultimately administered by the forest root's Enterprise Admins. Microsoft's guidance is that the forest, not the domain, is the security boundary: an attacker who compromises a Domain Admin account in any one domain can generally extend that control to the rest of the forest. If two parts of the business genuinely need to be isolated from each other's administrators, they need separate forests; separate domains only divide the day-to-day management workload.
Create organizational units
To simplify AD management, group the objects in each domain into organizational units (OUs). OUs often mirror the organization's structure; for instance, you might have an OU for each department in your Chicago office: Sales, Marketing, IT, Legal and so on. Bear in mind, though, that an OU exists to scope Group Policy and delegated administration, not to draw an org chart, so design around how you administer: keep domain controllers, administrative accounts, servers and workstations in OUs separate from ordinary users, so that policies and delegated rights can be targeted precisely and a helpdesk delegation over "user accounts" never touches privileged ones. Some OUs can be temporary; you might create OUs for different projects and dissolve them when the projects are over. However, it's essential that these changes be made systematically; allowing ad-hoc modifications invariably results in a jumbled AD structure that's much harder to understand and manage.
Define your schema
Think through your schema. The schema contains formal definitions of every object class that can be created and every attribute an AD object can have. Active Directory ships with a default schema that most organizations never need to change by hand; in practice it is extended mainly by products such as Exchange or by a line-of-business application. Design any extension carefully during the planning phase, because schema changes are forest-wide, replicate to every domain controller, and cannot be undone: a class or attribute can be deactivated but never deleted. Given the central role AD plays in authentication and authorization, a mistaken extension can disrupt the whole business. Keep the Schema Admins group empty except while a planned change is in progress.
Employ standard naming
At every level, domains, OUs, groups and the schema, develop and follow standardized naming practices. That way it's easier for everyone to, for example, contact the right user or identify the machine in a particular conference room. It's especially important to be systematic about naming AD security groups, so you can provision and re-provision users easily and accurately: a prefix that states what kind of group it is (for example ROLE- for role groups that collect people and ACL- for resource groups that carry permissions) makes a group's purpose obvious in any access report. It's smart to also add a clear description of the purpose and owner of each security group. It takes only a few seconds and can help you avoid serious problems later.
Monitor AD health
An IT environment is a dynamic place; you can’t simply set up your Active Directory and forget it, no matter how perfectly you plan your domains, OUs, schemas and so on. Users, computers, printers and other AD objects come and go, so you’ll need procedures for provisioning and deprovisioning, which should be automated as much as possible through approval-based workflows. You should also regularly identify inactive user and computer accounts so you can clean them up before they can be misused.
More broadly, you also need to monitor the health of your domain controllers and the replication of data between them in real time. Otherwise, users might very well experience problems logging in or accessing the resources they need to do their jobs.
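The two checks described above, stale accounts and replication health, as an added PowerShell example that is not part of the original article. It assumes the RSAT ActiveDirectory module and a hypothetical quarantine OU; the cleanup only previews (-WhatIf) unless -Commit is passed.

```powershell
# Added example (not from the original article): a daily AD hygiene check.
# Requires the RSAT ActiveDirectory module and read rights to the domain, plus
# rights to disable and move users for the cleanup step. The OU is hypothetical.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Disabled,OU=Chicago,DC=corp,DC=example,DC=com'   # hypothetical

function Get-StaleAccounts {
    param([int]$Days = $InactiveDays)
    $cutoff = (Get-Date).AddDays(-$Days)

    # lastLogonTimestamp is replicated to every DC but only refreshed when it is
    # more than 9-14 days old: fine for "not seen in 90 days", useless for anything
    # finer. lastLogon is exact but per-DC and never replicated.
    # Use -ComputersOnly instead of -UsersOnly for stale computer accounts.
    Search-ADAccount -AccountInactive -DateTime $cutoff -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object { Get-ADUser $_.DistinguishedName -Properties whenCreated, lastLogonTimestamp, Description } |
        Where-Object { $_.whenCreated -lt $cutoff } |      # new accounts have simply not logged on yet
        Select-Object SamAccountName, DistinguishedName, Description,
            @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { 'never' } } }
}

function Disable-StaleAccounts {
    param([Parameter(ValueFromPipeline)]$Account, [switch]$Commit)
    process {
        # Stamp the description first so the change is attributable and reversible,
        # then disable and move. Without -Commit every cmdlet runs with -WhatIf.
        $stamp = 'Disabled {0:yyyy-MM-dd} by cleanup (inactive >{1}d); was: {2}' -f (Get-Date), $InactiveDays, $Account.Description
        Set-ADUser      -Identity $Account.DistinguishedName -Description $stamp -WhatIf:(-not $Commit)
        Disable-ADAccount -Identity $Account.DistinguishedName -WhatIf:(-not $Commit)
        Move-ADObject   -Identity $Account.DistinguishedName -TargetPath $QuarantineOU -WhatIf:(-not $Commit)
    }
}

function Get-ReplicationIssues {
    param([int]$MaxHoursSinceSuccess = 24)
    $limit = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Failures the DC has recorded against a partner...
        Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue |
            Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
        # ...and partners that simply have not replicated successfully recently.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue |
            Where-Object { $_.LastReplicationSuccess -lt $limit } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures
    }
}

# Preview run: nothing is changed until -Commit is added to the second line.
Get-StaleAccounts | Format-Table -AutoSize
Get-StaleAccounts | Disable-StaleAccounts
Get-ReplicationIssues | Format-Table -AutoSize
```

Review the preview with the account owners before committing; an account that shows "never" may be a break-glass or a mailbox-only account rather than an orphan, and a service account that authenticates only with Kerberos still updates lastLogonTimestamp, so it will not be flagged here by mistake.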
Microsoft provides several native Active Directory management tools: the ActiveDirectory and GroupPolicy PowerShell modules, and the Active Directory Users and Computers (ADUC), Active Directory Administrative Center (ADAC), Active Directory Sites and Services, Active Directory Domains and Trusts and Active Directory Schema snap-ins for the Microsoft Management Console (MMC). However, the functionality of the native tools is limited; it's awkward at best to keep switching between them; and tasks are often manual, time-consuming and error-prone.
Scripts and applications often need more access rights than a typical user account has. But you should not run them under an administrative account; that usually grants the application far more access than it needs and exposes your admin credentials on every machine the application runs on. Instead, the best practice is to create a dedicated service account for each application and grant that account only the permissions it needs, as the principle of least privilege requires. Where the application supports it, use a group Managed Service Account (gMSA): domain controllers generate and rotate its password automatically, no human ever knows it, and only the computers you authorize can retrieve it.
But don't forget about these accounts. Since service accounts have access to important resources in your IT environment, it's essential to record who owns each one and what it is for, and to track what each account is actually doing. Watch for activity a service account should never produce, such as interactive or RDP logons, authentication from hosts that don't run the application, or membership in privileged groups, which could be a sign that the account has been compromised and is being misused.
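Provisioning a least-privilege service account and then checking where it is really being used, as an added PowerShell example that is not part of the original article. All names (svc-payroll, PAYROLL-APP01, the group and OU names, DC01 and the allowed IP address) are hypothetical.

```powershell
# Added example (not from the original article): provision a group Managed Service
# Account with least privilege, then audit its use from the domain controllers' logs.
# Every name below (svc-payroll, PAYROLL-APP01, groups, OU, DC01, IPs) is hypothetical.
Import-Module ActiveDirectory

$Svc      = 'svc-payroll'
$HostGrp  = 'GRP-gMSA-Payroll-Hosts'     # computers allowed to fetch the password
$RoleGrp  = 'ACL-Share-Payroll-RW'       # the one resource right the application needs
$GroupsOU = 'OU=Groups,DC=corp,DC=example,DC=com'

# One-time per forest. -EffectiveImmediately still waits ~10 hours for the key to
# replicate; only in a lab skip that with -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately | Out-Null }

New-ADGroup -Name $HostGrp -GroupScope Global -Path $GroupsOU `
    -Description "Hosts allowed to retrieve the password of gMSA $Svc"
Add-ADGroupMember -Identity $HostGrp -Members 'PAYROLL-APP01$'   # host needs a reboot (new Kerberos ticket) before it can fetch the password

New-ADServiceAccount -Name $Svc -DNSHostName "$Svc.corp.example.com" `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGrp `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'Payroll application service. Owner: payroll-it. Change: CHG-0000 (hypothetical).'

# Grant only what the application needs, through a resource group: never by adding
# the account to Domain Admins or by editing ACLs for it directly.
Add-ADGroupMember -Identity $RoleGrp -Members "$Svc$"

# On PAYROLL-APP01 (RSAT AD module installed there):
#   Install-ADServiceAccount svc-payroll; Test-ADServiceAccount svc-payroll   # expect True
# then configure the service to log on as CORP\svc-payroll$ with the password field left blank.

function Get-ServiceAccountLogons {
    param([string]$Account = "$Svc$", [string[]]$DomainControllers = @('DC01'),
          [string[]]$AllowedIPs = @('10.20.30.40'), [int]$Hours = 24)
    # 4768 = Kerberos TGT requested. Every authentication of the account goes through
    # a DC, so DC Security logs give a domain-wide view without touching the app server.
    $xml = @"
<QueryList><Query Id="0" Path="Security">
  <Select Path="Security">
    *[System[EventID=4768 and TimeCreated[timediff(@SystemTime) &lt;= $($Hours * 3600000)]]]
    and *[EventData[Data[@Name='TargetUserName']='$Account']]
  </Select>
</Query></QueryList>
"@
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterXml $xml -ErrorAction SilentlyContinue | ForEach-Object {
            $e = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $ip = $d['IpAddress'] -replace '^::ffff:', ''
            [pscustomobject]@{
                Time       = $_.TimeCreated
                DC         = $dc
                ClientIP   = $ip
                Suspicious = ($ip -notin $AllowedIPs)   # a TGT from a host that should not hold the password
            }
        }
    }
}

Get-ServiceAccountLogons | Where-Object Suspicious | Format-Table -AutoSize
```

A gMSA has no usable password for a human, so a 4768 from an unexpected address means a host outside $HostGrp obtained the credential or a copy of the app was deployed without a change record; either way it warrants a look. Auditing Kerberos events must be enabled in the audit policy of the domain controllers for 4768 to be logged.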
Manage Group Policy
Another critical aspect of Active Directory management is administering Group Policy. Group Policy is a set of policies, packaged as Group Policy objects (GPOs), that can be linked to an entire domain, to a site or just to certain OUs. For instance, you can use Group Policy to require all users in your Chicago domain to use complex passwords, or to disallow the use of removable media on all computers in just the Finance OU of the Chicago domain. Windows ships with thousands of policy settings you can configure in a GPO. Common uses include:
Disable PST file creation
Add frequently used sites to users' browsers
Map useful network drives
Set custom registry values on all computers
Deploy standard software packages to all Windows Server machines and other computers
Run certain scripts on computer startup or shutdown or user login or logout
Note one scoping rule that trips people up: for domain accounts, password and account lockout settings are read only from GPOs linked at the domain level (the Default Domain Policy by default). The same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU. To give one group of users stricter password rules than the rest of the domain, use fine-grained password policies instead.
Group Policy is extremely powerful, so it's critical to set it up right and carefully manage changes to it. A single improper change to a GPO could lead to downtime or a security breach, and anyone who can edit a GPO linked to the domain root or the Domain Controllers OU effectively holds domain administrator power, so treat those edit rights as Tier 0. Unfortunately, native tools don't make it easy to keep Group Policy under control.
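The removable-media and password examples from this section carried out with the GroupPolicy and ActiveDirectory modules, as an added PowerShell example that is not part of the original article. The OU, group and GPO names follow a made-up naming standard and are hypothetical.

```powershell
# Added example (not from the original article): create a GPO that denies removable
# storage, scope it to one OU with security filtering, and give the same population a
# stricter password policy the way AD actually supports it (a PSO, not an OU-linked GPO).
# OU, group and GPO names are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

$FinanceOU  = 'OU=Finance,OU=Chicago,DC=corp,DC=example,DC=com'
$GpoName    = 'CHI-Finance-Computers-DenyRemovableStorage'   # <site>-<scope>-<purpose>
$ApplyGroup = 'GRP-GPO-Finance-Workstations'                 # security filtering target

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Denies all removable storage on Finance workstations. Change: CHG-0000 (hypothetical).'
}

# "All Removable Storage classes: Deny all access"
# (Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access)
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Security filtering: apply only to members of the workstation group. Authenticated Users
# must keep Read (since MS16-072 the computer account reads user policy); only Apply is removed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link to the OU, not enforced, so a tighter child-OU policy can still win.
if (-not ((Get-GPInheritance -Target $FinanceOU).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $FinanceOU -LinkEnabled Yes | Out-Null
}

# Password rules for a subset of users: fine-grained password policy (PSO), because
# password/lockout settings in an OU-linked GPO never apply to domain accounts.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-Finance-Strict'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-Finance-Strict' -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Finance-Strict' -Subjects 'GRP-Finance-Users'

# Verify what one user on one workstation really gets (names hypothetical):
# Get-GPResultantSetOfPolicy -User 'CORP\jdoe' -Computer 'CHI-FIN-WS01' -ReportType Html -Path .\rsop.html
# Get-ADUserResultantPasswordPolicy -Identity jdoe
```

The lower the PSO precedence number, the higher its priority when a user is covered by several; check the result with Get-ADUserResultantPasswordPolicy rather than assuming. Run gpupdate /force on a test workstation and confirm with gpresult /r before linking anything to a broad OU.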
Implement change control
Any improper change to Active Directory or Group Policy — whether
it’s deliberate or accidental — can disrupt critical services and
block legitimate user access to resources, hurting business operations. To
avoid issues, be sure to plan, document and test all changes, and be sure you
can roll back any change that causes unexpected issues.
In addition, it's invaluable to be able to prevent changes to your most important AD objects, including powerful administrative security groups and crucial GPOs. With native tools you can protect objects from accidental deletion, restrict who holds edit rights on critical GPOs, and enable Directory Service Changes auditing (event IDs 5136, 5137, 5139 and 5141 record modifications, creations, moves and deletions) so that every change is at least recorded. Quest Change Auditor and GPOADmin go further and streamline change control to strengthen Active Directory management.
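A pre-change baseline, a "what changed this week" report and deletion protection for Tier 0 objects, as an added PowerShell example that is not part of the original article and not a substitute for the products named above. The backup share and change ticket number are hypothetical.

```powershell
# Added example (not from the original article): back up every GPO before a change,
# list GPOs modified since a date, and protect Tier 0 groups, OUs and GPOs from deletion.
# The backup share path and ticket number are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

$Domain     = Get-ADDomain
$BackupRoot = Join-Path '\\fs01\ADBackups\GPO' (Get-Date -Format 'yyyyMMdd-HHmm')   # hypothetical

function Backup-AllGpos {
    param([string]$Path = $BackupRoot, [string]$Comment = 'Pre-change baseline')
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Backup-GPO saves settings but NOT links, link order or WMI filters; the XML
    # report records LinksTo, so links can be recreated after a Restore-GPO.
    $backups = Backup-GPO -All -Path $Path -Comment $Comment
    Get-GPOReport -All -ReportType Xml -Path (Join-Path $Path 'AllGPOs-with-links.xml')
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime
}

function Get-RecentlyChangedGpos {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Version counters tell you whether the user or the computer half was edited;
    # event 5136 on the DCs tells you by whom.
    Get-GPO -All | Where-Object { $_.ModificationTime -gt $Since } |
        Select-Object DisplayName, ModificationTime, Owner,
            @{ n = 'UserVer';     e = { $_.User.DSVersion } },
            @{ n = 'ComputerVer'; e = { $_.Computer.DSVersion } }
}

function Protect-Tier0Objects {
    # ProtectedFromAccidentalDeletion adds a Deny Delete/DeleteTree ACE for Everyone.
    # An admin can still clear the flag deliberately; the point is to force a second step.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
              'Account Operators', 'Server Operators', 'Backup Operators', 'Group Policy Creator Owners'
    foreach ($g in $groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $obj = Get-ADGroup -Filter "Name -eq '$g'"
        if ($obj) { $obj | Set-ADObject -ProtectedFromAccidentalDeletion $true }
    }
    Get-ADOrganizationalUnit -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true
    # GPOs live as groupPolicyContainer objects under CN=Policies,CN=System; protecting
    # that object blocks deletion of the GPO until the flag is cleared.
    Get-ADObject -Filter 'objectClass -eq "groupPolicyContainer"' `
        -SearchBase "CN=Policies,CN=System,$($Domain.DistinguishedName)" |
        Set-ADObject -ProtectedFromAccidentalDeletion $true
}

Backup-AllGpos -Comment 'Baseline before CHG-0000 (hypothetical)' | Format-Table -AutoSize
Get-RecentlyChangedGpos | Format-Table -AutoSize
Protect-Tier0Objects
```

To roll back a bad edit, Restore-GPO -Name <DisplayName> -Path $BackupRoot puts the settings back from the most recent backup in that folder (or -BackupId for a specific one); links are restored by hand from the XML report. Deletion protection does not stop edits, so pair it with the auditing and edit-right review described above.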
Ensure business continuity
Last but by no means least, proper Active Directory management ensures business continuity. This is achieved through reliable backup and recovery processes and automating repetitive AD tasks.
To ensure productivity and business continuity, you need to regularly back up your AD and be able to quickly recover from any incident or disaster at the object and attribute level, the directory level and the operating system level across the entire forest. While the AD Recycle Bin enables quick recovery of recently deleted objects, it is not, and was never meant to be, an enterprise backup and recovery solution: it has to be enabled before the deletion happens, it covers only objects deleted within the deleted object lifetime (180 days by default), and it does nothing for corrupted attributes, bad GPO changes or the loss of the domain controllers themselves. Backups have limits of their own: a system state backup older than the tombstone lifetime cannot be restored at all, and a backup that sits on a domain-joined file server is likely to be encrypted along with everything else in a ransomware incident, so keep at least one recent copy offline or immutable and rehearse the restore.
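Enabling the Recycle Bin, recovering a deleted user within its limits, and taking a system state backup of a domain controller, as an added PowerShell example that is not part of the original article. The account name, backup target and DC are hypothetical.

```powershell
# Added example (not from the original article): enable the AD Recycle Bin, show how
# long deleted objects stay recoverable, restore a deleted user, and back up a DC.
# The user name (jdoe) and backup target (E:) are hypothetical.
Import-Module ActiveDirectory
$Forest = Get-ADForest

function Enable-AdRecycleBin {
    # Forest-wide, needs forest functional level 2008 R2 or higher, and cannot be disabled again.
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($feature.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Forest.Name -Confirm:$false
    }
    # Recovery window for deleted objects, and the age past which no backup can be restored.
    $dsConfig = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
    Get-ADObject $dsConfig -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime' |
        Select-Object 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'   # blank = default of 180 days
}

function Restore-DeletedUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Commit)
    # sAMAccountName and lastKnownParent survive deletion, so the object can be found and
    # returned to where it lived. If its OU was deleted as well, restore the OU first.
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
    if (-not $deleted) {
        Write-Warning "No deleted object '$SamAccountName' within the deleted object lifetime"
        return
    }
    $deleted | Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize
    # With the Recycle Bin enabled the restored object keeps its SID, attributes and group
    # memberships, which re-creating the account by hand would not. Preview unless -Commit.
    $deleted | Restore-ADObject -WhatIf:(-not $Commit)
}

# System state backup of this DC (requires: Install-WindowsFeature Windows-Server-Backup).
# Keep at least one copy offline or immutable; a copy reachable from the domain is lost
# in the same ransomware incident it is meant to recover from.
#   wbadmin start systemstatebackup -backupTarget:E: -quiet
# Confirm the last backup the directory itself knows about, per partition:
#   repadmin /showbackup

Enable-AdRecycleBin
Restore-DeletedUser -SamAccountName 'jdoe'     # add -Commit to actually restore
```

Restore-ADObject covers the object-level case; a corrupted forest or a lost DC is restored from the system state backup via Directory Services Restore Mode, and that procedure is the one to rehearse before it is needed.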
The value of having complete and reliable backups of Active Directory is
aptly illustrated by the case of international shipping giant Maersk, which
was a victim of the NotPetya attack in 2017. Within hours of the malware being
released into its network, Maersk was effectively crippled. Nearly every one
of its 150 domain controllers worldwide was down — and the company
didn’t have a single backup of Active Directory to use to restore
operations. Fortunately for the company, one DC in Ghana happened to be
offline when the malware struck, which meant its data was still intact.
However, the bandwidth at the Ghana office was so slow that uploading the data
from the DC would have taken days, and no one there had a British visa, so the
recovery team had to undertake a kind of relay race involving multi-hour
flights to bring the precious machine to the company’s UK headquarters.
But finally, they were able to use the machine to rebuild the other DCs.
Automate AD tasks
Many Active Directory management tasks are quite tedious and time-consuming, which increases the risk that they will be put off or done incorrectly. Automation can slash IT workload while reducing human error and ensuring timely completion of important but routine tasks. For example, all of the following tasks are prime candidates for at least some level of automation:
User account creation, modification and removal
Computer provisioning and decommissioning
Software deployment and patching
Inventory
Reporting
Directory cleanup
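The first item on that list, user account creation, together with the naming standards discussed earlier, as an added PowerShell example that is not part of the original article. The HR rows are constructed inline; the OU, UPN suffix and ROLE- group convention are hypothetical.

```powershell
# Added example (not from the original article): bulk user provisioning from an HR export
# that applies one naming standard (account name, UPN, role group) to every account.
# The CSV rows are constructed for this example; the OU, suffix and group names are hypothetical.
Import-Module ActiveDirectory

$UsersOU   = 'OU=Users,OU=Chicago,DC=corp,DC=example,DC=com'
$UpnSuffix = 'corp.example.com'

# Constructed input. In production: Import-Csv .\hr-export.csv
$HrExport = @'
EmployeeId,GivenName,Surname,Department,Title
10231,Ada,Lovelace,Finance,Analyst
10232,Grace,Hopper,IT,Systems Engineer
10233,Ada,Lovelace,Legal,Counsel
'@ | ConvertFrom-Csv

function New-StandardSamAccountName {
    # Standard: first initial + surname, lowercase ASCII letters only, at most 20 characters
    # (the sAMAccountName limit), with a numeric suffix when the name is already taken.
    param([string]$GivenName, [string]$Surname)
    $base = ($GivenName.Substring(0, 1) + $Surname).ToLower() -replace '[^a-z]', ''
    $base = $base.Substring(0, [Math]::Min(20, $base.Length))
    $candidate = $base; $i = 2
    while (Get-ADUser -Filter "sAMAccountName -eq '$candidate'") {
        $suffix = "$i"
        $candidate = $base.Substring(0, [Math]::Min($base.Length, 20 - $suffix.Length)) + $suffix
        $i++
    }
    $candidate
}

function New-InitialPassword {
    # 20 bytes from the OS CSPRNG as base64: satisfies complexity, and is replaced at first logon.
    $bytes = New-Object byte[] 20
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

foreach ($row in $HrExport) {
    $sam       = New-StandardSamAccountName -GivenName $row.GivenName -Surname $row.Surname
    $roleGroup = "ROLE-$($row.Department)-Users"          # role groups follow one naming standard
    if (-not (Get-ADGroup -Filter "Name -eq '$roleGroup'")) {
        # Fail closed: a missing role group is a process error to fix, not a reason to improvise.
        Write-Warning "$roleGroup does not exist; skipping employee $($row.EmployeeId)"
        continue
    }
    # CN = account name keeps the object unique in the OU even when two people share a name;
    # DisplayName carries the human-readable form.
    New-ADUser -Name $sam -DisplayName "$($row.GivenName) $($row.Surname)" `
        -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -EmployeeID $row.EmployeeId `
        -Department $row.Department -Title $row.Title -Path $UsersOU `
        -AccountPassword (New-InitialPassword) -ChangePasswordAtLogon $true -Enabled $true `
        -Description "Provisioned $(Get-Date -Format yyyy-MM-dd) from HR export"
    Add-ADGroupMember -Identity $roleGroup -Members $sam
    Write-Host "Created $sam in $roleGroup"
}
```

With the constructed rows, the second Ada Lovelace becomes alovelace2 because the first already exists, and access follows the department through the ROLE- group rather than through per-user ACLs; deprovisioning is then the reverse of this script plus the inactive-account cleanup described under Monitor AD health.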
Where can I learn more about Active Directory?
Active Directory is central to the success of any modern business. Check out these additional helpful pages to learn best practices for the most critical areas of Active Directory:
Businesses cannot operate without Active Directory up and running. Learn why and how to develop a comprehensive Active Directory disaster recovery strategy.
Active Directory delivers key authentication services so it’s critical for migrations to go smoothly. Learn 5 Active Directory migration best practices.