What is Active Directory management and its benefits?

Establish a sound AD structure — or cleaning up the one you already have — is essential to efficient, effective Active Directory management. It will dramatically simplify your ability to manage your Group Policy, help you properly delegate administrative permissions to spread out the management workload without sacrificing security, and streamline common tasks like user account provisioning and reporting.

Establish domains

The basic unit of AD management is the Active Directory domain — a group of related users, computers, printers and other AD objects stored in a single AD database. Domains should be fairly stable entities, so set them up thoughtfully. For example, you might have a domain for your company’s Chicago office and a separate domain for your San Francisco office. Since a domain is a management boundary, your Chicago admins can’t delete users from your San Francisco domain, and your San Francisco admins can’t modify the permissions of users in the Chicago domain.

Create organizational units

To simplify AD management, group the objects in each domain into organizational units (OUs). OUs often mirror the organization's structure; for instance, you might have an OU for each department in your Chicago office: Sales, Marketing, IT, Legal and so on. Some OUs can be temporary — you might create OUs for different projects and dissolve them when the projects are over. However, it’s essential that these changes be made systematically; allowing ad-hoc modifications invariably results in a jumbled AD structure that’s much harder to understand and manage.

Define your schema

Think through your database schema. The schema contains formal definitions of every object class that can be created and every attribute that an AD object can have. Active Directory comes with a default schema, but you will likely need to adapt it to suit your specific business needs. Be sure to design your schema carefully during the planning phase, since changing it later can dramatically disrupt your business, because of the central role AD plays in authentication and authorizations.

Employ standard naming

Across all of levels – domain, OUs, schema – be sure to develop and follow standardized naming practices. That way, it’s easier for everyone to, for example, contact the right user or identify the machine in a particular conference room. It’s especially important to be systematic about naming AD security groups, so you can provision and re-provision users easily and accurately. It’s smart to also add a clear description of the purpose of each security group. It takes only a few seconds and can help you avoid serious problems later.

An IT environment is a dynamic place; you can’t simply set up your Active Directory and forget it, no matter how perfectly you plan your domains, OUs, schemas and so on. Users, computers, printers and other AD objects come and go, so you’ll need procedures for provisioning and deprovisioning, which should be automated as much as possible through approval-based workflows. You should also regularly identify inactive user and computer accounts so you can clean them up before they can be misused.

More broadly, you also need to monitor the health of your domain controllers and the replication of data between them in real time. Otherwise, users might very well experience problems logging in or accessing the resources they need to do their jobs.

Microsoft provides several Active Directory management tools, including Windows PowerShell, Active Directory Users and Computers (ADUC), Local Users and Groups, and the Active Directory Schema snap-ins for Microsoft Management Console (MMC). However, the functionality of native tools is limited; it’s awkward at best to keep switching between tools; and tasks are often manual, time-consuming and error-prone.

Closely track service accounts

Scripts and applications often need more access rights than a typical user account has. But you should not use an administrative account; that often grants the application more access than it needs and puts your admin account at increased risk of being compromised. Instead, the best practice is to create a service account for each application, and grant that account only the permissions it needs, as required by least privilege.

But don’t forget about these accounts. Since service accounts have access to important resources in your IT environment, it’s essential to track what each service account is doing. Proactively look for any unusual or unwarranted activity, which could be a sign that the account has been compromised and is being misused.

Manage Group Policy

Another critical aspect of Active Directory management is administering Group Policy. Group Policy is a set of policies, called Group Policy objects (GPOs), that can be applied to an entire domain or just to certain OUs. For instance, you can use Group Policy to require all users in your Chicago domain to use complex passwords, or to disallow the use of removable media on all computers in just the Finance OU of the Chicago domain. Microsoft provides hundreds of GPOs you can configure.

Group Policy is extremely powerful, so it’s critical to set it up right and carefully manage changes to it. A single improper change to a GPO could lead to downtime or a security breach. Unfortunately, native tools don’t make it easy to keep Group Policy under control.

• Disable PST file creation
• Add frequently used sites to users’ browsers
• Map useful network drives
• Set custom registry values on all computers
• Deploy standard operating systems and other software to all Windows Server machines and other computers
• Run certain scripts on computer startup or shutdown or user login or logout

Implement change control

Any improper change to Active Directory or Group Policy — whether it’s deliberate or accidental — can disrupt critical services and block legitimate user access to resources, hurting business operations. To avoid issues, be sure to plan, document and test all changes, and be sure you can roll back any change that causes unexpected issues.

In addition, it’s invaluable to be able to prevent changes to your most important AD objects, including powerful administrative security groups and crucial GPOs. Quest Change Auditor and GPOADmin streamline change control to strengthen Active Directory management.

Active Directory is central to the success of any modern business. Check out these additional helpful pages to learn best practices for the most critical areas of Active Directory:

• What is Active Directory?
• Active Directory security
• Active Directory migration
• Active Directory reporting
• Active Directory monitoring