An IT environment is a dynamic place; you can’t simply set up your Active Directory and forget it, no matter how carefully you plan your domains, OUs and schema. Users, computers, printers and other AD objects come and go, so you’ll need procedures for provisioning and deprovisioning, automated as far as possible through approval-based workflows. You should also regularly identify inactive user and computer accounts so you can disable and then remove them before they can be misused: a forgotten account with a working password is an easy foothold for an attacker.
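The stale-account sweep described above, as an added example (not code from the original article or from Quest). It assumes the RSAT ActiveDirectory module, a 90-day threshold, and an assumed quarantine OU and service-account OU whose distinguished names appear in the variables; adjust them to your forest.

```powershell
# Added example: find user and computer accounts that have not authenticated in
# 90 days, report them, then disable and quarantine them. OU names are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90
$QuarantineOU = 'OU=Disabled,OU=Quarantine,DC=corp,DC=example'   # assumed OU
$ExcludeOU    = 'OU=ServiceAccounts,DC=corp,DC=example'          # assumed OU; handled separately
$Stamp        = "Disabled $(Get-Date -Format yyyy-MM-dd) by stale-account cleanup"

# Search-ADAccount judges inactivity from lastLogonTimestamp, which is only
# replicated every 9-14 days. The true last logon can therefore be up to two
# weeks more recent than reported, so keep the threshold well above that window.
$span = New-TimeSpan -Days $InactiveDays

$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly     | Where-Object { $_.Enabled }
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly | Where-Object { $_.Enabled }

# Accounts that never logged on at all also show as inactive; skip the ones
# created inside the window (new hires, freshly joined machines).
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$candidates = @($staleUsers) + @($staleComputers) |
    Get-ADObject -Properties whenCreated, lastLogonTimestamp, description |
    Where-Object { $_.whenCreated -lt $cutoff -and $_.DistinguishedName -notlike "*,$ExcludeOU" }

# 1. Report first; the CSV is the record the owner reviews before anything changes.
$candidates |
    Select-Object Name, ObjectClass, DistinguishedName, whenCreated,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } } |
    Export-Csv -NoTypeInformation -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv"

# 2. Disable and move, never delete in the same pass: a disabled account in a
#    quarantine OU can be put back in minutes if someone complains; a deleted one cannot.
#    -WhatIf keeps this a dry run; remove it once the report has been reviewed.
foreach ($obj in $candidates) {
    Set-ADObject     -Identity $obj.DistinguishedName -Replace @{ description = $Stamp } -WhatIf
    Disable-ADAccount -Identity $obj.DistinguishedName -WhatIf
    Move-ADObject    -Identity $obj.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}
```

Delete the contents of the quarantine OU on a separate schedule (for example 30 days after the stamp in the description), so that the disable step and the irreversible step are never the same action.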
More broadly, you also need to monitor the health of your domain controllers and the replication of data between them, continuously rather than when someone complains. A DC that is down, not advertising, or weeks behind its replication partners means users experience failed logons, stale group memberships and missing resources, and the problem surfaces first as a helpdesk ticket rather than an alert.
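A scheduled replication and DC health check, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module on the machine running it; the three-hour staleness threshold is an assumption to tune against your site-link schedules.

```powershell
# Added example: replication health and DC reachability across the forest,
# intended to run from a scheduler and exit non-zero when something is wrong.
Import-Module ActiveDirectory

$forest = (Get-ADForest).Name
$dcs    = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

# 1. Failures the DCs themselves have recorded (RPC errors, access denied, missing partners).
$failures = Get-ADReplicationFailure -Target $forest -Scope Forest

# 2. Per-link metadata: when each inbound partner last replicated successfully.
#    Intra-site replication runs within seconds; inter-site links follow the
#    site-link schedule (180 minutes by default), so a few hours is the tolerance here.
$maxAgeHours = 3   # assumption: adjust to your slowest site link
$stale = Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest -PartnerType Inbound |
    Where-Object {
        $_.LastReplicationResult -ne 0 -or
        ((Get-Date) - $_.LastReplicationSuccess).TotalHours -gt $maxAgeHours
    } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures

# 3. Is every DC reachable and answering LDAP? A DC that is up but not
#    advertising still breaks logons for the clients in its site.
$reach = foreach ($dc in $dcs) {
    [pscustomobject]@{
        DC   = $dc.HostName
        Site = $dc.Site
        Ping = Test-Connection   -ComputerName $dc.HostName -Count 1 -Quiet
        LDAP = Test-NetConnection -ComputerName $dc.HostName -Port 389 -InformationLevel Quiet
        IsGC = $dc.IsGlobalCatalog
        FSMO = ($dc.OperationMasterRoles -join ',')
    }
}
$unreachable = $reach | Where-Object { -not ($_.Ping -and $_.LDAP) }

$problems = @($failures).Count + @($stale).Count + @($unreachable).Count
if ($problems -gt 0) {
    $failures    | Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize
    $stale       | Format-Table -AutoSize
    $unreachable | Format-Table -AutoSize
    # Drill in with the built-in tools, which ship on every DC:
    #   repadmin /replsummary                       forest-wide summary, largest delta, failure %
    #   repadmin /showrepl <dc> /errorsonly         one DC's inbound links and their errors
    #   dcdiag /s:<dc> /test:Advertising /test:Replications /test:SysVolCheck
    exit 1   # non-zero so the scheduler or monitoring agent raises an alert
}
```

The exit code is the point: a report nobody reads is not monitoring. Wire the non-zero exit into whatever already pages the on-call engineer.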
Microsoft provides several native Active Directory management tools: the ActiveDirectory and GroupPolicy PowerShell modules, and the Active Directory Users and Computers (ADUC), Active Directory Administrative Center (ADAC), Sites and Services, Domains and Trusts and Schema snap-ins for the Microsoft Management Console (MMC). (Local Users and Groups manages accounts in a machine’s local SAM, not AD objects.) However, the functionality of the native tools is limited; it’s awkward at best to keep switching between them; and tasks are often manual, time-consuming and error-prone.
Scripts and applications often need more rights than a standard user account has. Do not solve this by running them under an administrator account: that grants the application far more access than it needs, and any compromise of the application becomes a compromise of the admin account. Instead, create a dedicated service account for each application and grant it only the permissions it needs, as least privilege requires. Where the application supports it, prefer a group Managed Service Account (gMSA), whose password is generated, rotated and retrieved by AD itself, over a conventional user account whose password is set by hand, stored in a config file and never changed.
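Provisioning a gMSA the way the paragraph above recommends, as an added example (not code from the original article or from Quest). The OU, group, host and account names are assumptions; the rights granted in step 4 stand in for whatever the application actually needs.

```powershell
# Added example: create a gMSA for an application, restrict which hosts may use
# it, grant it narrowly scoped rights, and show how the service consumes it.
Import-Module ActiveDirectory

$ou       = 'OU=ServiceAccounts,DC=corp,DC=example'   # assumed
$gmsa     = 'svc-inventory'                            # assumed
$hostGrp  = 'svc-inventory-hosts'                      # assumed
$appHosts = 'APP01$', 'APP02$'                         # assumed computer accounts that run the service

# 1. One KDS root key per forest; every gMSA password is derived from it. A new key
#    is usable only after ~10 hours, the time it takes to replicate to all DCs.
#    Back-dating the effective time, as here, is a lab shortcut: in production
#    create the key, then wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null
}

# 2. Only members of this group can retrieve the password, so the account is
#    unusable from any other machine even if its credential were somehow copied.
New-ADGroup -Name $hostGrp -GroupScope DomainLocal -Path $ou -Description 'Hosts allowed to run svc-inventory'
Add-ADGroupMember -Identity $hostGrp -Members $appHosts
# The hosts need a new Kerberos ticket (a reboot is the simple way) before the
# group membership shows up in their token.

# 3. The account itself. AD rotates the password (every 30 days here), no human
#    ever knows it, and AES-only Kerberos keeps RC4 out of the picture.
New-ADServiceAccount -Name $gmsa `
    -DNSHostName "$gmsa.corp.example" `
    -Path $ou `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGrp `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256 `
    -Description 'Inventory API; owner: app team (assumed)'

# 4. Grant rights as close to the resource as possible, not via a privileged
#    group. Example: modify on the service's own data folder (assumed path).
icacls 'D:\Data\Inventory' /grant "CORP\$gmsa`$:(OI)(CI)M"

# 5. On each application host (run there, not on the DC):
#    Install-ADServiceAccount -Identity 'svc-inventory'
#    Test-ADServiceAccount    -Identity 'svc-inventory'   # True once the host can fetch the password
#    sc.exe config InventorySvc obj= 'CORP\svc-inventory$' password= ''
#    Windows fetches the password at service start; no secret lives in a config file.
```

If the application needs rights inside AD (for example, resetting passwords in one OU), delegate that right on that OU alone rather than adding the account to Account Operators or Domain Admins.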
But don’t forget about these accounts once they exist. Service accounts hold standing access to important resources, their passwords rarely change, and nobody notices when they are used outside office hours, which makes them a favourite target for lateral movement. Record where and how each service account is supposed to log on, then proactively look for anything outside that baseline: an interactive or RDP logon with a service account, or a logon from a host that should not be running the service, is a sign that the account has been compromised and is being misused.
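Baselining a service account’s logons from Security event 4624 and flagging the ones that do not fit, as an added example that is not part of the original article. It runs on the hosts where the account logs on, or on a collector receiving their forwarded Security logs; the account name, the allow-list of hosts and addresses, and the seven-day window are assumptions.

```powershell
# Added example: where and how does this service account log on, and which
# logons are outside its expected pattern? Names and addresses are assumptions.
$Account         = 'svc-inventory$'                          # gMSAs carry a trailing $
$ExpectedSources = 'APP01', 'APP02', '10.0.5.11', '10.0.5.12' # assumed hosts/IPs allowed to use it
$Days            = 7

# Let the event log filter on the account: an XPath over EventData avoids
# pulling every 4624 in the log. timediff() is in milliseconds.
$ms    = $Days * 24 * 3600 * 1000
$xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
         "and EventData[Data[@Name='TargetUserName']='$Account']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Kerberos network logons often carry '-' for the workstation; fall back to the IP.
    $src = if ($data.WorkstationName -and $data.WorkstationName -ne '-') { $data.WorkstationName } else { $data.IpAddress }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Computer  = ($e.MachineName -split '\.')[0]   # where the logon happened
        LogonType = [int]$data.LogonType
        Source    = $src                              # where it came from
        Process   = $data.ProcessName
    }
}

# What "normal" looks like: one line per (host, logon type, source), most common first.
$logons | Group-Object Computer, LogonType, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Things a service account should never do:
#   types 2, 10, 7  interactive, RDP, unlock: a person is driving the account
#   types 4, 5      batch/service logon on a host that is not supposed to run it
#   type 3          network logon originating from a source not on the allow list
$suspicious = $logons | Where-Object {
    $_.LogonType -in 2, 7, 10 -or
    ($_.LogonType -in 4, 5 -and $_.Computer -notin $ExpectedSources) -or
    ($_.LogonType -eq 3   -and $_.Source   -notin $ExpectedSources)
}
$suspicious | Sort-Object Time | Format-Table Time, Computer, LogonType, Source, Process -AutoSize
```

On domain controllers the same question is better asked of events 4768 and 4769 (Kerberos TGT and service-ticket requests), which show every host the account authenticated to across the domain rather than only the logons on the machine you are querying.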
Another critical aspect of Active Directory management is administering Group Policy. Settings are bundled into Group Policy objects (GPOs), which are linked to sites, domains or OUs and apply to every user and computer in that scope. For instance, you can use Group Policy to require all users in your Chicago domain to use complex passwords (a domain-wide password policy, normally set in the Default Domain Policy GPO), or to disallow the use of removable media on all computers in just the Finance OU of the Chicago domain. Microsoft ships thousands of configurable policy settings; a new domain contains only the two default GPOs, and every other GPO is one you create and must manage.
Group Policy is extremely powerful, so it’s critical to set it up right and carefully manage changes to it. A single improper change to a GPO could lead to downtime or a security breach. Unfortunately, native tools don’t make it easy to keep Group Policy under control.
Any improper change to Active Directory or Group Policy, whether deliberate or accidental, can disrupt critical services and block legitimate user access to resources, hurting business operations. To avoid issues, plan, document and test every change, and make sure you can roll back any change that causes unexpected results before you make it, not after.
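The controlled Group Policy change the preceding paragraphs describe (the removable-media restriction for the Finance OU, built, backed up, tested and with a rollback path), as an added example that is not code from the original article. It assumes the RSAT GroupPolicy and ActiveDirectory modules; the GPO name, OU distinguished name and backup directory are assumptions.

```powershell
# Added example: build a GPO unlinked, back up everything it could affect, link it
# to a pilot scope, then to the real OU, and keep the rollback commands to hand.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Finance - Deny removable storage'                  # assumed
$TargetOU  = 'OU=Finance,DC=chicago,DC=corp,DC=example'          # assumed
$PilotOU   = 'OU=Pilot,OU=Finance,DC=chicago,DC=corp,DC=example' # assumed
$BackupDir = 'D:\GPOBackups'                                     # assumed
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Create the GPO without linking it: nothing applies until it has been reviewed.
New-GPO -Name $GpoName -Comment 'Blocks all removable storage classes in Finance; see change record' | Out-Null

# The "All Removable Storage classes: Deny all access" setting is this registry policy.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 2. Document and back up before changing anything that is live: the new GPO, and
#    every GPO already linked to the target OU (the ones an accident would hit).
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $BackupDir "$GpoName.html")
Backup-GPO -Name $GpoName -Path $BackupDir | Out-Null
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    ForEach-Object { Backup-GPO -Guid $_.GpoId -Path $BackupDir | Out-Null }

# 3. Test on a pilot OU first. On a machine in that OU run
#      gpupdate /force
#      Get-GPResultantSetOfPolicy -ReportType Html -Path .\rsop.html
#    and confirm the RemovableStorageDevices value is present and USB storage is refused.
New-GPLink -Name $GpoName -Target $PilotOU -LinkEnabled Yes | Out-Null

# 4. Only after the pilot passes: link to the real OU. Leave -Enforced off unless
#    you have a reason; enforced links override block-inheritance further down.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced No | Out-Null

# 5. Rollback, in order of speed. Unlinking stops the policy applying at the next
#    refresh; restoring from backup undoes edits to the settings themselves.
#      Remove-GPLink -Name $GpoName -Target $TargetOU
#      Restore-GPO   -Name $GpoName -Path $BackupDir
```

The GPO backup also captures the linked GPO’s SYSVOL content, which the AD Recycle Bin does not, so a backup taken immediately before each change is the cheapest change-control you can have.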
In addition, it’s invaluable to be able to prevent changes to your most important AD objects, including powerful administrative security groups and crucial GPOs. Quest Change Auditor and GPOADmin streamline change control to strengthen Active Directory management.
To ensure productivity and business continuity, you need to regularly back up your AD and be able to quickly recover from any incident or disaster at the object and attribute level, the directory level and the operating system level across the entire forest. The AD Recycle Bin, once enabled, lets you restore recently deleted objects with their attributes and group memberships intact, but it does nothing for attributes that were overwritten rather than deleted, for SYSVOL content such as GPO templates and scripts, or for a domain controller whose operating system has been destroyed. It is not, and was never meant to be, an enterprise backup and recovery solution.
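The two layers the paragraph above distinguishes, shown side by side as an added example (not code from the original article or from Quest): the Recycle Bin for deleted objects, and a system-state backup for everything it cannot bring back. The forest name is read from AD; the backup target volume and the seven-day window are assumptions.

```powershell
# Added example: Recycle Bin restore of a deleted OU tree, and the system-state
# backup you need for everything the Recycle Bin does not cover.
Import-Module ActiveDirectory

$forest = (Get-ADForest).Name

# 1. Enable the Recycle Bin once per forest. This cannot be undone. Afterwards a
#    deleted object keeps its attributes for msDS-deletedObjectLifetime (180 days
#    by default) instead of decaying into a tombstone with most attributes stripped.
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# 2. What was deleted in the last week, with the attribute a restore needs.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, objectClass |
    Where-Object { $_.whenChanged -gt (Get-Date).AddDays(-7) }

$deleted | Select-Object Name, objectClass, whenChanged, lastKnownParent | Format-Table -AutoSize

# 3. Restoring a deleted OU and its contents: the container must exist again before
#    its children can be restored into it, so restore shallowest parents first.
#    -WhatIf makes this a dry run; drop it to restore.
$deleted |
    Sort-Object { ($_.lastKnownParent -split ',(?=\w+=)').Count } |
    ForEach-Object { Restore-ADObject -Identity $_.ObjectGUID -WhatIf }

# 4. Everything else needs a real backup. A system-state backup from Windows Server
#    Backup (install the feature first) captures the DIT, SYSVOL, the registry and
#    boot files, and is what an authoritative or full restore is built from.
#    Take one on at least two DCs per domain and keep copies off the domain, so a
#    domain-wide wiper like NotPetya cannot destroy the backups with the DCs.
wbadmin start systemstatebackup -backupTarget:E: -quiet     # E: is an assumed backup volume

# A backup older than the forest's tombstone lifetime (180 days for forests created
# on Windows Server 2003 SP1 or later; 60 days before that) cannot be restored at all,
# so the schedule must be far shorter than that, and restores must be rehearsed.
```

Step 3 restores everything deleted in the window; in practice filter `$deleted` down to the one OU tree you mean before removing `-WhatIf`.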
The value of having complete and reliable backups of Active Directory is aptly illustrated by the case of international shipping giant Maersk, which was a victim of the NotPetya attack in 2017. Within hours of the malware being released into its network, Maersk was effectively crippled. Nearly every one of its roughly 150 domain controllers worldwide was down, and the company didn’t have a single backup of Active Directory to use to restore operations: its DCs replicated to one another, so nobody had thought a separate backup was needed. Fortunately for the company, one DC in Ghana happened to be offline because of a power outage when the malware struck, which meant its data was still intact. However, the bandwidth at the Ghana office was so slow that uploading the data from the DC would have taken days, and no one there had a UK visa, so the recovery team had to undertake a kind of relay race involving multi-hour flights to carry the machine to the recovery effort in the UK. Only then were they able to use it to rebuild the other DCs.
Many Active Directory management tasks are tedious and time-consuming, which increases the risk that they will be put off or done incorrectly. Automation can slash IT workload while reducing human error and ensuring that important but routine tasks are actually completed on time. For example, all of the following tasks are prime candidates for at least some level of automation:
Quest is a vendor of Active Directory solutions and can help you manage, secure, migrate and report on your AD environment.