Change Control in an AD setup

Can anybody offer me some advice on ultra secure change control for changes made to Active Directory settings? I am really after an opinion on what works for you (in your setup, and essentially so we can use some of the advice to form some ultra secure change control processes that satisfy our auditors.

We have a 3rd party IT FM, and recently an independent security review raised concerns the process of change control in the our network should be improved. I take there advice on board, and I really want to go to town ensuring change control procedures are super efficient and secure here, so I wondered if there are any good advice you can give us, i.e. the level of review and authorisation before a change goes live into our domains, the level of testing before a change goes live, the documented procedures we need to have in place from our side, and what the IT FM need on there side etc etc.

Any best practice will be helpful, or even any lessons learnt you found at your setup which perhaps failed audits / security reviews, and how you plugged the gaps to get your change control procedures ultra secure and satisfying these security reviews / external audits?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

What your auditors are after is accountability at all stages of the Change process, and the process itself ( :-) )
Really, an ideal start would be to look at the ITIL change management process (used wher I work...oddly a 3rd party IT FM firm) will get you started.
Auditing requires documentation and process control - what you need to do is define what the SLA requirements are and from that define the OLA levels of responsibility - all this will be in the change process
Read through the ITIL guide and that will get you going in the right direction - it's not a bible, just a guidance
enable Active Directory Auditing.  (for Win2k3, see

you probably have multiple DCs.  If you want to collect all AD oject access in one place, you'll need either:

a. scripting ability
b. a third party log collection tool
c. upgrade to Windows 2008 which has Event Subscription capability (viz. one DC can serve as the collection point for event logs from multiple DC's)

The way you implement Change Control is affected by solid topology design

I consulted in a well designed web-dev & hosting environment recently, where each stage in the deployment process was matched by a separate forest.  DEV, STAGING, UAP, PRODUCTION, BUSINESS (where all active admin accounts were stored).  Security boundaries were traversed using ADFS.  A well managed deployment process was directed by Sharepoint-based templates.  The environment, although apparently complex, maintained a set of uniform management protocols, which meant that each forest (and sub-domain) was managed in exactly the same way. The orderly & well documented design encouraged technical staff to maintain the change control process throughout.

You probably don't want to redesign your network topology to add loads of forests (sic!) but the above example illustrates, that a clear design with well thought out security boundaries, lends itself to keeping hold of the change-control reins.   Maybe you could accomplish a similar thing as my client by using separate domains.

3. KISS Principle
Change Control is also affected by the number & complexity of documents, forms, screens that must be completed to achieve change approval.  Simplify, simplify, simplify.  

Give your tech staff clear directions on which changes CAN be short-cutted and which require stricter change control.  eg. You only need manager approval via email to add a user to a AD group, but you may need full change control approval to add a new group to AD or to apply a new GPO to an OU.

Make sure your change-control directions come from an approved source.

eg. While consulting at a local government institution in the UK recently, I was gob-smacked to see a blind eye turned when 10 applications were rolled onto a live production Citrix farm of around 70 servers, sans change control!!   The "argument" was made (2 weeks later!) that the project had not been "fully commissioned" yet, even though over 2500 users were connecting to it every day!  

On the other hand, one week later, the ill-informed Helpdesk Manager sent a sternly worded message to Support staff insisting that no-one was to use Active Directory anymore, as some change control 3rd party software would now handle all AD changes.  All 3rd-liners cocked their heads, raised their eyebrows, wagged their fingers and sent the message to Deleted Items.

ITIL outlines change management process ideals, interalia.   I have worked within a number of organisations at various stages of ITIL-compliance, with vastly differing take-up.  One so-called ITIL organisation allowed infrastructure engineers to log on to all domain servers as the domain administrator!  Imagine what an encouragement that was to fill out change control forms & spreadsheets which were overly complex & tedious to fill out.

At the end of the day, if you make it hard (read complicated & long-winded) for staff to adhere to good change control procedures, and if you make it easy for them to thwart the same, your ITIL change-control procedures may be largely ignored.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.