Change Control in an AD setup

Posted on 2009-07-01
Last Modified: 2013-11-05
Can anybody offer me some advice on ultra-secure change control for changes made to Active Directory settings? I am really after an opinion on what works for you (in your setup), essentially so we can use some of the advice to form some ultra-secure change control processes that satisfy our auditors.

We have a 3rd-party IT FM, and recently an independent security review raised concerns that the process of change control in our network should be improved. I take their advice on board, and I really want to go to town ensuring change control procedures are super efficient and secure here, so I wondered if there is any good advice you can give us, i.e. the level of review and authorisation before a change goes live into our domains, the level of testing before a change goes live, the documented procedures we need to have in place from our side, what the IT FM need on their side, etc.

Any best practice will be helpful, or even any lessons learnt at your setup which perhaps failed audits / security reviews, and how you plugged the gaps to get your change control procedures ultra secure and satisfying these security reviews / external audits?
Question by:pma111

Assisted Solution

Kieran_Burns earned 100 total points
ID: 24753048
What your auditors are after is accountability at all stages of the Change process, and the process itself ( :-) )
Really, an ideal start would be to look at the ITIL change management process (used where I work...oddly a 3rd-party IT FM firm); that will get you started.
Auditing requires documentation and process control - what you need to do is define what the SLA requirements are and from that define the OLA levels of responsibility - all this will be in the change process.
Read through the ITIL guide and that will get you going in the right direction - it's not a bible, just guidance.

Accepted Solution

graystoke earned 150 total points
ID: 24762066
enable Active Directory Auditing.  (for Win2k3, see

You probably have multiple DCs.  If you want to collect all AD object access in one place, you'll need either:

a. scripting ability
b. a third party log collection tool
c. upgrade to Windows 2008, which has Event Subscription capability (viz. one DC can serve as the collection point for event logs from multiple DCs)

The way you implement Change Control is affected by solid topology design

I consulted in a well designed web-dev & hosting environment recently, where each stage in the deployment process was matched by a separate forest.  DEV, STAGING, UAP, PRODUCTION, BUSINESS (where all active admin accounts were stored).  Security boundaries were traversed using ADFS.  A well managed deployment process was directed by Sharepoint-based templates.  The environment, although apparently complex, maintained a set of uniform management protocols, which meant that each forest (and sub-domain) was managed in exactly the same way. The orderly & well documented design encouraged technical staff to maintain the change control process throughout.

You probably don't want to redesign your network topology to add loads of forests (sic!) but the above example illustrates that a clear design with well-thought-out security boundaries lends itself to keeping hold of the change-control reins.   Maybe you could accomplish a similar thing to my client's by using separate domains.

3. KISS Principle
Change Control is also affected by the number & complexity of documents, forms, screens that must be completed to achieve change approval.  Simplify, simplify, simplify.  

Give your tech staff clear directions on which changes CAN be short-cut and which require stricter change control.  e.g. You only need manager approval via email to add a user to an AD group, but you may need full change control approval to add a new group to AD or to apply a new GPO to an OU.

Make sure your change-control directions come from an approved source.

eg. While consulting at a local government institution in the UK recently, I was gob-smacked to see a blind eye turned when 10 applications were rolled onto a live production Citrix farm of around 70 servers, sans change control!!   The "argument" was made (2 weeks later!) that the project had not been "fully commissioned" yet, even though over 2500 users were connecting to it every day!  

On the other hand, one week later, the ill-informed Helpdesk Manager sent a sternly worded message to Support staff insisting that no-one was to use Active Directory anymore, as some change control 3rd party software would now handle all AD changes.  All 3rd-liners cocked their heads, raised their eyebrows, wagged their fingers and sent the message to Deleted Items.

ITIL outlines change management process ideals, inter alia.   I have worked within a number of organisations at various stages of ITIL-compliance, with vastly differing take-up.  One so-called ITIL organisation allowed infrastructure engineers to log on to all domain servers as the domain administrator!  Imagine what an encouragement that was to fill out change control forms & spreadsheets which were overly complex & tedious to fill out.

At the end of the day, if you make it hard (read complicated & long-winded) for staff to adhere to good change control procedures, and if you make it easy for them to thwart the same, your ITIL change-control procedures may be largely ignored.
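Putting the collection advice (options a to c above) and the tiered approvals (email approval for group membership, full change control for new groups and GPO links) into practice, as an added example that is not part of graystoke's answer or the original thread: the PowerShell below pulls the relevant Security events from every DC and tags each one with the approval tier the answer proposes, so the list can be reconciled against change tickets and approval emails. It assumes Windows Server 2008 or later DCs (the event IDs below are the 2008+ numbering; Windows 2003 uses different IDs, which is one more reason to standardise on 2008+), the ActiveDirectory PowerShell module, and that the audit subcategories and object SACLs are already enabled. The tier labels and the seven-day window are choices made for this example.

```powershell
# Added example, not code from the original thread. Assumes Windows Server 2008+
# DCs, the ActiveDirectory RSAT module, and that the "Directory Service Changes"
# and "Security Group Management" audit subcategories are enabled on every DC
# (via the Default Domain Controllers Policy, or per DC with
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable).
# Event 5136 is only raised for objects whose SACL audits attribute writes.

Import-Module ActiveDirectory

# Server 2008+ Security event IDs mapped to the approval tier the answer
# proposes. The tier labels are assumptions made for this example.
$tiers = @{
    4728 = 'email-approval'        # member added to security-enabled global group
    4732 = 'email-approval'        # member added to security-enabled local group
    4756 = 'email-approval'        # member added to security-enabled universal group
    4727 = 'full-change-control'   # security-enabled global group created
    4731 = 'full-change-control'   # security-enabled local group created
    4754 = 'full-change-control'   # security-enabled universal group created
    5136 = 'full-change-control'   # directory object modified; filtered to gPLink below
}

$since = (Get-Date).AddDays(-7)   # review window; an assumption for the example

# Ask every DC: the audit record is written on whichever DC serviced the
# LDAP write, and Security logs are not replicated between DCs.
$changes = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = [int[]]$tiers.Keys
            StartTime = $since
        } | ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a lookup.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

            # For 5136 keep only gPLink writes, i.e. a GPO linked to or unlinked
            # from an OU, the domain or a site; other attribute writes are noise here.
            if ($_.Id -eq 5136 -and $data['AttributeLDAPDisplayName'] -ne 'gPLink') { return }

            $target = if ($_.Id -eq 5136) { $data['ObjectDN'] } else { $data['TargetUserName'] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc.HostName
                EventId = $_.Id
                Tier    = $tiers[[int]$_.Id]
                Actor   = $data['SubjectUserName']
                Target  = $target
                Member  = $data['MemberName']   # set for 4728/4732/4756 only
            }
        }
    } catch {
        # Get-WinEvent reports "no events found" as an error; that is not a failure.
        if ($_.Exception.Message -notlike 'No events were found*') {
            Write-Warning "Could not read the Security log on $($dc.HostName): $_"
        }
    }
}

# Reconcile this list with the change tickets and approval emails for the
# window: a row with no matching record is an unauthorised change.
$changes | Sort-Object Time |
    Format-Table Time, DC, EventId, Tier, Actor, Target, Member -AutoSize
```

Run it from an administrative workstation whose account can read each DC's Security log remotely. If you take option (c) and forward the DCs' events to one collector with Event Subscriptions (wecutil), the same filter can be run once against that collector's ForwardedEvents log instead of looping over the DCs.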
