AD change control examples

Can you give some examples of changes to your active directory that go through change control, and those that typically wouldn’t require going through change control as they are low risk? I have been tasked with doing some change control audit checks but a list of perhaps 5-10 issues that do need to go through change control and 5-10 that don’t, that would be a very good starting point. Maybe Microsoft has some suggestions for standard changes that don’t need to go through full change control, and others that do, but I couldn’t find such a list.
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I would plan changes for:

1) Adding new Domain Controller
2) Decommissioning old/broken Domain Controller
3) New Site configuration or existing Site reconfiguration
4) Creating new domain
5) Schema extension
6) Raising Domain/Forest Functional Levels
7) Modifying universal group members
8) Non-authoritative/Authoritative restore of Domain Controller or any other domain objects
9) AD database maintenance work
10) Bulk user/group import/delete

That's all I can think of now :)

pma111 (Author) commented:
OK thanks. What kind of common AD changes do you get that wouldn't typically need a formal change control record/backout plans, just so I can visualise which do and which don't? I assume the above 10 are potentially high risk changes whereas other issues are trivial in terms of risk?

pma111 (Author) commented:
Modifying universal group members - what's the definition of universal, any security group in your AD?
Krzysztof Pytko (Senior Active Directory Engineer) commented:
Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.

AD groups have 3 scopes:
- Domain local
- Global
- Universal

If your group in AD is configured as universal and you have more than 1 domain, I would suggest planning updates because each universal group modification is directly replicated between all domains. Regular and massive changes in that/those groups may lead to much AD replication traffic within a network.
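
Added example, not part of the original thread: for an audit check on the "modifying universal group members" item, this PowerShell sketch lists membership changes on universal groups within a time window so they can be compared against change records. The 30-day window and the use of the PDC emulator as the query target are assumptions; it reads the current domain only.

```powershell
# Added example: recent membership changes on universal groups, for comparison
# with change-control records. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$DaysBack = 30                              # assumed audit window
$Since    = (Get-Date).AddDays(-$DaysBack)
$Server   = (Get-ADDomain).PDCEmulator      # any writable DC in the domain works

$groups = Get-ADGroup -Filter 'GroupScope -eq "Universal"' -Server $Server

$changes = foreach ($group in $groups) {
    # One metadata entry per member link value, including removed links that
    # are still retained by the directory.
    $meta = Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $Server -Properties member -ShowAllLinkedValues

    foreach ($entry in $meta) {
        if ($entry.LastOriginatingChangeTime -lt $Since) { continue }

        # Heuristic: a present link keeps the 1601 epoch as its delete time.
        $action = if ($entry.LastOriginatingDeleteTime.Year -gt 1601) { 'Removed' } else { 'Added' }

        [pscustomobject]@{
            Group     = $group.Name
            Category  = $group.GroupCategory
            Member    = $entry.AttributeValue
            Action    = $action
            ChangedAt = $entry.LastOriginatingChangeTime
            OriginDC  = $entry.LastOriginatingChangeDirectoryServerIdentity
        }
    }
}

$changes | Sort-Object ChangedAt -Descending | Format-Table -AutoSize
```

Replication metadata records when a change originated and on which domain controller, not who made it, so each row still has to be matched to a change record or to security event logs.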

pma111 (Author) commented:
>>Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.

Could you provide a few examples?

Krzysztof Pytko (Senior Active Directory Engineer) commented:
1) New user/group creation
2) Non-universal group membership changes
3) Performing system state backup of domain controllers
4) Adding static records to DNS
5) Disabling stale user accounts
6) AD database replication
7) DHCP server authorization/unauthorization

And a few more about risk:
11) Domain Controller restart (risk/low risk depends on how many DCs are available)
12) DNS zone reconfiguration (enabling aging and scavenging, bulk records creation/deletion)
