

AD change control examples

Posted on 2012-09-07
Medium Priority
Last Modified: 2012-09-07
Can you give some examples of changes to your active directory that go through change control, and those that typically wouldn’t require going through change control as they are low risk? I have been tasked with doing some change control audit checks but a list of perhaps 5-10 issues that do need to go through change control and 5-10 that don’t, that would be a very good starting point. Maybe Microsoft has some suggestions for standard changes that don’t need to go through full change control, and others that do, but I couldn’t find such a list.
Question by:pma111

Accepted Solution

Krzysztof Pytko earned 2000 total points
ID: 38375858
I would plan changes for:

1) Adding new Domain Controller
2) Decommissioning old/broken Domain Controller
3) New Site configuration or existing Site reconfiguration
4) Creating new domain
5) Schema extension
6) Raising Domain/Forest Functional Levels
7) Modifying universal group members
8) Non-authoritative/Authoritative restore of Domain Controller or any other domain objects
9) AD database maintenance work
10) Bulk user/group import/delete

That's all I can think of now :)


Author Comment

ID: 38375870
OK thanks, what kind of common AD changes do you get that wouldn't typically need a formal change control record/backout plans, just so I can visualise which do and which don't? I assume the above 10 are potentially high risk changes whereas other issues are trivial in terms of risk?

Author Comment

ID: 38375874
Modifying universal group members - what's the definition of universal, any security group in your AD?

Expert Comment

by:Krzysztof Pytko
ID: 38375883
Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.

AD groups have 3 scopes:
- Domain local
- Global
- Universal

If your group in AD is configured as universal and you have more than 1 domain, I would suggest planning updates, because each universal group modification is directly replicated between all domains. Regular and massive changes in that/those groups may lead to much AD replication traffic within a network.
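
For the audit check the question asks about, one way to list recent universal group membership changes so they can be matched against change records. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module, read access to every domain in the forest, and a 30-day review window.

```powershell
# Added example: report universal-group membership changes per domain.
# Assumptions: ActiveDirectory module installed, read access to all domains,
# and a 30-day audit window (adjust $WindowDays to the audit period).
Import-Module ActiveDirectory

$WindowDays = 30
$Since      = (Get-Date).AddDays(-$WindowDays)

$report = foreach ($domainName in (Get-ADForest).Domains) {

    # Only universal groups are in scope: their changes replicate to all domains.
    $groups = Get-ADGroup -Server $domainName -Filter "GroupScope -eq 'Universal'"

    foreach ($g in $groups) {
        # Per-member replication metadata for the 'member' attribute.
        # Members added before linked-value replication was enabled carry no
        # per-value metadata and will not appear here.
        Get-ADReplicationAttributeMetadata -Object $g.DistinguishedName `
                -Server $domainName -Properties member -ShowAllLinkedValues |
            Where-Object { $_.LastOriginatingChangeTime -ge $Since } |
            ForEach-Object {
                # Assumption: a delete time still at the 1601 epoch means the
                # link value is present (an add); a later one means a removal.
                $removed = $_.LastOriginatingDeleteTime.Year -gt 1601
                [pscustomobject]@{
                    Domain   = $domainName
                    Group    = $g.Name
                    Member   = $_.AttributeValue
                    Action   = if ($removed) { 'Removed' } else { 'Added' }
                    Changed  = $_.LastOriginatingChangeTime
                    OriginDC = $_.LastOriginatingChangeDirectoryServerIdentity
                }
            }
    }
}

# Each row should map to an approved change record; rows without one are findings.
$report | Sort-Object Changed | Format-Table -AutoSize
```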


Author Comment

ID: 38375891
>>Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.

Could you provide a few examples?

Expert Comment

by:Krzysztof Pytko
ID: 38375908
1) New user/group creation
2) Non-universal group membership changes
3) Performing system state backup of domain controllers
4) Adding static records to DNS
5) Disabling stale user accounts
6) AD database replication
7) DHCP server authorization/unauthorization

And a few more about risk:
11) Domain Controller restart (risk/low risk depends on how many DCs are available)
12) DNS zone reconfiguration (enabling aging and scavenging, bulk records creation/deletion)

