Pau Lo
asked on
AD change control examples
Can you give some examples of changes to your active directory that go through change control, and those that typically wouldn’t require going through change control as they are low risk? I have been tasked with doing some change control audit checks but a list of perhaps 5-10 issues that do need to go through change control and 5-10 that don’t, that would be a very good starting point. Maybe Microsoft has some suggestions for standard changes that don’t need to go through full change control, and others that do, but I couldn’t find such a list.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Modifying universal group members - whats the definition of univeral, any security group in your AD?
Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.
AD groups have 3 scopes:
- Domain local
- Global
- Universal
if your group in AD is configured as universal and you have more than 1 domain, I would suggest to plan updates because each universal group modification is directly replicated between all domains. Regular and massive changes in that/those groups may lead to much AD replication traffic within a network
Krzysztof
AD groups have 3 scopes:
- Domain local
- Global
- Universal
if your group in AD is configured as universal and you have more than 1 domain, I would suggest to plan updates because each universal group modification is directly replicated between all domains. Regular and massive changes in that/those groups may lead to much AD replication traffic within a network
Krzysztof
ASKER
>>Yes, other tasks are low risk and you can do changes to record activities or just skip them if you wish.
Could you provide a few examples?
Could you provide a few examples?
1) New user/group creation
2) Non-universal group membership changes
3) Performing system state backup of domain controllers
4) Adding static records to DNS
5) Disabling stale user accounts
6) AD database replication
7) DHCP server authorization/unauthorizat
and few more about risk
11) Domain Controller restart (risk/low risk depends on how many DCs are available)
12) DNS zone reconfiguration (enabling aging and scavenging, bulk records creation/deletion)
Krzysztof
2) Non-universal group membership changes
3) Performing system state backup of domain controllers
4) Adding static records to DNS
5) Disabling stale user accounts
6) AD database replication
7) DHCP server authorization/unauthorizat
and few more about risk
11) Domain Controller restart (risk/low risk depends on how many DCs are available)
12) DNS zone reconfiguration (enabling aging and scavenging, bulk records creation/deletion)
Krzysztof
ASKER