Solved

Active Directory Setup

Posted on 2013-01-02
414 Views
Last Modified: 2013-01-03
Hi,

I started working at a new company and got the task of reorganising their AD.

I know what AD is and how it runs, but for my reorganisation does anyone have tips or tricks?

I can tell you the following about the company:

1) 5 administrators all use the built-in Domain Admin account to do everything
2) Apps that need access to the domain or servers use that same admin account
3) Users are stored under their office OU
4) Computers have a Computers OU, then an Office OU, then PC or Mac and Laptop or Desktop
5) They don't have a remote deployment system, so they use AD to install a lot of tools onto the PCs
6) A startup script is used to add printers, network shares, ...
7) We have one main DC in Hemel and all the branches have a local DC
8) Group names are just names; this will be changed so they are uniform, but they are not in one OU, they are spread all over the AD

Any tips or tricks that you have are welcome: things I need to remember or watch out for, things I should change and things not to change. Everything is welcome.
Question by:cornilm
3 Comments
 
LVL 20

Accepted Solution

by:
Russ Suter earned 300 total points
ID: 38739178
Well I can offer advice on some of these...

1) Every user should have his/her own domain account. No two users should EVER share a single domain account. In our office our domain admins have 2 accounts, one for everyday work and a second for admin functions. You should set password strength and expiration requirements by group policy.
2) For applications that need domain access, create a service level account with a password that either doesn't expire or expires less frequently than user account passwords. Ideally each application should have its own service level account. That way you can audit the auth log to see if any applications are misbehaving.
3) Store users and computers in OUs that make sense. You can then set group policies and assign them by OU. This is much easier to administer.
4) I'm a little confused about this but it sounds like nested OUs. There's nothing wrong with this as long as it makes logical sense. Consider what, if any, group policies you need to apply to the computers and organize accordingly.
5) I got nothing here... there are so many ways to interpret this statement. It's just too vague for me to follow.
6) Rather than startup scripts, use group policies. That way they can be assigned as needed. They're also very easy to administer once you get the hang of it.
7) Need more info.
8) Keep groups consolidated in a single, easy-to-locate place. This makes organization much better.

I've used ManageEngine tools in the past to work with AD stuff. They're not free but they're worth every penny. I'd recommend at least getting ADAuditPlus for the reporting functions you'll get out of it.

http://www.manageengine.com/windows-active-directory-tools.html
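Points 1, 2 and 8 above can be measured before anything is changed. The read-only PowerShell audit below is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module is installed, and the two OU paths it uses for the consolidated groups OU and the service-account OU are placeholders to adapt to your own domain.

```powershell
# Added example, not from the thread. Read-only audit of points 1, 2 and 8.
# Assumes the RSAT ActiveDirectory module; the two OU paths are placeholders.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$groupsOU  = "OU=Groups,$domainDN"            # assumption: the one OU all groups should live in
$serviceOU = "OU=Service Accounts,$domainDN"  # assumption: where per-application accounts belong

# Point 1: who holds Domain Admins? Five people sharing the built-in account show
# up as one member; one personal admin account per person should show up as five.
Write-Host "== Domain Admins (recursive) =="
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize

# The built-in Administrator is always RID 500 of the domain SID. A LastLogonDate
# that keeps moving means it is still being used as the everyday shared account.
$builtin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties LastLogonDate, PasswordLastSet
Write-Host ("== Built-in admin '{0}': last logon {1}, password set {2} ==" -f
    $builtin.SamAccountName, $builtin.LastLogonDate, $builtin.PasswordLastSet)

# Point 2: accounts whose password never expires are the candidates for
# "service level" accounts. List the ones not yet in the service OU, with the
# groups they hold, so each application can be given its own account.
Write-Host "== Non-expiring password accounts outside $serviceOU =="
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties MemberOf |
    Where-Object { $_.DistinguishedName -notlike "*,$serviceOU" } |
    Select-Object SamAccountName, DistinguishedName,
        @{ Name = 'Groups'; Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } } |
    Format-Table -AutoSize -Wrap

# Point 8: groups that live anywhere other than the consolidated groups OU.
# Built-in and system groups are skipped; they cannot be moved.
Write-Host "== Groups outside $groupsOU =="
Get-ADGroup -Filter * -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject -and $_.DistinguishedName -notlike "*,$groupsOU" } |
    Select-Object Name, GroupScope, DistinguishedName |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize
```

Run it on a domain-joined workstation with RSAT as a normal domain user first; none of the cmdlets need admin rights, and the output gives a baseline to compare against after each reorganisation step.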
 
LVL 16

Assisted Solution

by:terencino
terencino earned 200 total points
ID: 38739206
Looks like you have already identified a few issues. Before you make any changes, take a professional approach: set up an AD Rebuild Program, get a list of best practices together, get a formal audit done if you can, discuss with all your admins and make sure they all agree, seek their input, and look at the potential downsides and recovery/fallback procedures if things don't work out. There are a few AD best practice lists out there that will help with your own list, e.g.:
AD Design: Best Practices
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Aim to complete a practice manual for your AD administration, including how to handle new users, computers, shares, access, using PowerShell to make changes, group policy etc.

This is just a general list; my AD was pretty well sorted when I came on board.
 

Author Comment

by:cornilm
ID: 38739233
Hi,

Thanks for the input; with this I can do a lot.

For point 5, the thing I want to point out is that we have several tools like SmartConnect, Outlook add-ins and rental software that are installed the first time the user logs on to a computer, meaning that it takes a very long time to log in.
I was wondering if there are other ways to let that run in the background.