Active Directory Setup

Posted on 2013-01-02
Last Modified: 2013-01-03

I started working at a new company and got the task of reorganising their AD.

I know what AD is and how it runs, but for my reorganisation, does anyone have tips or tricks?

I can tell you the following about the company:

1) 5 administrators all use the built-in Domain Admin account to do everything
2) Apps that need access to the domain or servers use that same admin account
3) Users are stored under their office OU
4) Computers have a Computers OU, then an Office OU, then PC or Mac, and laptop or desktop
5) They don't have a remote deployment system, so they use AD to install a lot of tools onto the PCs
6) A startup script is used to add printers, network shares, ...
7) We have one main DC in Hemel and all the branches have a local DC
8) Group names are just names; this will be changed so they are uniform, but they are not in one OU, they are spread all over the AD

Any tips or tricks that you have are welcome: things I need to remember or watch out for, things I should change and things not to change. Everything is welcome.
Question by: cornilm

Accepted Solution

Russ Suter earned 300 total points
ID: 38739178
Well I can offer advice on some of these...

1) Every user should have his/her own domain account. No two users should EVER share a single domain account. In our office our domain admins have 2 accounts, one for everyday work and a second for admin functions. You should set password strength and expiration requirements by group policy.
2) For applications that need domain access, create a service level account with a password that either doesn't expire or expires less frequently than user account passwords. Ideally each application should have its own service level account. That way you can audit the auth log to see if any applications are misbehaving.
3) Store users and computers in OUs that make sense. You can then set group policies and assign them by OU. This is much easier to administer.
4) I'm a little confused about this but it sounds like nested OUs. There's nothing wrong with this as long as it makes logical sense. Consider what, if any, group policies you need to apply to the computers and organize accordingly.
5) I got nothing here... there are so many ways to interpret this statement. It's just too vague for me to follow.
6) Rather than startup scripts, use group policies. That way they can be assigned as needed. They're also very easy to administer once you get the hang of it.
7) need more info
8) Keep groups consolidated in a single, easy to locate, place. This makes organization much better.

I've used ManageEngine tools in the past to work with AD stuff. They're not free but they're worth every penny. I'd recommend at least getting ADAuditPlus for the reporting functions you'll get out of it.
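The account-separation and group-consolidation advice in the accepted answer, as an added PowerShell example that is not part of Russ Suter's post. It uses the ActiveDirectory module and assumes a 2012-level domain for the group-managed service account part; every OU name, username, application name and the `adm-`/`svc-` prefixes are placeholders chosen for the example, and the KDS root key step is noted but not run.

```powershell
# Added example, not from the original thread. Implements points 1, 2 and 8 of
# the accepted answer: a separate admin account per administrator, one managed
# service account per application, and all groups in a single OU.
# All OU names, sample usernames and application names below are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# --- OUs for admin accounts, service accounts and groups (hypothetical names) ---
foreach ($ou in 'Admin Accounts', 'Service Accounts', 'Groups') {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# --- Point 1: every administrator gets a second, admin-only account -----------
# Constructed sample usernames; in practice read them from a list or a group.
$admins = 'jsmith', 'mjones'
foreach ($sam in $admins) {
    $user   = Get-ADUser -Identity $sam
    $admSam = "adm-$sam"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$admSam'")) {
        New-ADUser -Name "$($user.Name) (admin)" `
            -SamAccountName $admSam `
            -UserPrincipalName "$admSam@$($domain.DNSRoot)" `
            -Path "OU=Admin Accounts,$domainDN" `
            -AccountPassword (Read-Host "Initial password for $admSam" -AsSecureString) `
            -ChangePasswordAtLogon $true `
            -Enabled $true
        # Only the adm- account is privileged; the everyday account stays a normal user.
        Add-ADGroupMember -Identity 'Domain Admins' -Members $admSam
    }
}

# --- Point 2: one service account per application, password managed by AD ---
# gMSAs need a KDS root key once per forest (not run here):
#   Add-KdsRootKey -EffectiveImmediately   # usable after ~10 hours of replication
# Map: service account name -> group of hosts allowed to fetch its password.
$apps = @{ 'svc-smartconnect' = 'SmartConnect Hosts'; 'svc-rental' = 'Rental Hosts' }
foreach ($svc in $apps.Keys) {
    $hostGroup = $apps[$svc]
    if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
        New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security -Path "OU=Groups,$domainDN"
    }
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$svc'")) {
        New-ADServiceAccount -Name $svc `
            -DNSHostName "$svc.$($domain.DNSRoot)" `
            -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
            -Path "OU=Service Accounts,$domainDN"
    }
}

# --- Point 8: move scattered groups into the Groups OU ------------------------
# Built-in and default groups under CN=Users / CN=Builtin are deliberately left alone.
# -WhatIf previews the moves; drop it once the list looks right. Groups with
# ProtectedFromAccidentalDeletion set will refuse to move until that flag is cleared.
Get-ADGroup -Filter * -SearchBase $domainDN |
    Where-Object {
        $_.DistinguishedName -notlike "*,OU=Groups,$domainDN" -and
        $_.DistinguishedName -notlike "*,CN=Users,$domainDN" -and
        $_.DistinguishedName -notlike "*,CN=Builtin,$domainDN"
    } |
    Move-ADObject -TargetPath "OU=Groups,$domainDN" -WhatIf

# --- Check: which Domain Admins members are NOT dedicated admin accounts? ------
# After the migration this should list only the built-in Administrator.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser |
    Where-Object { $_.DistinguishedName -notlike "*,OU=Admin Accounts,$domainDN" } |
    Select-Object SamAccountName, DistinguishedName
```

Once the adm- accounts are in place, the everyday accounts come out of Domain Admins and the built-in Administrator password is changed and stored offline; the final query is the check to run before declaring the shared-account problem closed. Password length and expiry for the adm- accounts can then be set with a fine-grained password policy (New-ADFineGrainedPasswordPolicy) rather than relying on the default domain policy.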

Assisted Solution

terencino earned 200 total points
ID: 38739206
Looks like you have already identified a few issues. Before you make any changes, take a professional approach: set up an AD Rebuild Program, get a list of best practices together, get a formal audit done if you can, discuss with all your admins and make sure they are all agreed, seek their input, and look at the potential downsides and recovery/fallback procedures if things don't work out. There are a few AD best practice lists out there that will help with your own list, e.g.:
AD Design: Best Practices
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Aim to complete a practice manual for your AD administration, including how to handle new users, computers, shares, access, using PowerShell to make changes, group policy, etc.

This is just a general list; my AD was pretty well sorted when I came on board.

Author Comment

ID: 38739233

Thanks for the input; with this I can do a lot.

For point 5, the thing I want to point out is that we have several tools like SmartConnect, Outlook add-ins and rental software that are installed the first time a user logs on to a computer, meaning that it takes a very long time to log in.
I was wondering if there are other ways to let that run in the background.
