Active Directory Setup

Posted on 2013-01-02
Medium Priority
Last Modified: 2013-01-03

I started working at a new company and got the task of reorganising there AD

I know what AD is and how it runs but in my reorganisation does any one have tips or tricks?

I can tell you the following about the company

1) 5 administrators all use the builtin Domain admin account to do everything
2) Apps that need access to the domain or servers use that same admin account
3) Users are stored under there office OU
4) computers have a computer OU then Office OU then PC or Mac and laptop or Desktop
5) they don't have a remote deployment system so the use AD To install a lot of tools on to the pc
6) startup script is used to add printers, network shares, ...
7) We have one main DC in Hemel and all the branches have a local DC
8) group names are just names this will be changed so they are uniform but they are not in one OU they are spread all over the AD

Any tips or tricks that you have are welcome. things i need to remember or watch out for. Things i should change and things not to change everything is welcome.
Question by:cornilm
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 20

Accepted Solution

Russ Suter earned 1200 total points
ID: 38739178
Well I can offer advice on some of these...

1) Every user should have his/her own domain account. No two users should EVER share a single domain account. In our office our domain admins have 2 accounts, one for everyday work and a second for admin functions. You should set password strength and expiration requirements by group policy.
2) For applications that need domain access, create a service level account with a password that either doesn't expire or expires less frequently than user account passwords. Ideally each application should have its own service level account. That way you can audit the auth log to see if any applications are misbehaving.
3) Store users and computers in OUs that make sense. You can then set group policies and assign them by OU. This is much easier to administer.
4) I'm a little confused about this but it sounds like nested OUs. There's nothing wrong with this as long as it makes logical sense. Consider what, if any, group policies you need to apply to the computers and organize accordingly.
5) I got nothing here... there are so many ways to interpret this statement. It's just too vague for me to follow.
6) Rather than startup scripts, use group policies. That way they can be assigned as needed. They're also very easy to administer once you get the hang of it.
7) need more info
8) Keep groups consolidated in a single, easy to locate, place. This makes organization much better.

I've used ManageEngine tools in the past to work with AD stuff. They're not free but they're worth every penny. I'd recommend at least getting ADAuditPlus for the reporting functions you'll get out of it.

LVL 16

Assisted Solution

terencino earned 800 total points
ID: 38739206
Looks like you have already identified a few issues. Before you make any changes, take a professional approach, setup an AD Rebuild Program, get a list of best practices together, get a formal audit done if you can,  discuss with all your admins and make sure they are all agreed, seek their input, look at the potential downsides and recovery/fallback procedures if things don't work out. There are a few AD best practise lists out there that will help with your own list eg:
AD Design: Best Practices
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Aim to complete a practice manual for your AD administration, including how to handle new users, computers, shares, access, using powershell to make changes, group policy etc.

This is just a general list, my AD was pretty well sorted when I came on board

Author Comment

ID: 38739233

thx for the inputs with this i can do a lot.

for point 5 the thing i want to point out is that we have several tools like smartconnect, outlook addins, rental software that is installed the first time the users logs on a computer meaning that it takes a very long time to login.
and i was wondering if there are other ways to let that run in the background.

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses
Course of the Month12 days, 16 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question