Active Directory Setup

Posted on 2013-01-02
Last Modified: 2013-01-03

I started working at a new company and got the task of reorganising their AD.

I know what AD is and how it runs, but does anyone have tips or tricks for my reorganisation?

I can tell you the following about the company:

1) 5 administrators all use the built-in Domain Admin account to do everything
2) Apps that need access to the domain or servers use that same admin account
3) Users are stored under their office OU
4) Computers have a Computer OU, then Office OU, then PC or Mac, and Laptop or Desktop
5) They don't have a remote deployment system, so they use AD to install a lot of tools onto the PCs
6) A startup script is used to add printers, network shares, ...
7) We have one main DC in Hemel and all the branches have a local DC
8) Group names are just names; this will be changed so they are uniform, but they are not in one OU, they are spread all over the AD

Any tips or tricks that you have are welcome: things I need to remember or watch out for, things I should change and things not to change. Everything is welcome.
Question by: cornilm
LVL 20

Accepted Solution

Russ Suter earned 300 total points
ID: 38739178
Well I can offer advice on some of these...

1) Every user should have his/her own domain account. No two users should EVER share a single domain account. In our office our domain admins have 2 accounts, one for everyday work and a second for admin functions. You should set password strength and expiration requirements by group policy.
2) For applications that need domain access, create a service level account with a password that either doesn't expire or expires less frequently than user account passwords. Ideally each application should have its own service level account. That way you can audit the auth log to see if any applications are misbehaving.
3) Store users and computers in OUs that make sense. You can then set group policies and assign them by OU. This is much easier to administer.
4) I'm a little confused about this but it sounds like nested OUs. There's nothing wrong with this as long as it makes logical sense. Consider what, if any, group policies you need to apply to the computers and organize accordingly.
5) I got nothing here... there are so many ways to interpret this statement. It's just too vague for me to follow.
6) Rather than startup scripts, use group policies. That way they can be assigned as needed. They're also very easy to administer once you get the hang of it.
7) need more info
8) Keep groups consolidated in a single, easy to locate, place. This makes organization much better.

I've used ManageEngine tools in the past to work with AD stuff. They're not free but they're worth every penny. I'd recommend at least getting ADAuditPlus for the reporting functions you'll get out of it.
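An added example, not code from the question or either answer: PowerShell that turns points 1 and 2 of the accepted answer into an audit-and-remediation script (who really sits in Domain Admins, which accounts have non-expiring passwords, one service account per application in its own OU, and a fine-grained password policy for those service accounts that expires less often than user passwords). It assumes the RSAT ActiveDirectory module, a domain functional level of Windows Server 2008 or later for fine-grained password policies, a placeholder domain DC=example,DC=local, and placeholder OU, group and account names; 'smartconnect' is the application the asker mentions, 'rental' stands in for the rental software.

```powershell
# Added example (editor's illustration, not the answerer's code).
# Assumptions: RSAT ActiveDirectory module, domain DC=example,DC=local (placeholder),
# OU/group/account names below are placeholders to adapt to the real domain.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'            # placeholder domain
$svcOuDn  = "OU=Service Accounts,$domainDn"  # placeholder OU for service accounts

# --- Point 1: who really holds Domain Admins? -Recursive expands nested groups,
#     which is where shared or forgotten admin accounts tend to hide.
Write-Host 'Members of Domain Admins:'
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize

# --- Point 2: enabled accounts whose password never expires. Only dedicated
#     service accounts should appear here; a person's account on this list is a finding.
Write-Host 'Enabled accounts with a non-expiring password:'
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties Description, servicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, Description, PasswordLastSet,
        @{ n = 'HasSPN'; e = { [bool]$_.servicePrincipalName } } |
    Format-Table -AutoSize

# --- One OU and one group for all service accounts, so the policy below can
#     target the group rather than individual users.
try {
    Get-ADOrganizationalUnit -Identity $svcOuDn -ErrorAction Stop | Out-Null
} catch {
    New-ADOrganizationalUnit -Name 'Service Accounts' -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq 'Service Accounts'")) {
    New-ADGroup -Name 'Service Accounts' -GroupScope Global -GroupCategory Security -Path $svcOuDn
}

# --- One account per application (point 2), so the auth log can be read per app.
#     'smartconnect' is named by the asker; 'rental' is a placeholder.
foreach ($app in 'smartconnect', 'rental') {
    $sam = "svc-$app"
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }   # already exists
    $initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -Path $svcOuDn `
        -Description "Service account for $app; owner: <team placeholder>" `
        -AccountPassword $initialPassword -Enabled $true `
        -PasswordNeverExpires $false -CannotChangePassword $true
    Add-ADGroupMember -Identity 'Service Accounts' -Members $sam
}

# --- Fine-grained password policy: service accounts rotate less often than users
#     (the answer's "expires less frequently") but are long and still rotate.
#     Precedence 10 wins over higher-numbered PSOs; adjust to your own numbering.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-ServiceAccounts'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
        -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'Service Accounts'
}
```

Run the two read-only sections first and review the output before running the sections that create objects; the Domain Admins listing is the quickest way to see how far the "everyone uses the built-in admin account" situation from point 1 has spread.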
LVL 16

Assisted Solution

terencino earned 200 total points
ID: 38739206
Looks like you have already identified a few issues. Before you make any changes, take a professional approach: set up an AD Rebuild Program, get a list of best practices together, get a formal audit done if you can, discuss with all your admins and make sure they are all agreed, seek their input, and look at the potential downsides and recovery/fallback procedures if things don't work out. There are a few AD best practice lists out there that will help with your own list, e.g.:
AD Design: Best Practices
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Aim to complete a practice manual for your AD administration, including how to handle new users, computers, shares, access, using PowerShell to make changes, group policy etc.

This is just a general list; my AD was pretty well sorted when I came on board.

Author Comment

ID: 38739233

Thanks for the input; with this I can do a lot.

For point 5, the thing I want to point out is that we have several tools like smartconnect, Outlook add-ins and rental software that are installed the first time a user logs on to a computer, meaning that it takes a very long time to log in.
I was wondering if there are other ways to let that run in the background.

