Solved

Active Directory Setup

Posted on 2013-01-02
Last Modified: 2013-01-03
Hi,

I started working at a new company and got the task of reorganising their AD.

I know what AD is and how it runs, but in my reorganisation does anyone have tips or tricks?

I can tell you the following about the company:

1) 5 administrators all use the built-in Domain Admin account to do everything
2) Apps that need access to the domain or servers use that same admin account
3) Users are stored under their office OU
4) Computers have a computer OU, then Office OU, then PC or Mac, and laptop or desktop
5) They don't have a remote deployment system, so they use AD to install a lot of tools onto the PCs
6) A startup script is used to add printers, network shares, ...
7) We have one main DC in Hemel and all the branches have a local DC
8) Group names are just names; this will be changed so they are uniform, but they are not in one OU, they are spread all over the AD

Any tips or tricks that you have are welcome: things I need to remember or watch out for, things I should change and things not to change. Everything is welcome.
Question by:cornilm
3 Comments
 
Accepted Solution

by: Russ Suter
Well, I can offer advice on some of these...

1) Every user should have his/her own domain account. No two users should EVER share a single domain account. In our office our domain admins have 2 accounts, one for everyday work and a second for admin functions. You should set password strength and expiration requirements by group policy.
2) For applications that need domain access, create a service level account with a password that either doesn't expire or expires less frequently than user account passwords. Ideally each application should have its own service level account. That way you can audit the auth log to see if any applications are misbehaving.
3) Store users and computers in OUs that make sense. You can then set group policies and assign them by OU. This is much easier to administer.
4) I'm a little confused about this but it sounds like nested OUs. There's nothing wrong with this as long as it makes logical sense. Consider what, if any, group policies you need to apply to the computers and organize accordingly.
5) I got nothing here... there are so many ways to interpret this statement. It's just too vague for me to follow.
6) Rather than startup scripts, use group policies. That way they can be assigned as needed. They're also very easy to administer once you get the hang of it.
7) Need more info.
8) Keep groups consolidated in a single, easy to locate, place. This makes organization much better.

I've used ManageEngine tools in the past to work with AD stuff. They're not free but they're worth every penny. I'd recommend at least getting ADAuditPlus for the reporting functions you'll get out of it.

http://www.manageengine.com/windows-active-directory-tools.html
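
Before splitting the shared built-in admin account into per-admin and per-application accounts (points 1 and 2 above), it helps to inventory where that account actually logs on. This is an added example, not part of the original answer: the function name `Get-SharedAccountUsage`, the host names and the IP addresses are constructed, and the sample records only mimic fields of Security event 4624 (successful logon).

```powershell
# Constructed sample records with the fields of Security event 4624.
# On a DC the same objects can be built from real events, for example:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object {
#     $d = @{}
#     ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]$d }
$sampleLogons = @(
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='10'; WorkstationName='ADMIN-PC1'; IpAddress='10.0.1.21' }
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='10'; WorkstationName='ADMIN-PC1'; IpAddress='10.0.1.21' }
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='2';  WorkstationName='ADMIN-PC2'; IpAddress='10.0.1.22' }
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='5';  WorkstationName='APPSRV01';  IpAddress='10.0.2.10' }
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='4';  WorkstationName='BACKUP01';  IpAddress='10.0.2.11' }
    [pscustomobject]@{ TargetUserName='Administrator'; LogonType='3';  WorkstationName='FILESRV01'; IpAddress='10.0.2.12' }
    [pscustomobject]@{ TargetUserName='jsmith';        LogonType='2';  WorkstationName='DESK-014';  IpAddress='10.0.3.14' }
)

function Get-SharedAccountUsage {
    param(
        [Parameter(Mandatory)] [object[]] $Logon,
        [string] $AccountName = 'Administrator'
    )
    # Logon types 4 (batch) and 5 (service) mean software runs as the account,
    # so that host needs its own service account. Types 2 (interactive) and
    # 10 (remote interactive / RDP) mean a person, who needs a personal admin account.
    $kind = @{ '2'='Person'; '10'='Person'; '4'='Application'; '5'='Application'
               '3'='Network (check source)' }
    $Logon |
        Where-Object { $_.TargetUserName -eq $AccountName } |
        Group-Object WorkstationName, LogonType |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Source    = $first.WorkstationName
                IpAddress = $first.IpAddress
                LogonType = $first.LogonType
                UsedBy    = if ($kind.ContainsKey($first.LogonType)) { $kind[$first.LogonType] } else { 'Other' }
                Count     = $_.Count
            }
        } |
        Sort-Object UsedBy, Source
}

# One row per source host and logon type: the list of accounts to create
# before the shared password is changed.
Get-SharedAccountUsage -Logon $sampleLogons | Format-Table -AutoSize
```
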

Assisted Solution

by: terencino
Looks like you have already identified a few issues. Before you make any changes, take a professional approach: set up an AD Rebuild Program, get a list of best practices together, get a formal audit done if you can, discuss with all your admins and make sure they are all agreed, seek their input, and look at the potential downsides and recovery/fallback procedures if things don't work out. There are a few AD best practice lists out there that will help with your own list, e.g.:
AD Design: Best Practices
Update for the AD DS Best Practices Analyzer rules in Windows Server 2008 R2
Aim to complete a practice manual for your AD administration, including how to handle new users, computers, shares, access, using powershell to make changes, group policy etc.

This is just a general list; my AD was pretty well sorted when I came on board.
Author Comment

by: cornilm
Hi,

Thanks for the input; with this I can do a lot.

For point 5, the thing I want to point out is that we have several tools like SmartConnect, Outlook add-ins and rental software that are installed the first time the user logs on to a computer, meaning that it takes a very long time to log in.
And I was wondering if there are other ways to let that run in the background.