Active Directory Best Practices

rmessing171 asked:

Is there a url or guide of best practices for Active Directory?  Currently, when a user resigns from our company, we rebuild their computer immediately and provide to another user.  

From a best practice perspective, should we delete the computername from AD and then rebuild and join to the Domain?  Are there other best practices for AD that we should be following for on-boarding and off-boarding users?  What are your thoughts?
Seth Simmons:

There really isn't a best practice for that specifically; it could be more of a business requirement than a technical one in terms of the specific accounts. At my last place we used to disable a user account and move it to a separate OU (there were a few occasions when the person later came back). But for a computer account I made sure it was removed from the domain before rebuilding it, else you will have to do some cleanup later; more of a time saver than anything else.

The last 2 links above are additional useful information regarding other aspects of AD you might find useful in your environment. The first link (TechNet) has broken links or obsolete information around Windows 2003.
Do your computer names also need to be changed when a user resigns, as per your company security policy?
If that's not the case, you can disable that computer account and after a certain period of time remove those computer accounts.
The idea is to reuse the same existing computer names if users come and go frequently, and to avoid creating new computer accounts all the time.

If a replacement user is available immediately in place of the resigned employee, you can just back up all user data and wipe the user profile; the computer will be as good as new for the new user.
Also, if per your company policy the computer must be formatted for a new joiner, you can still keep the same name as before: just reset the computer account in AD and then join the formatted computer to the domain. It will work without any issues.

In the case of user accounts, some bigger companies never delete user accounts, only disable them, as resigned employees may re-join at any time in the future and they don't want to create new accounts for them every time, which might be integrated with SAP, ERP and so forth.
In normal scenarios, you can disable user accounts and after a certain period delete them.

The guide below covers best practices for securing Active Directory.

Why do you need to rebuild the computer? This is not necessary.
rmessing171:

Thank you Mahesh and seth2740 for your immediate responses!

seth2740 - You referenced that I will have to do some cleanup later if I didn't remove the computer from AD. Is the cleanup deleting the old computer from AD, or would there be more tasks to perform?
If the computer name does not change and you are going to rebuild it, then reset the computer account in AD, which will break the secure channel with the domain; move that computer account to the correct OU for the next user, wipe and reload the PC, and rejoin the domain. As stated previously, this is more of a business requirement than a technical requirement; if your users are just users and not computer admins, then signing in as another user would be enough without rebuilding the PC. But without knowing the environment or business needs this would be hard to quantify in the forum.
What you are discussing is not an Active Directory best practice but a security best practice.

In terms of deleting the computer, you can simply reset the computer account instead of deleting it if you are going to rebuild the computer.

Regarding the user account, AD best practice recommends that you disable the user account for a period of time, typically 1-3 months.
This is just in case you need to recover a mailbox or data or copy permissions that may have been overlooked.

After the 'disabled period' you can then safely delete the user account.
Typically your HR department would inform you timeously when they've received a user termination request, so you can set the account to expire on that date to prevent accounts from being active after the user has left, just in case somebody wants to perform malicious actions with the old username.

My favourite place to find best practice advice is the Friday Mailsack blog from the Active Directory team.

Also check some of the best practice recommendations from the following site:
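The off-boarding sequence described in the answers above (expire on the HR date, disable, park in a holding OU, note why, reset the computer account so the rebuilt PC can rejoin under the same name), as an added PowerShell example that is not code from any poster in this thread. The user name jdoe, computer name JDOE-PC, domain corp.example.com, the two OU paths and the leave date are all assumptions for illustration; it uses only the ActiveDirectory module cmdlets.

```powershell
# Added example, not from the thread. Off-boards one user and the PC named after them.
# Assumed names: user jdoe, computer JDOE-PC, domain corp.example.com and the two OU paths.
Import-Module ActiveDirectory

$User       = 'jdoe'                                          # assumed sAMAccountName
$Computer   = 'JDOE-PC'                                       # assumed computer name
$LeaveDate  = Get-Date '2014-06-30'                           # assumed last working day from HR
$DisabledOU = 'OU=Disabled Users,DC=corp,DC=example,DC=com'   # assumed holding OU for users
$TargetOU   = 'OU=Workstations,DC=corp,DC=example,DC=com'     # assumed OU for the next user's PC
$Stamp      = 'Off-boarded {0:yyyy-MM-dd} by {1}' -f (Get-Date), $env:USERNAME

# 1. As soon as HR notifies you: expire the account at the END of the last working day.
#    AccountExpirationDate is the instant the account stops working, so pass the next day's
#    midnight rather than the leave date itself.
Set-ADAccountExpiration -Identity $User -DateTime $LeaveDate.AddDays(1)

# 2. On or after the leave date: disable, invalidate the old password, record why, move.
#    The password reset is belt and braces against anyone who still knows the old credentials.
$UserObj = Get-ADUser -Identity $User
Disable-ADAccount -Identity $UserObj
Set-ADAccountPassword -Identity $UserObj -Reset `
    -NewPassword (ConvertTo-SecureString ([guid]::NewGuid().ToString()) -AsPlainText -Force)
Set-ADUser -Identity $UserObj -Description $Stamp
Move-ADObject -Identity $UserObj.DistinguishedName -TargetPath $DisabledOU

# 3. Computer account: the equivalent of "Reset Account" in AD Users and Computers, which sets
#    the machine password to the lower-case host name and breaks the existing secure channel.
#    Leave it enabled and in the OU the next user belongs in; the rebuilt PC will reuse it.
$CompObj = Get-ADComputer -Identity $Computer
Set-ADAccountPassword -Identity $CompObj -Reset `
    -NewPassword (ConvertTo-SecureString ($Computer.ToLower()) -AsPlainText -Force)
Set-ADComputer -Identity $CompObj -Description $Stamp
Move-ADObject -Identity $CompObj.DistinguishedName -TargetPath $TargetOU

# 4. Check the result before closing the ticket.
Get-ADUser -Identity $User -Properties AccountExpirationDate, Description |
    Select-Object Name, Enabled, AccountExpirationDate, Description, DistinguishedName
Get-ADComputer -Identity $Computer -Properties Description |
    Select-Object Name, Enabled, Description, DistinguishedName

# 5. On the rebuilt PC (run locally as an administrator after imaging), rejoin under the same name.
#    The join sets a fresh machine password, so the value from step 3 is only transient.
# Add-Computer -DomainName 'corp.example.com' -Credential (Get-Credential) -Restart
```

Step 1 can run the day HR sends the notice and step 2 on the leave date itself; the expiry covers the gap if step 2 is late. The account the join in step 5 runs under needs rights on the existing computer object (Reset Password and write permissions), which a domain admin or a delegated join account has; a plain user with the default ten-join quota does not.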
Thank you for all of the info everyone posted. It has helped me significantly. We rebuild our PCs to refresh the Windows 7 operating system and install applications (each department gets certain apps), and the PC gets a computer name based on the user's name. The reason I am asking about removing the PC from AD and SCCM is because I am trying to use SCCM 2007 SP2 R3 to keep better computer and software inventory control. SCCM is using the AD discovery method, and since we have not deleted any computers from AD or SCCM when a user resigns, I have a lot of old computers and software being reported on. What is the proper/recommended method to clean up the old computers in AD and SCCM? Any thoughts?
So the real question is how to get AD cleaned up and maintain it going forward. Check for PCs that have not changed their password in, say, 60+ days; computers by default will change their password every 30 days when connected to the network.

Once the existing environment is cleaned, then as users come and go it should be part of the off-boarding process to disable the user account and move it to a special OU; this should also happen for the computer account. A note could be added in the description attribute of when the computer was disabled, to make cleanup easier. Every now and then I would go clean up that OU and remove old computer accounts.
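The cleanup described in the post above (find computers whose machine password is 60+ days old, disable and park them with a dated description, then delete the ones that have sat in the holding OU long enough), as an added PowerShell example that is not Bradheld's code. The OU paths, the 60-day and 90-day thresholds and the CSV file name are assumptions; every change is guarded with -WhatIf so it can be run as a report first.

```powershell
# Added example, not from the thread. Three-phase stale computer cleanup.
# Assumed: the OU paths and thresholds below. Remove -WhatIf once the CSV report looks right.
Import-Module ActiveDirectory

$StaleDays  = 60                                                # two 30-day password cycles missed
$GraceDays  = 90                                                # how long a parked account waits
$SearchBase = 'OU=Workstations,DC=corp,DC=example,DC=com'      # assumed: where live PCs live
$StaleOU    = 'OU=Stale Computers,DC=corp,DC=example,DC=com'   # assumed: holding OU
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# Phase 1: report. PasswordLastSet is the machine account's own password change, which a
# domain member performs every 30 days while it can reach a DC. LastLogonDate is included
# as a second opinion; it is replicated only every 9-14 days, so treat it as approximate.
$Stale = Get-ADComputer -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
             -SearchBase $SearchBase -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
         Where-Object { $_.OperatingSystem -notlike '*Server*' }   # never bulk-disable servers
$Stale | Sort-Object PasswordLastSet |
    Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Phase 2: disable and park, stamping the description so Phase 3 can compute the age.
foreach ($c in $Stale) {
    $note = 'Disabled {0:yyyy-MM-dd}; password last set {1:yyyy-MM-dd}' -f (Get-Date), $c.PasswordLastSet
    Set-ADComputer -Identity $c -Enabled $false -Description $note -WhatIf
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $StaleOU -WhatIf
}

# Phase 3: delete what has been parked longer than the grace period. Computer objects that
# own child objects (BitLocker recovery information, published printers) make Remove-ADComputer
# fail; use Remove-ADObject -Recursive on those once you are sure the machine is really gone.
$DeleteBefore = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $StaleOU -Properties Description |
    Where-Object { $_.Description -match '^Disabled (\d{4}-\d{2}-\d{2})' -and
                   [datetime]$Matches[1] -lt $DeleteBefore } |
    Remove-ADComputer -Confirm:$false -WhatIf
```

Laptops that spend months off the network will show up in the Phase 1 report too, which is why the account is parked and disabled for a grace period rather than deleted outright: a machine that comes back can be re-enabled and moved back without a rejoin. Phase 2 is what re-establishes the "stale" state this script depends on, so run it from a scheduled task or a monthly checklist rather than once.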
Bradheld - Thank you for the immediate response and the info!

Quick question - When off-boarding an employee, should the computer name (resource) be deleted from the SCCM All Systems collection, or will it automatically get removed from SCCM when I disable the computer account in AD? What are your thoughts?