Solved

Active Directory Best Practices

Posted on 2013-12-26
Last Modified: 2014-01-14
Is there a URL or guide of best practices for Active Directory? Currently, when a user resigns from our company, we rebuild their computer immediately and provide it to another user.

From a best practice perspective, should we delete the computername from AD and then rebuild and join to the Domain?  Are there other best practices for AD that we should be following for on-boarding and off-boarding users?  What are your thoughts?
Question by:rmessing171
11 Comments
 
Expert Comment

by:awawada
 
Expert Comment

by:Seth Simmons

There really isn't a best practice for that specifically; it could be more of a business requirement than a technical one in terms of the specific accounts. At my last place we used to disable a user account and move it to a separate OU (there were a few occasions when the person later came back). But for a computer account I made sure it was removed from the domain before rebuilding it, or else you will have to do some cleanup later - more of a time saver than anything else.

The last 2 links above are additional useful information regarding other aspects of AD you might find useful in your environment. The first link (TechNet) has broken links or obsolete information around Windows 2003.
 
Expert Comment

by:Mahesh

Do your computer names also need to be changed when a user resigns, as per your company security policy?
If that's not the case, you can disable that computer account and after a certain period of time you can remove those computer accounts.
The idea behind this is to just reuse the same existing computer names if users come and go frequently, and to avoid creating new computer accounts all the time.

If a replacement user is available immediately in place of the resigned employee, you can just back up all user data and wipe out the user profile; the computer will become new for the new user.
Also, if as per your company policy the computer must be formatted for a new joiner, then you can still keep the same name as before: just reset the computer account in AD and then join the formatted computer to the domain. It will work without any issues.

In the case of user accounts, in some bigger companies they never delete user accounts, just disable them, as resigned employees may re-join at any time in the future and they don't want to create new accounts for them every time, which might be integrated with SAP, ERP and so forth.
In normal scenarios, you can disable user accounts and after a certain period you can delete them.

The guide below covers best practices for securing Active Directory:
http://www.microsoft.com/en-in/download/details.aspx?id=38815

Mahesh
 
Expert Comment

by:KCTS

Why do you need to rebuild the computer? This is not necessary.
 

Author Comment

by:rmessing171
Thank you Mahesh and seth2740 for your immediate responses!

seth2740 - You referenced that I will have to do some cleanup later if I didn't remove the computer from AD.  Is the cleanup deleting the old computer from AD or would there be more tasks to perform?
Expert Comment

by:Brad Held

If the computer name does not change and you are going to rebuild it, then reset the computer account in AD, which will break the secure channel with the domain; move that computer account to the correct OU for the next user, wipe and reload the PC, and rejoin the domain. As stated previously, this is more of a business requirement than a technical requirement: if your users are just users and not computer admins, then signing in as another user would be enough without the rebuild of the PC. But without knowing the environment or business needs this would be hard to quantify in the forum.
 
Expert Comment

by:Leon Fester

What you are discussing is not an Active Directory best practice but a security best practice.

In terms of deleting the computer account... you can simply reset the computer account instead of deleting it if you are going to rebuild the computer.

Regarding the user account, AD best practice recommends that you disable the user account for a period of time, typically 1 - 3 months.
This is just in case you need to recover a mailbox or data, or copy permissions that may have been overlooked.

After the 'disabled period' you can then safely delete the user account.
Typically your HR department would inform you timeously when they've received a user termination request, so you can set the account to expire on that date to prevent accounts from being active after the user has left... just in case somebody wants to do malicious actions with the old username.

My favourite place to find best practice advice is the Friday Mail Sack blog for the Active Directory team.
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx

Also check some of the best practice recommendations from the following site:
http://technet.microsoft.com/en-us/library/cc759279(v=ws.10).aspx
 

Author Comment

by:rmessing171
Thank you for all of the info everyone posted. It has helped me significantly. We rebuild our PCs to refresh the Windows 7 operating system, install applications (each department gets certain apps), and the PC gets a computer name based on the user's name. The reason I am asking about removing the PC from AD and SCCM is because I am trying to use SCCM 2007 SP2 R3 to keep better computer and software inventory control. SCCM is using the AD Discovery method, and since we have not deleted any computers from AD or SCCM when a user resigns, I have a lot of old computers and software being reported on. What is the proper/recommended method to clean up the old computers in AD and SCCM? Any thoughts?
 
Expert Comment

by:Brad Held

So the real question is how to get AD cleaned up, and maintain it going forward. Check for PCs that have not changed their password in, say, 60+ days; computers by default will change the password every 30 days when connected to the network.

http://blogs.technet.com/b/ken_brumfield/archive/2008/09/16/identifying-stale-user-and-computer-accounts.aspx

Once the existing environment is cleaned, then as users come and go it should be part of the off-boarding process to disable the user account and move it to a special OU; this should also happen for the computer account. A note could be added in the description attribute of when the computer was disabled, to make cleanup easier. Every now and then I would go clean up that OU and remove old computer accounts.
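The off-boarding and clean-up routine that Leon Fester and Brad Held describe above (set an expiry date on HR notice, disable and park the user and computer objects in a dedicated OU with a dated description, find computers whose machine password has stopped rotating, and delete parked objects once the disabled period is over), written out as an added PowerShell example. This is not code from the thread or from any of the commenters. It assumes the ActiveDirectory module from RSAT (Server 2008 R2 or later) and that the two "Leavers" OUs already exist; the OU paths, the 60-day and 90-day thresholds and the "Disabled yyyy-MM-dd" description tag are this example's own conventions.

```powershell
# Added example, not code from this thread. Assumes the ActiveDirectory
# PowerShell module (RSAT, Server 2008 R2 or later) and that the two
# "Leavers" OUs below already exist. OU paths, the 60/90-day thresholds
# and the "Disabled yyyy-MM-dd" description tag are assumptions.
Import-Module ActiveDirectory

$DisabledUsersOU     = 'OU=Users,OU=Leavers,DC=example,DC=com'      # assumed
$DisabledComputersOU = 'OU=Computers,OU=Leavers,DC=example,DC=com'  # assumed
$StaleDays     = 60   # machine password not rotated (default rotation is every 30 days)
$RetentionDays = 90   # how long a disabled object is kept before deletion

function Set-DisabledTag {
    # Stamp the object so the cleanup pass can tell when it was disabled.
    param([Parameter(Mandatory)]$Object)
    $tag = 'Disabled {0:yyyy-MM-dd}' -f (Get-Date)
    if ($Object.Description) { $tag += '; was: ' + $Object.Description }
    Set-ADObject -Identity $Object.DistinguishedName -Description $tag
}

function Invoke-UserOffboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$TerminationDate = (Get-Date)
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Description
    if ($TerminationDate -gt (Get-Date)) {
        # HR notice arrived early: let AD refuse logons from that date on,
        # even if nobody gets round to running the disable step that day.
        Set-ADAccountExpiration -Identity $user -DateTime $TerminationDate
        return
    }
    Disable-ADAccount -Identity $user
    Set-DisabledTag -Object $user
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledUsersOU
}

function Invoke-ComputerOffboarding {
    param([Parameter(Mandatory)][string]$Name)
    # Disable rather than delete: the name can be reused by resetting the
    # account and re-joining a rebuilt PC, and the object is still there if
    # something (SCCM, a GPO filter, a share ACL) turns out to reference it.
    $pc = Get-ADComputer -Identity $Name -Properties Description
    Disable-ADAccount -Identity $pc
    Set-DisabledTag -Object $pc
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $DisabledComputersOU
}

function Get-StaleComputer {
    # Candidates for disabling: still enabled, but the machine password has not
    # been rotated for $Days. Look at LastLogonDate too before acting; a laptop
    # that has simply been off the network for two months looks identical.
    param([int]$Days = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $cutoff } `
                   -Properties PasswordLastSet, LastLogonDate |
        Select-Object Name, PasswordLastSet, LastLogonDate, DistinguishedName
}

function Remove-ExpiredDisabledObject {
    # Cleanup pass for the Leavers OUs: delete objects whose "Disabled" tag is
    # older than $Days. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = $RetentionDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    $targets = @(Get-ADUser     -SearchBase $DisabledUsersOU     -Filter { Enabled -eq $false } -Properties Description) +
               @(Get-ADComputer -SearchBase $DisabledComputersOU -Filter { Enabled -eq $false } -Properties Description)
    foreach ($obj in $targets) {
        # Untagged objects were parked by hand; leave them for a human to review.
        if (-not ($obj.Description -match '^Disabled (\d{4}-\d{2}-\d{2})')) { continue }
        $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
        if ($disabledOn -lt $cutoff -and $PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Delete')) {
            # -Recursive also removes child objects (e.g. BitLocker recovery info under a computer)
            Remove-ADObject -Identity $obj.DistinguishedName -Recursive -Confirm:$false
        }
    }
}

# Usage:
#   Invoke-UserOffboarding -SamAccountName jdoe -TerminationDate '2014-01-31'   # HR notice: set expiry
#   Invoke-UserOffboarding -SamAccountName jdoe                                  # last day: disable, tag, move
#   Invoke-ComputerOffboarding -Name PC-JDOE
#   Get-StaleComputer | Format-Table -AutoSize
#   Remove-ExpiredDisabledObject -WhatIf
```

Two caveats when using the stale-computer list: LastLogonDate is derived from lastLogonTimestamp, which replicates with up to about two weeks of slack, so treat it as "roughly when", and a machine password that has not rotated only proves the box has not talked to a DC, not that it is gone. That is why the pass disables and parks first and only deletes after the retention period, which also keeps the name reusable for a rebuilt PC via an account reset in the meantime.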
 

Author Comment

by:rmessing171
Bradheld - Thank you for the immediate response and the info!

Quick Question - When off-boarding an employee, should the computername (resource) be deleted from the SCCM - All Systems collection, or will it automatically get removed from SCCM when I disable the computer account in AD?  What are your thoughts?
 
Accepted Solution

by: Mahesh (earned 500 total points)

In SCCM you can enable a predefined task under Site Settings -> Site Maintenance. There is a task called "Delete obsolete client data".
This might help; otherwise there is no automated way to remove disabled computers from SCCM.
You can use the scripts below if you have 2008 R2 domain controllers:
http://myitforum.com/cs2/blogs/matbe/archive/2011/05/03/delete-computers-from-sccm-that-have-been-removed-from-ad.aspx
http://gallery.technet.microsoft.com/scriptcenter/Remove-old-Active-7fc40c61

There is a lot of difference between AD best practices and AD clean-up.
Unless you tell us the exact requirement/problem in the first place, experts cannot provide you the correct solution, and all solutions provided are then directionless and meaningless.

Mahesh
