Solved

Active Directory Best Practices

Posted on 2013-12-26
2,002 Views
Last Modified: 2014-01-14
Is there a url or guide of best practices for Active Directory?  Currently, when a user resigns from our company, we rebuild their computer immediately and provide to another user.  

From a best practice perspective, should we delete the computername from AD and then rebuild and join to the Domain?  Are there other best practices for AD that we should be following for on-boarding and off-boarding users?  What are your thoughts?
Question by:rmessing171
11 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 39740309
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 39740333
There really isn't a best practice for that specifically; it could be more of a business requirement than a technical one in terms of the specific accounts. At my last place we used to disable a user account and move it to a separate OU (there were a few occasions when the person later came back). But for a computer account I made sure it was removed from the domain before rebuilding it, else you will have to do some cleanup later; more of a time saver than anything else.

The last 2 links above are additional useful information regarding other aspects of AD you might find useful in your environment. The first link (TechNet) has broken links or obsolete information around Windows 2003.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39740359
Do your computer names also need to be changed when a user resigns, as per your company security policy?
If that's not the case, you can disable that computer account and after a certain period of time you can remove those computer accounts.
The idea behind this is to just reuse the same existing computer names if user turnover is frequent, and to avoid creating new computer accounts frequently.

If a replacement user is available immediately in place of the resigned employee, you can just back up all user data and wipe out the user profile; the computer will be as new for the new user.
Also, if as per your company policy the computer must be formatted for a new joinee, you can still keep the same name as previously: just reset the computer account in AD and then join the formatted computer to the domain. It will work without any issues.

In the case of user accounts, some bigger companies never delete user accounts, just disable them, as resigned employees may re-join at any time in future and they don't want to create new accounts for them every time, which might be integrated with SAP, ERP and so forth.
In normal scenarios, you can disable user accounts and after a certain period you can delete them.

The guide below is for Active Directory security best practices:
http://www.microsoft.com/en-in/download/details.aspx?id=38815

Mahesh
0
 
LVL 70

Expert Comment

by:KCTS
ID: 39740390
Why do you need to re-build the computer? This is not necessary.
0
 

Author Comment

by:rmessing171
ID: 39740411
Thank you Mahesh and seth2740 for your immediate responses!

seth2740 - You mentioned that I will have to do some cleanup later if I didn't remove the computer from AD. Is the cleanup just deleting the old computer from AD, or would there be more tasks to perform?
0
 
LVL 6

Expert Comment

by:Brad Held
ID: 39740653
If the computer name does not change and you are going to rebuild it, then reset the computer account in AD, which will break the secure channel with the domain; move that computer account to the correct OU for the next user, wipe and reload the PC, and rejoin the domain. As stated previously, this is more of a business requirement than a technical requirement; if your users are just users and not computer admins, then signing in as another user would be enough without the rebuild of the PC. But without knowing the environment or business needs this would be hard to quantify in the forum.
0
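The reset/move/rejoin sequence described above, written out as an added PowerShell example (it is not code from the thread or from any of the posters). It assumes the RSAT ActiveDirectory module on the admin workstation, and the computer name PC-JSMITH, the OU path and the domain name are placeholders:

```powershell
# Added example: prepare an existing AD computer account for reuse before the
# PC is reimaged, then rejoin it from the rebuilt client under the same name.
# Assumptions: RSAT ActiveDirectory module installed; names below are made up.
Import-Module ActiveDirectory

function Reset-ComputerAccountForReuse {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU,
        [string]$Description = "Reassigned $(Get-Date -Format yyyy-MM-dd)"
    )
    # Get-ADComputer throws if the account does not exist, so no null check needed.
    $computer = Get-ADComputer -Identity $ComputerName -Properties Description

    # Resetting the account breaks the old secure channel, so the reimaged
    # machine must rejoin. 'dsmod computer <DN> -reset' is the command-line
    # equivalent of 'Reset Account' in Active Directory Users and Computers.
    & dsmod computer $computer.DistinguishedName -reset | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsmod reset failed for $ComputerName" }

    # Record when/why it was reset, then move it to the OU whose Group Policy
    # fits the next user before the PC joins.
    Set-ADComputer -Identity $computer -Description $Description
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU
    Get-ADComputer -Identity $ComputerName -Properties Description
}

# Run on the admin workstation (placeholder names):
Reset-ComputerAccountForReuse -ComputerName 'PC-JSMITH' `
    -TargetOU 'OU=Workstations-Finance,DC=corp,DC=example'

# Then on the freshly rebuilt PC, from an elevated prompt. Because the account
# already exists, the join reuses it instead of creating a new object; do not
# pass -OUPath here, since the object already lives in the OU chosen above.
# Add-Computer -DomainName 'corp.example' -Credential (Get-Credential) -Restart
```

Doing the reset before the wipe rather than deleting the object keeps the computer's SID, group memberships and any SCCM/inventory references intact, which is the time saver the earlier replies mention.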
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39741432
What you are discussing is not an Active Directory best practice but a security best practice.

In terms of deleting the computer account... you can simply reset the computer account instead of deleting it if you are going to rebuild the computer.

Regarding the user account, AD best practice recommends that you disable the user account for a period of time, typically 1 - 3 months.
This is just in case you need to recover a mailbox or data, or copy permissions that may have been overlooked.

After the 'disabled period' you can then safely delete the user account.
Typically your HR department would inform you timeously when they've received a user termination request, so you can set the account to expire at that date to prevent accounts from being active after the user has left... just in case somebody wants to do malicious actions on the old username.

My favourite place to find best practice advice is the Friday Mail Sack blog for the Active Directory team.
http://blogs.technet.com/b/askds/archive/2010/07/17/friday-mail-sack-saturday-edition.aspx

Also check some of the best practice recommendations from the following site:
http://technet.microsoft.com/en-us/library/cc759279(v=ws.10).aspx
0
 

Author Comment

by:rmessing171
ID: 39741998
Thank you for all of the info everyone posted. It has helped me significantly. We rebuild our PCs to refresh the Windows 7 operating system, install applications (each department gets certain apps), and the PC gets a computer name based on the user's name. The reason I am asking about removing the PC from AD and SCCM is because I am trying to use SCCM 2007 SP2 R3 to keep better computer and software inventory control. SCCM is using the AD Discovery method, and since we have not deleted any computers from AD or SCCM when a user resigns, I have a lot of old computers and software being reported on. What is the proper/recommended method to clean up the old computers in AD and SCCM? Any thoughts?
0
 
LVL 6

Expert Comment

by:Brad Held
ID: 39742217
So the real question is how to get AD cleaned up, and maintain it going forward. Check for PCs that have not changed their password in, say, 60+ days; by default computers change their password every 30 days when connected to the network.

http://blogs.technet.com/b/ken_brumfield/archive/2008/09/16/identifying-stale-user-and-computer-accounts.aspx

Once the existing environment is cleaned, then as users come and go it should be part of the off-boarding process to disable the user account and move it to a special OU; this should also happen for the computer account. A note could be added in the description attribute of when the computer was disabled, to make cleanup easier. Every now and then I would go clean up that OU and remove old computer accounts.
0
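The stale-computer check and the disable / stamp / move / expire / sweep routine described in the last few replies (Brad Held's 60-day password-age test and holding OU, Leon Fester's account expiry and 1 - 3 month disabled period, Mahesh's disable-then-delete-later), as one added PowerShell example. It is not code from the thread or from any poster; it assumes the RSAT ActiveDirectory module, and the holding OU name, the 60/90-day windows and the user and computer names are placeholders:

```powershell
# Added example: report stale computers, run the off-boarding steps, and sweep
# the holding OU. Assumptions: RSAT ActiveDirectory module; OU and thresholds
# below are made up and should match your own retention policy.
Import-Module ActiveDirectory

$HoldingOU  = 'OU=Disabled-Accounts,DC=corp,DC=example'   # assumed OU
$StaleDays  = 60   # machine password unchanged for 60+ days -> candidate
$RetainDays = 90   # keep disabled accounts this long before deleting (1-3 months)

function Get-StaleComputer {
    param([int]$Days = $StaleDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Domain members rotate their machine password every 30 days by default,
    # so an old pwdLastSet on an enabled account suggests the PC is gone.
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
        -Properties PasswordLastSet, LastLogonDate, Description |
        Sort-Object PasswordLastSet |
        Select-Object Name, PasswordLastSet, LastLogonDate, Description
}

function Invoke-Offboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName,
        [datetime]$LastDay = (Get-Date)
    )
    $deleteAfter = $LastDay.AddDays($RetainDays).ToString('yyyy-MM-dd')
    $stamp = "Off-boarded $(Get-Date -Format yyyy-MM-dd); delete after $deleteAfter"
    $user  = Get-ADUser -Identity $UserName

    if ($PSCmdlet.ShouldProcess($UserName, 'expire, disable, stamp, move')) {
        # Expiry on the last working day stops the account being usable after
        # the person leaves even if the disable step is run late.
        Set-ADAccountExpiration -Identity $user -DateTime $LastDay
        Disable-ADAccount -Identity $user
        Set-ADUser -Identity $user -Description $stamp
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $HoldingOU
    }

    if ($ComputerName) {
        $computer = Get-ADComputer -Identity $ComputerName
        if ($PSCmdlet.ShouldProcess($ComputerName, 'disable, stamp, move')) {
            Disable-ADAccount -Identity $computer
            Set-ADComputer -Identity $computer -Description $stamp
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $HoldingOU
        }
    }
}

function Remove-ExpiredHoldingAccount {
    # Periodic sweep: delete user/computer objects in the holding OU that have
    # not been touched (whenChanged) for the retention period.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = $RetainDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADObject -SearchBase $HoldingOU -SearchScope OneLevel `
        -Filter { objectClass -eq 'computer' -or objectClass -eq 'user' } `
        -Properties whenChanged |
        Where-Object { $_.whenChanged -lt $cutoff } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Remove-ADObject')) {
                # -Recursive handles child objects such as BitLocker recovery info.
                Remove-ADObject -Identity $_ -Recursive -Confirm:$false
            }
        }
}

# Usage (placeholder names; -WhatIf previews the changes without applying them):
Get-StaleComputer | Format-Table -AutoSize
Invoke-Offboarding -UserName 'jsmith' -ComputerName 'PC-JSMITH' -LastDay '2013-12-31' -WhatIf
Remove-ExpiredHoldingAccount -WhatIf
```

Review the stale list before disabling anything: laptops that have been off the network for a long stretch show the same old password age as genuinely retired machines, which is why the sweep only deletes objects that were deliberately placed in the holding OU.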
 

Author Comment

by:rmessing171
ID: 39742248
Bradheld - Thank you for the immediate response and the info!

Quick Question - When off-boarding an employee, should the computername (resource) be deleted from the SCCM - All Systems collection, or will it automatically get removed from SCCM when I disable the computer account in AD?  What are your thoughts?
0
 
LVL 37

Accepted Solution

by:Mahesh (earned 1500 total points)
ID: 39742734
In SCCM you can enable a predefined task under Site Settings -> Site Maintenance. There is a task called "Delete obsolete client data".
This might help; otherwise there is no automated way to remove disabled computers from SCCM.
You can use the scripts below if you have 2008 R2 domain controllers:
http://myitforum.com/cs2/blogs/matbe/archive/2011/05/03/delete-computers-from-sccm-that-have-been-removed-from-ad.aspx
http://gallery.technet.microsoft.com/scriptcenter/Remove-old-Active-7fc40c61

There is a lot of difference between AD best practices and AD clean-up.
Unless you tell us the exact requirement / problem in the first place, Experts cannot provide you a correct solution, and all solutions provided are then directionless and meaningless.

Mahesh
0
