7 Active Directory Management Tips and Tricks

Featured article by Anton Pozdnyakov, CMO at Softerra

Active Directory management is a complex task that involves a thousand little bits and pieces that need to add up properly. In this article we’ll discuss seven tips and tricks that are designed to help you keep things just right in your AD environment by following simple and straightforward rules.

1. Don’t Share Admin Accounts

Sharing accounts is a common problem for a lot of environments. Not only users do that, but, what’s even worse, administrators as well. That’s one of the most horrible things you can think of both in terms of security and usability. Avoid something like that happening in your environment at all costs.

Putting aside the obvious security risks that are associated with shared credentials, there’s another big reason why nobody should ever do it. If somebody does something wrong from a shared account, it’s usually almost impossible to determine, who exactly it was. You don’t want to have a situation like that in your environment.

2. Read-Only Fridays

Not performing any changes on Fridays is a general practice that can often save your weekend. If something goes wrong, it can easily turn your Saturday and even Sunday into troubleshooting hell.

Apart from the selfish motives of securing your weekend rest, making changes on Fridays can be harmful for everybody else as well. If something gets broken and effects a lot of users, it can create a lot of support/help desk requests. This is no good, especially if your support lines either operate at lower capacity or even are completely unavailable during weekends.

3. Always Have At Least Two Scripters

Never let one person to be in charge of all scripts and automation workflows. Not only because it’s generally better and more efficient to have another pair of eyes on any type work, but also because it can be really dangerous.

People are generally unreliable, so you need to have some redundancy in your system. Make sure that at least two (the more, the better) people are always aware of any scripts as well as other automation processes. This way, if one of them leaves or becomes unavailable for any other reason, you won’t be left spending hours and hours trying to figure out how things actually work.

4. Add Descriptions to Groups

When you create a new Active Directory group that has an obvious purpose, it’s often tempting to leave it without a description. You’ll never forget why you created it, right? Wrong!

Always add detailed descriptions to any Active Directory group that you create, no matter how dull it seems for you now. The future you will be very thankful for that after a couple of weeks or even months. Also, remember that a lot of other people will be interacting with the group. A detailed description will help them better understand its purpose and avoid any potential misunderstandings and mistakes.

5. Don’t Forget About Physical Security

Security of your system shouldn’t stop at just the virtual level. Physical security of your servers is equally important but often forgotten. If somebody gains access to your DC or other server, no firewall or other security measure that you have installed will no longer stop them.

So, protect your equipment and make sure that only authorized personnel can get to it. Also, if, for example, you are not sure, how safe is a particular domain controller (e.g. it can be in a remote location), it’s better to make it a RODC. They replicate only one-way and do not store passwords by default, which makes them good for deployment in places with lack of security.

6. Delegate Tasks Whenever You Can

A major problem for a lot of IT pros out there is that they can’t delegate tasks. It’s easier to just do them yourself than to teach somebody else how to do that and pass it on. But if that happens too often, it will inevitably lead to accumulation of simple but time-consuming tasks, cluttering your everyday routines and quietly eating up all of your time.

The rule of thumb is that if you know that something can be delegated it, it should be delegated. As simple as that. This can keep the IT department doing something useful and continuing to improve your systems instead of staying buried under tons of routine operations.

7. Educate Your Users

That last but not least advise it to educate your users. Especially when it comes to security. Remember, that however reliable your security systems are, they are always only as strong as their weakest link. Which in 95% of cases are your users. Inventing more complicated procedures to improve security or efficiency will never work unless your users follow them properly. They can do all sorts of stupid things like writing passwords on sticky notes on their monitors. To make sure that doesn’t happen, you need to explain the consequences. Make sure they understand the responsibility and the potential results of a breach.

Explanation and education is the only proper way to make things right with end-users. Spread the best practices: meetings, email newsletters, brochures, trainings — find a creative and comprehensive way to reach them. It can be hard, but it’s a necessary evil.

More AD Tips

These were the seven advices that can make your AD management life a bit easier. For even more tips and tricks, check out our Twitter account which provides them on a regular basis.

Anton Pozdnyakov is CMO at Softerra. Softerra provides Adaxes, a management and automation solution for Active Directory, Exchange and Office 365 environments. It allows organizations of all sizes to reduce the workload on IT departments, minimize time wastages, increase security and much more. Try it yourself with a free 30-day trial.