Active Directory Best Practices
– 10 ways to improve your Active Directory

Active Directories are inevitable for IT-technicians and they often come with a set of tedious tasks that need to be done sooner or later. After speaking to several technicians and experiencing multiple Active Directories at first hand, I realized that a lot of AD’s don’t follow the Active Directory best practices and are a mess. But in some cases it can definitely be worth it! An overly complex and outdated AD can tie up a lot of time from your technicians. So in this article, I decided to list the Active Directory best practices and go over 10 ways to improve an Active Directory, and hopefully help IT-departments get more efficient.

1. Organize your Active Directory

The structure of your AD, how it’s set up and organized are very important factors for a successful administration. If everything has been done correctly, your AD environment should be fully documented and anybody on the IT team should have a clear understanding of where everything can be found.

With an organized Active Directory, you don’t need to spend hours hopelessly wandering around the AD looking for an object. And every time a new object is created, you and your team knows exactly how to handle it. Setting up the optimal AD structure and what to think about when doing so is a whole another article in itself. In fact, if you are interested you can read more about it here.

2. Implement the Least Privilege Principle

When you’re happy with how your Active Directory is set up you can start doing minor changes and improvements. First thing you need to be sure of is that the human resources in your environment follow the “Least Privilege Principle”, i.e. at any given point of time, all users must have the exact amount of permissions and access that they need. No more and no less.

What sounds like an easy task, can snowball into an avalanche when the number of users grows. This can be solved by applying a Role-Based Access model, which means that you don’t assign permissions straight to users. First, you assign permissions to a role and then assign the role to a user. So if you want to change user’s access rights, you change his/her role. In the future, if you want to modify a role, you do it in a single place instead of doing it manually for every single user.

3. Establish a Self Service Portal

Another way to reduce time wasted on mundane tasks, such as changing the personal information of a single user, is to set up a self-service portal where users can change certain information by themselves. A simple yet effective solution for making your AD more autonomous and self-supporting. But be careful and aware of the security risks that may arise.

4. Optimize Password Resets

Now onto one of the biggest time consumers out there, resetting passwords! A survey conducted by Cyclonis showed that 50 % of the respondents forget their passwords at least four times each year and another 27 % forget their passwords 10 or more times a year.

Imagine an organization with 1000 employees. Let’s assume 50% of all employees forgets their password 4 times a year and it takes 5 minutes for the service desk to reset the password. That ends up taking 10000 minutes of the technicians time, or roughly 7 days a year! And this doesn’t even take the 27% into account. This is in no way, shape or form an efficient way of handling password resets.

Instead, give the users an opportunity to reset their passwords by themselves. There are several ways to do this, for example by entering an SMS code that gets sent to their work phone or answering a couple of security questions. Additionally, if you already have a self-service portal, this function can just be added onto the platform. This way your technicians can do real IT work that actually creates value for your employees and customers.

5. Utilize Multiple Global Catalogs

For organizations operating Active Directories with information for multiple sites, it’s important to have a global catalog at each site. This way AD clients will not need to traverse long distances to look up information and the amount of traffic trying to access a single global catalog is reduced, potentially improving the speed and performance of the AD.

6. Use Dedicated Domain Controllers

In an effort to save some money, a lot of organizations have their domain controller servers running several roles. But to follow Active Directory best practices, your domain controllers should run on dedicated servers. While you might be saving some money you are putting your domain controller at risk by affecting the server’s performance, reducing security, and complicating the process of backing up or restoring the server.

7. Have Multiple DNS Servers

Another common mistake that smaller organizations can be guilty of is only having one DNS server. Sure, some costs are saved, however, the AD which is dependent upon the DNS service will be at a standstill if the DNS server fails. Compare the potential loses that may occur if the DNS server is down with the cost of having another DNS server, and you’ll quickly see the benefits.

8. Apply 2-factor Authentication

Using two-factor authentication (2FA) is a simple way to make your Active Directory more secure. 2FA is supported in the Active Directory and it basically means that users need to present something in addition to their password when logging in to their account to prove their authenticity. This prevents password theft from giving hackers access to AD accounts. If this sounds too complicated for your organization as a whole, contemplate implement 2FA for at least the domain admins.

9. Schedule Routine Clean-Ups

Last but not least, clean up your Active Directories. Something so simple can have massive effects! Don’t let stuff pile up until it’s all an incomprehensible mess that nobody wants to navigate through. This does not mean that you need to clean up every day, week or month. But consider having routine clean-ups every 6 or 12 months. A clean AD also makes onboarding of newcomers much easier.

10. Get vScope!

If you’re already following most of these tips, congratulations! Your active directory is better than most out there, and if you’re not don’t worry, vScope is here to help! Combine the power of vScope’s Inventory & Reporting with the Active Directory Documentation Pack and you’ll get a detailed overview of your Active Directory right away! With vScope its easier than ever to get the information you need ,when you need it.

If you are more interested in optimizing and improving the security of your Active Directory, the Optimization or Security pack might be more suitable for you. The Active Directory Security pack is filled with analyses that help you improve the overall security of your AD, while the Optimization pack analyses help you streamline and clean up your AD.


September 23, 2019

Soroush Pourhadi

Soroush Pourhadi

Customer Success

Stars and review
vScope is a Great Place to Work