Active Directory

Naming Your Domain

Microsoft strongly recommends that you register a public domain and use subdomains of it for internal DNS (see the TechNet article). Register a public DNS name so that you own it, then create subdomains for internal use (such as ad.example.org, corp.example.org, dmz.example.org, extranet.example.org) and make sure your DNS configuration is set up correctly.

Domain Security

Prevent non-admins from joining computers to your domain:

  1. Right-click your domain name and select Properties
  2. Click the Attribute Editor tab
  3. Find ms-DS-MachineAccountQuota and change the value to 0.
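
The same change can be checked and applied from PowerShell. The script below is an added example, not part of the original page. It assumes the RSAT ActiveDirectory module and an account allowed to modify the domain root object, and `$Apply` is a hypothetical switch introduced here. It goes one step beyond the steps above by listing computers that were already joined through the quota.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module and an account allowed to modify the domain root object.
Import-Module ActiveDirectory

$Apply  = $false   # hypothetical switch: set to $true to actually write the change
$attr   = 'ms-DS-MachineAccountQuota'
$domain = Get-ADDomain

# Read the quota from the domain root object (the attribute edited in step 3).
$root    = Get-ADObject -Identity $domain.DistinguishedName -Properties $attr
$current = $root.$attr
Write-Output "$($domain.DNSRoot): $attr = $current"

if ($current -ne 0) {
    if ($Apply) {
        Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        # Re-read the attribute to confirm the write took effect.
        $current = (Get-ADObject -Identity $domain.DistinguishedName -Properties $attr).$attr
        Write-Output "After change: $attr = $current"
    } else {
        Write-Output "Quota is non-zero; set `$Apply = `$true to change it to 0."
    }
}

# Computer objects created by a non-admin account through the quota carry
# ms-DS-CreatorSID (the SID of the creating account). Review these joins.
Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'ms-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$sid (unresolved)" }   # creator deleted or SID not resolvable
        [pscustomobject]@{
            Computer  = $_.Name
            CreatedBy = $who
            Created   = $_.whenCreated
        }
    } | Sort-Object Created | Format-Table -AutoSize
```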

Accounts

When a user account is no longer needed, don't delete it right away. Disable it and, if desired, move it to a “Disabled” folder. If the account still hasn't been needed after a period of time, you can then delete it.

Groups

Always assign permissions to a group rather than to individual users, even if it means creating a group for one user. This greatly streamlines administration during employee turnover and re-assignments.

Use a name that describes the purpose and permissions of the group. For example, a group named “Access to Scans Folder (M)” would provide access/modify permissions on the scans folder.