Active Directory

Naming Your Domain

Microsoft recommends that you register a public domain and use a subdomain of it for the internal Active Directory DNS namespace (see the TechNet article on domain naming). So, register a public DNS name so that you own it, then create subdomains for internal use (like ad.example.org, corp.example.org, dmz.example.org, extranet.example.org) and make sure your DNS configuration is set up correctly. Avoid single-label names and made-up suffixes such as .local: you cannot register them, .local collides with mDNS name resolution, and public CAs no longer issue certificates for names you do not own.

Groups

Always assign permissions to a group rather than to individual users, even if it means creating a group for one user. This greatly streamlines administration during employee turnover and re-assignments: you change a group membership instead of hunting for ACL entries across servers.

Use a name that describes the purpose and permissions of the group. For example, Access to Scans Folder (M) would be the group that grants Modify access to the scans folder.
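As an added example (not part of the original page), here is the group-based pattern in PowerShell: create the purpose-named group, grant it Modify on the folder, put the user in the group, and then audit the folder for ACL entries that still point at individual users. The share path, OU and user name are hypothetical, and it assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.

```powershell
Import-Module ActiveDirectory

# Hypothetical names: adjust to your environment
$GroupName  = 'Access to Scans Folder (M)'                     # (M) = Modify, per the naming convention
$FolderPath = '\\fileserver\Scans'
$GroupOU    = 'OU=Resource Groups,DC=corp,DC=example,DC=org'
$Member     = 'jsmith'
$NetBios    = (Get-ADDomain).NetBIOSName

# 1. Create the group if it does not exist. Domain local scope is the usual choice for
#    groups that carry resource permissions.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                -Path $GroupOU -Description "Modify access to $FolderPath"
}

# 2. Grant the group Modify on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$NetBios\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 3. The user gets access through membership, never through a direct ACE.
Add-ADGroupMember -Identity $GroupName -Members $Member

# 4. Audit: list explicit (non-inherited) ACEs on the folder whose principal is a user object.
#    These are the entries that break the rule above and should be replaced by a group.
#    Built-in principals (NT AUTHORITY\SYSTEM, CREATOR OWNER) do not resolve to an AD object and are skipped.
function Find-DirectUserAces {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }) {
        $sam = $ace.IdentityReference.Value.Split('\')[-1]
        $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'"
        if ($obj -and $obj.ObjectClass -eq 'user') {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

Find-DirectUserAces -Path $FolderPath | Format-Table -AutoSize
```

Run the audit function on its own against existing shares to find the user-level ACEs accumulated over the years; each one is a candidate for a new purpose-named group.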

Accounts

For security purposes, create dedicated accounts with only the permissions required for things like running scheduled tasks, services and devices such as copiers (scan-to-folder, address-book lookups), rather than reusing a person's or an administrator's credentials. A compromised copier or service then exposes only what that one account can reach, and its password can be rotated without breaking anything else.

When a user account is no longer needed, don't delete it; disable it and, if desired, move it to a "Disabled" OU. If after a period of time the account hasn't been needed, you can then delete it. Disabling keeps the SID, so existing ACL entries still resolve and the account can be re-enabled if something turns out to depend on it; deleting and recreating an account produces a new SID.

When cleaning up AD you can use these PowerShell commands to find any scheduled tasks that may be running as users you're removing or changing passwords for (a task stored with an old password keeps failing silently after the change):

ViewScheduledTasksRunningAsAUser.ps1
# Query every task in verbose CSV form (/S also accepts a remote computer name). schtasks repeats the CSV header once per task folder, so drop those rows.
$schtask = schtasks.exe /Query /S localhost /V /FO CSV | ConvertFrom-Csv | Where-Object { $_.TaskName -ne "TaskName" }
# Hide the built-in principals; what remains are tasks that run as named accounts (-notin needs PowerShell 3.0 or later).
$schtask | Where-Object { $_."Run As User" -notin "SYSTEM","LOCAL SERVICE","NETWORK SERVICE","INTERACTIVE","Administrators","Authenticated Users","Everyone","Users" } | Select-Object TaskName,"Task To Run","Run As User" | Out-GridView
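The script above checks a single host. As an added example (not from the original page) that extends it, the following scans every enabled server in the domain for scheduled tasks and Windows services that run as one of the accounts being retired, and only then disables the accounts that nothing depends on, moving them to the Disabled OU as described above. It assumes the RSAT ActiveDirectory module, WinRM access to the servers for the service query, and that the account names and OU path (both hypothetical) are adjusted to your environment.

```powershell
Import-Module ActiveDirectory

# Hypothetical: the accounts being retired and the OU that holds disabled accounts
$Retiring   = 'svc-oldbackup', 'jsmith'
$DisabledOU = 'OU=Disabled,DC=corp,DC=example,DC=org'

# Normalise "DOMAIN\name", "name@domain.tld", ".\name" and bare "name" to the bare sAMAccountName
function Get-BareName([string]$Principal) {
    ($Principal -replace '^.*\\', '') -replace '@.*$', ''
}

# Return every scheduled task and service on the given computers that runs as one of $User
function Get-DependenciesOn {
    param([string[]]$Computer, [string[]]$User)
    foreach ($c in $Computer) {
        # Tasks: schtasks repeats the CSV header once per task folder, so drop those rows.
        # Errors (host down, access denied) are suppressed here; track unreachable hosts separately.
        $tasks = schtasks.exe /Query /S $c /V /FO CSV 2>$null | ConvertFrom-Csv |
                 Where-Object { $_.TaskName -ne 'TaskName' }
        foreach ($t in $tasks) {
            $acct = Get-BareName ($t.'Run As User')
            if ($User -contains $acct) {
                [pscustomobject]@{ Computer = $c; Kind = 'Task'; Name = $t.TaskName; Command = $t.'Task To Run'; Account = $acct }
            }
        }
        # Services: StartName holds the logon account (LocalSystem, NT AUTHORITY\..., DOMAIN\name, ...)
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $c -ErrorAction SilentlyContinue
        foreach ($s in $services) {
            $acct = Get-BareName ($s.StartName)
            if ($User -contains $acct) {
                [pscustomobject]@{ Computer = $c; Kind = 'Service'; Name = $s.Name; Command = $s.PathName; Account = $acct }
            }
        }
    }
}

# All enabled server-class computers in the domain
$servers = Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -like '*Server*'" -Properties OperatingSystem |
           Select-Object -ExpandProperty Name

$hits = @(Get-DependenciesOn -Computer $servers -User $Retiring)
$hits | Format-Table -AutoSize

# Disable (never delete) only the accounts that nothing still runs as; keep the SID and leave a breadcrumb.
$blocked = $hits | ForEach-Object Account | Sort-Object -Unique
foreach ($sam in $Retiring) {
    if ($blocked -contains $sam) {
        Write-Warning "$sam is still used by $(@($hits | Where-Object Account -eq $sam).Count) task(s)/service(s); fix those first"
        continue
    }
    $u = Get-ADUser -Identity $sam
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format yyyy-MM-dd) during cleanup; review for deletion after 90 days"
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOU
}
```

Workstations are left out of the server filter on purpose (the query would take much longer and user-created tasks there are rarely service dependencies); widen the filter if copiers or other devices in the domain keep tasks of their own.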

Domain Security

Prevent non-admins from joining computers to your domain (by default any authenticated user may join up to 10 machines):

  1. In Active Directory Users and Computers, turn on View > Advanced Features, then right-click your domain name and select Properties
  2. Click the Attribute Editor tab
  3. Find ms-DS-MachineAccountQuota and change the value from its default of 10 to 0.

The quota only removes the default right of ordinary users; domain admins and anyone delegated Create Computer objects on an OU can still join machines, so review those delegations as well.
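The same change from PowerShell, as an added example that is not part of the original page, together with the check a practitioner wants afterwards: the value is read back, and the domain is inventoried for computer objects that were created under the quota (AD records the creating user's SID in mS-DS-CreatorSID on such objects, and leaves it empty on objects created by admins or delegated accounts), so you can see which machines non-admins joined before the change. It assumes the RSAT ActiveDirectory module and domain-admin rights; nothing beyond the attribute names is assumed.

```powershell
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

"Before: ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"   # 10 on an untouched domain

# Set the quota to 0 on the domain object; this is the same attribute the ADUC steps above edit.
Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }

"After:  ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"

# Inventory: computer objects created under the quota carry the creator's SID in mS-DS-CreatorSID.
function Get-QuotaJoinedComputers {
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $sid = $_.'mS-DS-CreatorSID'
            # The module may hand the attribute back as a SecurityIdentifier or as raw bytes; handle both
            if ($sid -is [byte[]]) { $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0) }
            # Translate to DOMAIN\user; fall back to the SID string if the account no longer exists
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
        }
}

Get-QuotaJoinedComputers | Sort-Object Created | Format-Table -AutoSize
```

Machines in that list were joined by whoever is shown in CreatedBy, and that user keeps the rights the quota join granted them over the computer object; rejoin or re-create the ones you cannot account for.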

Active Directory Recycle Bin

By default the Active Directory Recycle Bin is disabled. Enable it (this is forest-wide, cannot be undone, and requires a forest functional level of Windows Server 2008 R2 or higher):
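As an added example (not from the original page), enabling it from PowerShell with the preconditions checked, followed by the restore the feature exists for. The forest name comes from Get-ADForest; only the deleted user's name in the restore step is hypothetical, and the RSAT ActiveDirectory module and Enterprise Admin rights are assumed.

```powershell
Import-Module ActiveDirectory

$forest = Get-ADForest

# Precondition: forest functional level Windows Server 2008 R2 (ADForestMode value 4) or higher
if ([int]$forest.ForestMode -lt 4) {
    throw "Forest functional level is $($forest.ForestMode); raise it before enabling the Recycle Bin"
}

function Get-RecycleBinState {
    # EnabledScopes stays empty while the feature is off
    $f = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    $f.EnabledScopes.Count -gt 0
}

if (-not (Get-RecycleBinState)) {
    # Forest-wide and irreversible; -Confirm:$false skips the interactive prompt
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
                             -Target $forest.Name -Confirm:$false
}
"Recycle Bin enabled: $(Get-RecycleBinState)"

# What it buys you: a user deleted after this point keeps its attributes (SID, group memberships,
# password) and comes back intact. 'jsmith' is a hypothetical deleted user.
function Restore-DeletedUser([string]$SamAccountName) {
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
                            -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $deleted) { Write-Warning "no deleted object named $SamAccountName"; return }
    # Restored to its last known parent by default; pass -TargetPath if that OU no longer exists
    $deleted | Restore-ADObject
    Get-ADUser -Identity $SamAccountName
}

Restore-DeletedUser -SamAccountName 'jsmith'
```

Objects deleted before the feature was enabled are plain tombstones with most attributes stripped, so the restore only works fully for deletions made after this point.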