Active Directory

Naming Your Domain

Microsoft strongly recommends that you register a public domain and use subdomains of it for internal DNS (TechNet article). Register a public DNS name so that you own it, then create subdomains for internal use and make sure your DNS configuration is set up correctly.

Domain Security

Prevent non-admins from joining computers to your domain:

  1. Right click your domain name and select Properties
  2. Click the Attribute Editor tab
  3. Find ms-DS-MachineAccountQuota and change the value to 0.
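
The same change can be made and verified from PowerShell. The script below is an added example, not part of the original page. It assumes the ActiveDirectory module (RSAT) is installed and that the session runs as a domain administrator. Before setting the quota to 0, it also lists the computers that were already joined under the quota.

```powershell
# Added example: audit and set ms-DS-MachineAccountQuota.
# Assumptions: ActiveDirectory module (RSAT) available, domain admin session.
Import-Module ActiveDirectory

$attr = 'ms-DS-MachineAccountQuota'
$dn   = (Get-ADDomain).DistinguishedName

# 1. Read the current quota from the domain head object (the default is 10).
$current = (Get-ADObject -Identity $dn -Properties $attr).$attr
Write-Host "Current $attr on ${dn}: $current"

# 2. List computer accounts that were created under the quota.
#    AD records the creator in mS-DS-CreatorSID on those computer objects.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = "$sid (unresolved, creator may have been deleted)" }
        [pscustomobject]@{
            Computer  = $_.Name
            CreatedBy = $who
            Created   = $_.whenCreated
        }
    } |
    Sort-Object Created |
    Format-Table -AutoSize

# 3. Set the quota to 0 if needed, then read it back to confirm the change.
if ($current -ne 0) {
    Set-ADDomain -Identity $dn -Replace @{ $attr = 0 }
    $current = (Get-ADObject -Identity $dn -Properties $attr).$attr
    Write-Host "New $attr value: $current"
}
```

The quota only limits the default right of ordinary users to add workstations; accounts that have been delegated permission to create computer objects in an OU can still join machines, so review those delegations separately.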


When a user account is no longer needed, don't delete it; disable it and, if desired, move it to a “Disabled” folder. If the account still hasn't been needed after a period of time, you can then delete it.


Always assign permissions to a group rather than to individual users, even if it means creating a group for one user. This greatly streamlines administration during employee turnover and re-assignments.

Use a name that describes the purpose and permissions of the group. For example, a group named Access to Scans Folder (M) would provide access/modify permissions on the scans folder.