Optimize your Active Directory management by adding staff profile pictures for better visibility and disabling users instead of deleting them for improved CRM reporting. Standardize group names, utilize Group Policy for settings, enable auditing of logon attempts, and manage local administrator passwords with LAPS to enhance security and efficiency.
You can upload staff profile pictures into Active Directory. Exchange and Lync will automatically use these profile pictures.
When a user is created in Active Directory (AD), a Globally Unique Identifier (GUID) is also created. As the name suggests, this is unique for each user and is never duplicated in a domain.
Postmaster is an RFC-mandated email address used to identify the administrator of a mail server. Any errors in email processing are directed to the postmaster address.
The email received at this address is sent to the mail server administrator, in our case the SysAdmins.
The use of standardized group names is a simple yet crucial step towards easier management. Reducing the number of AD groups will make it simpler to manage and allow new staff to figure out what's what faster.
You can save yourself countless confused conversations by standardizing AD Group Names.
Group Policy is simply the easiest way to reach out and configure computer and user settings on a network based on Active Directory Domain Services (AD DS). If your business is not using Group Policy, you are missing a huge opportunity to reduce costs, control configuration, keep users productive and happy, and harden security. Think of Group Policy as "touch once, configure many."
It is important as a Network Administrator to know when and where failed login attempts are coming from. Through Group Policy you can enable "Audit logon events".
Group Policy is a fast and effective way to configure Hibernate on multiple PCs.
When using a single account for normal user login and admin tasks, the first thing that comes to mind is all of the Group Policy settings associated with that account. These could include scripts, software installations, drive mappings, printers and many other settings that would apply when you log on to a computer in the domain. You wouldn't want all of these to apply when you log on to a Domain Controller or any other server.
When using service accounts, you should have a specific AD account for each major service.
"Active directory is quickly becoming a critical failure point in any big sized company, as it is both complex and costly to secure..." - PingCastle
PingCastle is an Active Directory auditing tool. It checks your accounts, computers and configuration in AD and gives you a great report on things that should be addressed. It is a tool that should be run periodically - every 3-6 months - to keep AD secure.
It is important to know what to do with your employees' accounts when they leave. Getting this wrong can create security vulnerabilities - or it can make life difficult for everyone if the employee comes back to work for you again.
Keeping your Active Directory environment tidy is helpful to keep things running smoothly, but it is also important to improve your security posture.
Keeping your Active Directory (AD) environment secure is paramount for your overall security posture, so it is important to keep track of changes that are made in AD - and to have alerts for when potentially damaging changes are made.
Auditing your Active Directory environment with third-party tools offers several advantages. While this can be done with a SIEM such as Splunk or Microsoft Sentinel, these might be overkill for some companies.
There are dedicated tools just for AD Auditing, such as ManageEngine ADAudit Plus. Let’s delve into the benefits of using such tools, focusing on visibility, alerting, and reporting:
To detect and mitigate a cyber attack, the right set of events needs to be collected from your domain controllers. The audit policy is a compromise between collecting too many and too few events. Logs are useful for detecting security events, but if there is too much noise, you'll miss the important information.
It is best practice to limit the number of administrator accounts in your environment, including local administrators on users' computers. However, it is necessary to have a local administrator account so the computer can be accessed if it loses connection to the domain. LAPS does exactly that.
With more companies adopting BYOD policies, it is important for SysAdmins to be able to connect to Remote Server Administration Tools (RSAT) such as Active Directory Users and Computers (ADUC) in a secure way, even if their computer is not connected to the domain.