Rules to Better Active Directory - 10 Rules

  1. Do you add staff profile pictures into AD?

    You can upload staff profile pictures into Active Directory. Exchange and Lync will automatically use these profile pictures.

    Using the free third-party tool AD Photo Edit, which can be downloaded from , you can upload staff profile pictures into AD. You need to run the application with Domain Admin rights. After you have uploaded the picture for a user, it will take some time for the change to replicate through to Exchange and Lync if you use these solutions.

    Figure: Profile picture imported from AD into Exchange

    Figure: Profile picture imported from AD into Lync

  2. When a user is created in Active Directory (AD) a Globally Unique Identifier (GUID) is also created. As the name suggests, this is unique for each user and is never duplicated in a domain.

    Figure: GUID for User Steven Andrews

    When adding a user to CRM they are assigned an Employee ID, which is linked to the AD account's GUID.

    Figure: AD User StevenAndrews is tied to STA Employee ID through AD GUID

    When a user leaves, many companies disable the CRM account and then delete the AD user. The problem with deleting the AD user is that if the employee later returns and a new AD account is created for them, it can no longer be associated with the previously created CRM account. Instead they will need a new CRM user with a different Employee ID.

    This in turn makes reporting on a user who has returned more difficult. To get around this, it is much easier to disable the user and move them to a "Disable Users" Organizational Unit (OU) in AD, so that if they return, the AD and CRM user can simply be re-enabled.

    NOTE: It is important to make sure that users who have left are disabled and removed from any security groups, so that any permissions they had are revoked.
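    The offboarding steps above (disable, strip group memberships, move to the "Disable Users" OU) as an added PowerShell example, not code from the SSW page; it assumes the RSAT ActiveDirectory module, and the OU path and domain are placeholders.

```powershell
# Added example (not from the SSW page): offboard a leaver by disabling rather
# than deleting, so the objectGUID that CRM's Employee ID references survives.
# Assumes the RSAT ActiveDirectory module and a pre-created "Disable Users" OU.
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=Disable Users,DC=example,DC=local'   # placeholder
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, PrimaryGroup

    # 1. Disable the account so its credentials can no longer be used.
    Disable-ADAccount -Identity $user

    # 2. Revoke permissions: remove every group membership except the primary
    #    group (normally Domain Users), which AD does not allow you to remove.
    foreach ($groupDn in $user.MemberOf) {
        if ($groupDn -ne $user.PrimaryGroup) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
    }

    # 3. Record when and why, then move the object to the disabled-users OU.
    #    Moving an object does not change its objectGUID, so CRM still resolves it.
    Set-ADUser -Identity $user -Description ('Disabled {0:yyyy-MM-dd} (left company)' -f (Get-Date))
    Move-ADObject -Identity $user -TargetPath $DisabledOu

    # Re-read by GUID (the old DN is now stale) so the operator can confirm
    # the GUID still matches the Employee ID recorded in CRM.
    Get-ADUser -Identity $user.ObjectGUID |
        Select-Object SamAccountName, Enabled, ObjectGUID, DistinguishedName
}

Disable-LeaverAccount -SamAccountName 'StevenAndrews'
```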

  3. What is a postmaster account?

    It is an RFC-mandated email address used to identify the administrator of a mail server. Any errors in email processing are directed to the postmaster address.

    The email received at this address is sent to the mail server administrator, in our case the SysAdmins.

    At SSW we have configured as a distribution group, with the mail server administrators as members of this distribution group.

    Figure: Group members of

  4. Do you standardize AD group names?

    The use of standardized AD group names is a simple yet crucial step towards building more manageable software. Reining in the number of AD groups used by an application will make it simpler to manage and allow new developers to pick up an existing project faster.

    You can save yourself countless confused conversations by standardizing AD Group Names.

    For example, this is a list of AD groups associated with products:


    Figure: Bad Example – It is difficult to know the correct name for an AD group


    Figure: Good Example – By standardizing the names of AD groups it saves confusion

    Note: For large organizations, a better way is to use the type of group (e.g. Local or Global), then the entity it is associated with, then the resource (or service).


    • L-LocalGroupName-SYD-EntityName-SP-Sharepoint- becomes L-SYD-SP-SSW-Users
    • G-GlobalGroupName-SYD-EntityName-SP-Sharepoint- becomes G-SYD-SP-SSW-Users

    Note: You would not use this naming convention for distribution groups – as they would display to users.

    It is recommended by default to have two AD groups per product. The following table should be used as a guide for naming them:

    Group name               Type                Purpose
    SSW<ProductName>         Distribution group  Used to send emails to the development team for a product.
    SSW<ProductName>Events   Mailbox             Acts as the collection point for all automatic notifications, for example notifications from Elmah and/or Application Insights.

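    An added PowerShell check, not from the SSW page, that reports security groups whose names do not follow the <Type>-<Site>-<Service>-<Entity>-<Role> convention from the note above (e.g. L-SYD-SP-SSW-Users), taking L as domain local and G as global; the site, service and role code lists and the OU path are placeholders.

```powershell
# Added example (not from the SSW page): find security groups that break the
# <Type>-<Site>-<Service>-<Entity>-<Role> naming convention, and groups whose
# AD scope contradicts their L/G prefix. Code lists and OU are placeholders.
Import-Module ActiveDirectory

$Sites    = 'SYD|MEL|BNE'          # placeholder site codes
$Services = 'SP|SQL|CRM|FS'        # placeholder service codes
$Roles    = 'Users|Admins|Readers' # placeholder role suffixes
$Pattern  = "^(?<Type>L|G)-(?<Site>$Sites)-(?<Service>$Services)-(?<Entity>[A-Za-z0-9]+)-(?<Role>$Roles)$"
$ScopeFor = @{ L = 'DomainLocal'; G = 'Global' }   # interpretation of "Local" and "Global"

function Test-GroupNameConvention {
    param([Parameter(Mandatory)] [string] $Name, [string] $GroupScope)
    if ($Name -notmatch $Pattern) {
        return [pscustomobject]@{ Name = $Name; Problem = 'name does not match convention' }
    }
    # The prefix promises a scope; report groups where AD disagrees.
    if ($GroupScope -and $GroupScope -ne $ScopeFor[$Matches.Type]) {
        return [pscustomobject]@{
            Name = $Name; Problem = "prefix $($Matches.Type) implies $($ScopeFor[$Matches.Type]), scope is $GroupScope"
        }
    }
    $null   # compliant
}

# Security groups only: distribution groups are shown to users and are exempt.
$searchBase = 'OU=Groups,DC=example,DC=local'   # placeholder
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $searchBase |
    ForEach-Object { Test-GroupNameConvention -Name $_.Name -GroupScope $_.GroupScope.ToString() } |
    Format-Table -AutoSize
```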
  5. Group Policy is simply the easiest way to reach out and configure computer and user settings on a network based on Active Directory Domain Services (AD DS). If your business is not using Group Policy, you are missing a huge opportunity to reduce costs, control configuration, keep users productive and happy, and harden security. Think of Group Policy as "touch once, configure many."

    You can manage all aspects of Group Policy by using the Group Policy Management Console (GPMC). You start the GPMC from the Start menu: Click Start, All Programs, Administrative Tools, Group Policy Management. You can also click Start, type Group Policy Management, and then click Group Policy Management in the Programs section of the Start menu. Windows Server 2008 onwards includes the GPMC when running the AD DS role.


    Figure: Group Policy Management Console showing GPO

  6. It is important as a Network Administrator to know when and where failed login attempts are coming from. Through Group Policy you can enable "Audit logon events".

    1. Create a group policy called 'Logon Auditing Policy'
    2. Right click on 'Logon Auditing Policy' and click on Edit to bring up Group Policy Management Editor
    3. Select 'Audit account logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure
    4. Select 'Audit logon events' from Computer Configuration | Policies | Windows Settings | Local Policies | Audit Policy and set to Success, Failure

    Figure: Select 'Audit logon events'

    5. Select 'Audit: Force audit policy...' from Computer Configuration | Policies | Windows Settings | Local Policies | Security Options and set to Enabled

    Figure: Select 'Audit: Force audit policy...'

    Figure: Successful and Failed login attempts will now appear in Event Viewer | Security

    You will now be able to see successful and failed login attempts on user accounts. These can then be captured and audited with your own internal process or a third-party application such as WhatsUp Gold, see: Do you monitor failed login attempts?
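    Once the audit policy above is in place, the Security log fills with event 4625 for each failure; this added PowerShell example (not from the SSW page) summarises them by account and source address so repeated failures stand out. The lookback window and alert threshold are placeholders.

```powershell
# Added example (not from the SSW page): summarise failed logons (event 4625)
# recorded by "Audit logon events", grouped by target account and source IP.
# Run on the domain controller or the audited machine with event log rights.
param(
    [int] $Hours = 24,      # placeholder lookback window
    [int] $Threshold = 5    # placeholder: failures per account+source that warrant a look
)

function Get-FailedLogonSummary {
    param([int] $Hours, [int] $Threshold)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull the named <Data> fields out of the event's EventData XML.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $field['TargetDomainName'], $field['TargetUserName']
            SourceIp    = $field['IpAddress']
            Workstation = $field['WorkstationName']
            LogonType   = $field['LogonType']
            # SubStatus distinguishes a bad password (0xC000006A) from an unknown user (0xC0000064).
            SubStatus   = $field['SubStatus']
        }
    } | Group-Object Account, SourceIp | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account     = $sorted[0].Account
            SourceIp    = $sorted[0].SourceIp
            Failures    = $_.Count
            FirstSeen   = $sorted[0].Time
            LastSeen    = $sorted[-1].Time
            SubStatuses = ($sorted.SubStatus | Sort-Object -Unique) -join ','
            Alert       = $_.Count -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours $Hours -Threshold $Threshold | Format-Table -AutoSize
```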

  7. Group Policy is a fast and effective way to configure Hibernate on multiple PCs.

    To enable the Hibernate option via Group Policy, open Group Policy Management.

    1. Create a new Group Policy Object and name it "EnableHibernate"
    2. Right click on "EnableHibernate" and click on Edit to bring up Group Policy Management Editor
    3. Select 'Show hibernate in the power options menu' from Computer Configuration | Policies | Administrative Templates | Windows Components | File Explorer and set to Enabled
    4. Back in Group Policy Management Enable Link for "EnableHibernate"
    5. Wait a few moments for the GPO to refresh and apply. Alternatively, manually force a Group Policy update from the Command Prompt with gpupdate /force. Check that the Hibernate option now appears in the Start Menu.

  8. Do you use a separate Administrator account?

    When using a single account for normal user login and admin tasks, the first thing that comes to mind is all of the Group Policy settings associated with that account. This could include scripts, software installations, drive mappings, printers and many other settings that apply when you log on to a computer in the domain. You wouldn't want all of these to apply when you log on to a Domain Controller or any other server.

    Another reason is that you may step away from your computer and forget to lock it. This exposes your computer to co-workers who could tinker with your system, and if that account has domain administrator privileges they can change security and other settings on any Domain Controller and other servers.

    To prevent this, at SSW we create a separate Administrator account with the prefix Admin. This signifies that it is an Admin account and does have administrator privileges. The Admin account is also placed in a separate OU to ensure that it does not receive unnecessary Group Policies. This makes it easier to set up permissions, lets us provide access only to the machines required, and also makes the user aware that they are doing something dangerous, so they are inherently more careful. A standard account (one without the Admin prefix) does not and should not have access to any servers.

    Figure: SSW AD Users and Computers showing Admin accounts in separate OU
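    An added PowerShell audit, not from the SSW page, that lists privileged group members which break the convention above: accounts without the Admin prefix or outside the dedicated admin OU. The OU path and the list of groups to check are placeholders.

```powershell
# Added example (not from the SSW page): find members of privileged groups
# that lack the Admin prefix or sit outside the admin OU, where unwanted user
# Group Policies (scripts, drive mappings, installs) would still apply to them.
Import-Module ActiveDirectory

function Get-PrivilegedAccountExceptions {
    param(
        [string[]] $Groups  = @('Domain Admins', 'Administrators'),        # placeholder group list
        [string]   $AdminOu = 'OU=Admin Accounts,DC=example,DC=local',      # placeholder OU
        [string]   $Prefix  = 'Admin'
    )
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirect members are checked too.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate
                $problems = @()
                if ($u.SamAccountName -notlike "$Prefix*")      { $problems += "no '$Prefix' prefix" }
                if ($u.DistinguishedName -notlike "*,$AdminOu") { $problems += 'outside admin OU' }
                if ($problems.Count -gt 0) {
                    [pscustomobject]@{
                        Group     = $g
                        Account   = $u.SamAccountName
                        Enabled   = $u.Enabled
                        LastLogon = $u.LastLogonDate
                        Problems  = $problems -join '; '
                    }
                }
            }
    }
}

Get-PrivilegedAccountExceptions | Sort-Object Group, Account | Format-Table -AutoSize
```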

  9. Do you run services on their own AD accounts?

    When using service accounts, you should have a specific AD account for each major service.

    Figure: Bad example - using the default Administrator account

    Figure: Better example - At least don't use the Administrator account, create a new account

    Figure: Best example - A specific AD account for each major service

    Figure: Bad example - using the network admin's name

    Figure: Good example - a specific SQL Server account being used
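    An added PowerShell inventory, not from the SSW page, that lists services running under domain accounts and flags the anti-patterns shown in the figures above: the built-in Administrator, a named person's account, and one account shared by several services. Server names and the list of personal accounts are placeholders.

```powershell
# Added example (not from the SSW page): report which Windows services run under
# which domain accounts, and flag Administrator, personal logins, and accounts
# shared across services (each major service should have its own account).
function Get-ServiceAccountReport {
    param(
        [string[]] $ComputerName     = @('SQL01', 'APP01'),   # placeholder servers
        [string[]] $PersonalAccounts = @('StevenAndrews')     # placeholder: staff logins, not service accounts
    )
    # Built-in identities that are not domain accounts and need no review here.
    $builtIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+|\.\\.+)$'

    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and $_.StartName -notmatch $builtIn } |
        Select-Object PSComputerName, Name, StartName, State

    # Services per account across all queried servers, keyed by the raw StartName.
    $usage = $services | Group-Object StartName -AsHashTable -AsString

    foreach ($s in $services) {
        # Normalise DOMAIN\user and user@domain to the bare user name.
        $account = if ($s.StartName -match '\\') { ($s.StartName -split '\\')[-1] }
                   else                          { ($s.StartName -split '@')[0] }
        $flags = @()
        if ($account -eq 'Administrator')            { $flags += 'built-in Administrator' }
        if ($PersonalAccounts -contains $account)    { $flags += 'personal account' }
        if (@($usage[$s.StartName]).Count -gt 1)     { $flags += 'shared by multiple services' }
        [pscustomobject]@{
            Server  = $s.PSComputerName
            Service = $s.Name
            Account = $s.StartName
            State   = $s.State
            Flags   = $flags -join '; '
        }
    }
}

Get-ServiceAccountReport | Where-Object Flags | Sort-Object Account, Server | Format-Table -AutoSize
```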

  10. "Active directory is quickly becoming a critical failure point in any big sized company, as it is both complex and costly to secure..." - PingCastle

    PingCastle is an Active Directory auditing tool. It checks your accounts, computers and configuration in AD and gives you a great report on things that should be addressed. It is a tool that should be run periodically (we do it every 3 months) to keep AD secure.

    PingCastle is easy to install and run - see their documentation for more information. It is free to use in your own environment, or there are paid versions for MSPs and larger enterprises.

    Figure: PingCastle report

    Once you have run it, you get a great report on your Active Directory security health, with detailed recommendations of what you need to fix.

    Figure: Example item from PingCastle, with detailed description and solution
