Active Directory Management Best Practices for Good Housekeeping: A Place for Everything, Everything in its Place

Active Directory plays a critical role in an organization’s IT infrastructure, as it authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.

The role of Active Directory also involves helping organize pretty much everything, from which computers belong on which network, to what systems users have access to. As such, it enables the centralized, secure management of an entire network, whether that network spans a building, a city, or multiple locations throughout the world.

So it’s easy to see why keeping Active Directory clean is important to your network security. In this blog post, we’ll go over some of the top Active Directory Management best practices that will help you establish good housekeeping to help keep your network secure by reducing your risk exposure.

Active Directory Management Best Practices

1 Keep the Domain Admins Group Tidy

Domain Admins have local admin rights on every domain-joined system, so it’s important to keep this group locked down. Under no circumstances should you have accounts just sitting in the Domain Admins group, except for the built-in Domain Administrator account (which we’ll touch on here as well). Only place accounts into the Domain Admins group temporarily, and make a habit of removing them once they are no longer required. This simple step greatly increases the security of your network.
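The review described above, as an added PowerShell example (not from the original post and not a Goverlan Reach feature): it lists every member of Domain Admins other than the built-in Administrator, flags whether each is a direct or nested member, and offers a dry-run removal of direct members. It assumes the RSAT ActiveDirectory module and rights to read and modify the group; the account name passed to -Keep is a placeholder.

```powershell
# Added example: report and (optionally) prune Domain Admins membership.
# Assumes the ActiveDirectory module (RSAT) and permission to modify the group.
Import-Module ActiveDirectory

function Get-DomainAdminsReview {
    $domainSid  = (Get-ADDomain).DomainSID.Value
    $builtinSid = "$domainSid-500"                        # built-in Administrator, the one account allowed to stay
    $group      = Get-ADGroup -Identity "$domainSid-512"  # Domain Admins, found by well-known RID (works in any language)

    # SIDs of direct members, so nested members can be told apart below.
    $direct = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.SID.Value })

    # -Recursive expands nested groups so an account tucked one level down is still reported.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SID.Value -ne $builtinSid } |
        ForEach-Object {
            $lastLogon = $null
            if ($_.objectClass -eq 'user') {
                $lastLogon = (Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate).LastLogonDate
            }
            [pscustomobject]@{
                Member        = $_.SamAccountName
                ObjectClass   = $_.objectClass
                DirectMember  = $direct -contains $_.SID.Value
                LastLogonDate = $lastLogon
            }
        }
}

# Removal only touches direct members: a nested account has to be removed from the group that
# actually contains it, which the DirectMember column above points you to.
function Remove-ExtraDomainAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Keep = @())   # accounts documented as temporarily required, by SamAccountName

    $group = Get-ADGroup -Identity "$((Get-ADDomain).DomainSID.Value)-512"
    Get-DomainAdminsReview |
        Where-Object { $_.DirectMember -and ($Keep -notcontains $_.Member) } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Member, "Remove from $($group.Name)")) {
                Remove-ADGroupMember -Identity $group -Members $_.Member -Confirm:$false
            }
        }
}

Get-DomainAdminsReview | Format-Table -AutoSize
Remove-ExtraDomainAdmins -Keep 'jdoe.adm' -WhatIf   # 'jdoe.adm' is a placeholder; drop -WhatIf to apply
```

Run the review on a schedule and keep the output: a Domain Admins membership list with a "temporary" account still in it a month later is exactly the drift the post warns about.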

3 Disable Accounts for Employees on Extended Leave

One can never be entirely sure what’s going on with an employee on extended leave, so it’s essential to always disable their accounts, as an AD Management best practice. Leaving Active Directory accounts live for employees that are not in the office is just inviting opportunities for the accounts to be abused, either by that employee or by someone else who gets access to their credentials.

Disabling an Active Directory account means that account will be unusable throughout the duration of the employee’s leave. The account can then be re-enabled once they’re back to work.

5 Enforce a Password Expiration Policy

Make sure to set a minimum password age policy (in days) so that the system requires your users to change their password often enough. Do not allow the creation of passwords with no expiration date. Sure, it may be a minor nuisance for the end-user, but it’s one of the simplest best practices that goes a long way in the security of your network.
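An added PowerShell example (not from the original post, not a Goverlan Reach feature) that checks the domain password policy and finds the accounts that sidestep it. One caveat worth having in front of you: in Active Directory the setting that forces a periodic change is the maximum password age; the minimum password age only stops a user from changing the password again straight away (and so cycling back to an old one past the history check). The example reads both, then lists enabled users whose "password never expires" flag bypasses the maximum age and clears the flag on request. It assumes the ActiveDirectory module; the excluded service account name is a placeholder.

```powershell
# Added example: inspect the domain password-age policy and clear "password never expires".
# Assumes the ActiveDirectory module and rights to modify user accounts.
Import-Module ActiveDirectory

function Get-PasswordAgePolicySummary {
    $p = Get-ADDefaultDomainPasswordPolicy
    [pscustomobject]@{
        MaxPasswordAgeDays   = $p.MaxPasswordAge.Days        # forces the periodic change
        MinPasswordAgeDays   = $p.MinPasswordAge.Days        # blocks immediate re-changes
        PasswordHistoryCount = $p.PasswordHistoryCount
        MinPasswordLength    = $p.MinPasswordLength
        ExpirationEnforced   = ($p.MaxPasswordAge -gt [TimeSpan]::Zero)  # a zero max age means "never expires"
    }
}

# Enabled accounts whose flag exempts them from MaxPasswordAge altogether.
function Get-NeverExpiringPasswordUsers {
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet, Description |
        Select-Object SamAccountName, PasswordLastSet, Description
}

# Clears the flag. Accounts listed in -Exclude (documented service accounts under separate
# controls) are skipped. Note: once the flag is cleared, an account whose PasswordLastSet is
# already older than MaxPasswordAge expires at its next logon, so warn the owner first.
function Reset-PasswordExpiration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Exclude = @())
    Get-NeverExpiringPasswordUsers |
        Where-Object { $Exclude -notcontains $_.SamAccountName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Clear PasswordNeverExpires')) {
                Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false
            }
        }
}

Get-PasswordAgePolicySummary
Get-NeverExpiringPasswordUsers | Format-Table -AutoSize
Reset-PasswordExpiration -Exclude 'svc-backup' -WhatIf   # 'svc-backup' is a placeholder; drop -WhatIf to apply
```

If the summary shows ExpirationEnforced as false, the domain-wide value is set with Set-ADDefaultDomainPasswordPolicy -MaxPasswordAge (a TimeSpan, for example 90.00:00:00); a fine-grained password policy (New-ADFineGrainedPasswordPolicy) is the place to give service accounts a different age without exempting them outright.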

7 Keep Guest Access Disabled

The guest account exists on every Windows system. It’s a low-privilege Windows account that’s available to users who need occasional access to a Windows system.

Guest accounts allow users to access the network without a password, which makes them a common attack vector for malicious actors. Admins should disable guest account services altogether when they’re not needed. In fact, it’s good policy to keep guest accounts disabled by default and to rename them.

9 Don’t Forget to Purge Stale Accounts

An inactive user, or stale account, is one that hasn’t accessed data or logged into the network for 90 days or more. These accounts represent a serious security risk. However, it can be a challenge for IT organizations to keep tabs on their changing user base, and there is always a risk of an account falling through the cracks: a Varonis study found that as many as 26% of all accounts belong to inactive users. Active Directory reporting can be used to spot these accounts before they become a problem.

11 Automate User Provisioning and Deprovisioning

There are multiple steps involved in provisioning and deprovisioning users. A number of those steps can be automated in order to reduce the risk of manual errors. For example, when an employee is terminated you can create a workflow that executes the following steps:

  • Generate a Group Membership report — A simple report showing you which Active Directory Groups the targeted user(s) are members of.
  • Logoff all active/current sessions — An action that ends the targeted user(s) active sessions and displays a message to the user.
  • Generate a User Login History report — A simple report showing you the targeted user(s) login history. This tells you the machines the user(s) has been using.
  • Clean up Active Directory — An action that sets the password to expired, sets the user account to disabled, and moves the user to the “terminated user” Organizational Unit.
  • Remove Group Memberships — An action that removes all the AD Group memberships for the targeted user(s).

2 Back-up Active Directory for AD Forest Recovery

For incident recovery, it is important for the admin to be able to recover the entire Active Directory forest. For this reason, it’s a best practice to keep backups of Active Directory from several points in time, so that it can be restored from the last trusted backup whenever and wherever that is required.

When this occurs, admins need the password for the Domain Admin account. Accordingly, they should always have the Administrator and Directory Services Restore Mode (DSRM) password stored in a safe place.

This emergency scenario reinforces the importance of keeping Active Directory clean. If you are forced to restore your Active Directory from a backup, you don’t want to discover you have reinstated outdated credentials and opened up a potential attack vector.
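An added PowerShell example for the backup practice above (not from the original post, not a Goverlan Reach feature). It schedules a nightly system state backup of a domain controller with the Windows Server Backup cmdlets and then checks the one thing that quietly invalidates a backup: a system state older than the forest's tombstone lifetime cannot be used for an AD restore. It assumes the Windows-Server-Backup feature is installed and that E: is a dedicated backup volume; both the volume and the time are placeholders.

```powershell
# Added example: schedule a DC system state backup and test its age against the tombstone lifetime.
# Assumes the Windows-Server-Backup feature (Install-WindowsFeature Windows-Server-Backup) and the
# ActiveDirectory module. E: and 02:00 are assumed values.
Import-Module WindowsServerBackup
Import-Module ActiveDirectory

function Register-SystemStateBackup {
    param([string]$TargetVolume = 'E:', [string]$At = '02:00')
    $policy = New-WBPolicy
    Add-WBSystemState -Policy $policy                      # ntds.dit, SYSVOL, registry, boot files
    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target
    Set-WBSchedule -Policy $policy -Schedule ([datetime]$At)
    Set-WBPolicy -Policy $policy                           # saves the policy and creates the scheduled job
}

# The DSRM password the restore itself needs is not in the backup; it is set per DC with
#   ntdsutil "set dsrm password" "reset password on server null" q q
# and belongs in the same safe place as the Administrator password the post mentions.

function Test-BackupAgainstTombstoneLifetime {
    $config = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
    # Forests created before Windows Server 2003 SP1 leave the attribute unset, which means 60 days.
    $tombstoneDays = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

    $latest = Get-WBBackupSet | Sort-Object BackupTime -Descending | Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Status = 'NoBackup'; AgeDays = $null; TombstoneDays = $tombstoneDays; LatestBackup = $null }
    }
    $age = ((Get-Date) - $latest.BackupTime).Days
    [pscustomobject]@{
        Status        = if ($age -lt $tombstoneDays) { 'Restorable' } else { 'TooOld' }
        AgeDays       = $age
        TombstoneDays = $tombstoneDays
        LatestBackup  = $latest.BackupTime
    }
}

Register-SystemStateBackup
Test-BackupAgainstTombstoneLifetime
```

Run the test function from the same daily job that produces your other AD reports; a "TooOld" status means the last trusted backup is no longer a restore option, which is the moment to notice, not during the incident.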

4 Disable, then Purge Accounts for Ex-Personnel

When an employee leaves the company, how soon should you delete their account? The short answer is it depends, but you shouldn’t take too long. It’s common policy to disable Active Directory accounts right away, without actually deleting them. This is because the employee’s manager may still need to monitor the communications sent to the ex-employee’s inbox for a set period of time. Another AD Management best practice is to delete the account once that period expires.
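The termination workflow from the "Automate User Provisioning and Deprovisioning" list above and the disable-then-purge practice in this section, as one added PowerShell example (not from the original post and not Goverlan Reach's workflow engine). The offboarding function saves the group membership and last-logon reports, expires the password, disables the account, records the date in the description, removes group memberships and moves the object to a terminated-users OU; the purge function deletes accounts that the offboarding step stamped more than a retention period ago. The OU path, report folder, retention period and user name are assumptions. Logging off the user's active sessions is a per-machine action that this script does not cover.

```powershell
# Added example: offboarding steps for a terminated user, then deletion after a retention window.
# Assumes the ActiveDirectory module and rights on the users and the OU. All paths are assumed values.
Import-Module ActiveDirectory

$TerminatedOU  = 'OU=Terminated Users,DC=example,DC=com'   # assumption
$ReportDir     = 'C:\ADReports'                              # assumption
$RetentionDays = 90                                          # assumption: keep disabled accounts this long

function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, LastLogonDate
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

    # 1. Group Membership report, written before anything is removed so the record survives.
    $user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name } |
        Set-Content -Path (Join-Path $ReportDir "$SamAccountName-groups-$stamp.txt")

    # 2. Login history: AD only holds the replicated last logon; a per-machine history has to come
    #    from the workstation or DC Security logs (not shown here).
    "$SamAccountName last logon (replicated): $($user.LastLogonDate)" |
        Set-Content -Path (Join-Path $ReportDir "$SamAccountName-logon-$stamp.txt")

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Expire password, disable, strip groups, move to terminated OU')) {
        # 3. Clean up: expire the password, disable, and stamp the description with the date.
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Description "Disabled $stamp (offboarding)"
        Disable-ADAccount -Identity $user
        # 4. Remove group memberships (the primary group, Domain Users, is not in MemberOf and stays).
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        Move-ADObject -Identity $user -TargetPath $TerminatedOU
    }
}

# Deletes only accounts that the offboarding step disabled, stamped and moved, once the
# retention period (the manager's mailbox-monitoring window, per the post) has passed.
function Remove-ExpiredTerminatedUsers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Days = $RetentionDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    $candidates = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $TerminatedOU -Properties Description
    foreach ($u in $candidates) {
        if ($u.Description -match '^Disabled (\d{4}-\d{2}-\d{2})') {
            $disabledOn = [datetime]$Matches[1]
            if ($disabledOn -lt $cutoff -and
                $PSCmdlet.ShouldProcess($u.SamAccountName, "Delete (disabled $($disabledOn.ToShortDateString()))")) {
                Remove-ADUser -Identity $u -Confirm:$false
            }
        }
    }
}

Invoke-UserOffboarding -SamAccountName 'jdoe' -WhatIf   # 'jdoe' is a placeholder; drop -WhatIf to apply
Remove-ExpiredTerminatedUsers -WhatIf
```

Stamping the disable date on the object itself is what makes the purge safe to automate: the deletion criterion is the date your own workflow wrote, not a guess from whenChanged, and an account disabled by hand for another reason is left alone.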

6 Only Activate Local Admin Accounts as Needed

For day-to-day tasks, use only your individual account and keep the built-in local Administrator account disabled. If you do need the local Administrator credentials, boot into Safe Mode to use them, then boot back into Normal Mode, where the account is disabled again (its default state).
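An added PowerShell example covering the guest-account and local-admin practices above (not from the original post, not a Goverlan Reach feature). It reports the built-in Guest (RID 501) and Administrator (RID 500) accounts on the local machine and the domain Guest account, by SID rather than by name so a renamed account is still found, and disables any Guest that is enabled. Get-LocalUser needs Windows 10 / Server 2016 or later; the domain part needs the ActiveDirectory module.

```powershell
# Added example: audit the built-in local Administrator/Guest accounts and the domain Guest.
# Assumes Get-LocalUser (Windows 10 / Server 2016+) and the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-BuiltinAccountStatus {
    # Local accounts are matched by RID so a rename (a good practice) does not hide them.
    $local = @(Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' } | ForEach-Object {
        $rid = [int]($_.SID.Value -split '-')[-1]
        [pscustomobject]@{
            Scope     = 'Local'
            Account   = $_.Name
            Rid       = $rid
            Enabled   = $_.Enabled
            Renamed   = $_.Name -ne $(if ($rid -eq 500) { 'Administrator' } else { 'Guest' })
            LastLogon = $_.LastLogon
        }
    })

    $domainGuest = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-501" -Properties LastLogonDate
    $domain = [pscustomobject]@{
        Scope     = 'Domain'
        Account   = $domainGuest.SamAccountName
        Rid       = 501
        Enabled   = $domainGuest.Enabled
        Renamed   = $domainGuest.SamAccountName -ne 'Guest'
        LastLogon = $domainGuest.LastLogonDate
    }
    $local + @($domain)
}

function Disable-GuestAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $localGuest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
    if ($localGuest.Enabled -and $PSCmdlet.ShouldProcess("local $($localGuest.Name)", 'Disable')) {
        Disable-LocalUser -SID $localGuest.SID
    }
    $domainGuest = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-501"
    if ($domainGuest.Enabled -and $PSCmdlet.ShouldProcess("domain $($domainGuest.SamAccountName)", 'Disable')) {
        Disable-ADAccount -Identity $domainGuest
    }
}

Get-BuiltinAccountStatus | Format-Table -AutoSize
Disable-GuestAccounts -WhatIf   # drop -WhatIf to apply
```

A Renamed value of false next to an enabled local Administrator is the combination to chase first. Fleet-wide, the rename is better done once through Group Policy (the "Accounts: Rename administrator account" and "Accounts: Rename guest account" security options) than machine by machine.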

8 Don’t Let Groups Get Cluttered

Do you have groups with no active users that are not default Active Directory groups? If so, you should delete the entire group to mitigate any potential vulnerabilities. You should also consider consolidating near-empty groups whenever possible. On top of this, admins must also monitor admin group membership changes and remove any inactive accounts.
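An added PowerShell example for this section (not from the original post, not a Goverlan Reach report). The first function lists non-default groups that have no enabled user members, the candidates for deletion or consolidation, skipping AD's own well-known groups. The second pulls the last day's additions to and removals from privileged groups out of a domain controller's Security log, which is the monitoring the section asks for. It assumes the ActiveDirectory module and rights to read the DC's Security event log; the group list is a starting point, not a complete one.

```powershell
# Added example: find empty custom groups and list recent privileged-group membership changes.
# Assumes the ActiveDirectory module and remote read access to the DC Security log.
Import-Module ActiveDirectory

function Get-EmptyCustomGroups {
    # isCriticalSystemObject is set on AD's built-in groups (Domain Users, Administrators, ...),
    # which must never be deleted, so they are excluded here.
    Get-ADGroup -Filter * -Properties isCriticalSystemObject, whenCreated, Description |
        Where-Object { -not $_.isCriticalSystemObject } |
        ForEach-Object {
            $members = @(Get-ADGroupMember -Identity $_ -Recursive -ErrorAction SilentlyContinue)
            $enabledUsers = @($members | Where-Object { $_.objectClass -eq 'user' } |
                Where-Object { (Get-ADUser -Identity $_.distinguishedName).Enabled })
            if ($enabledUsers.Count -eq 0) {
                [pscustomobject]@{
                    Group        = $_.Name
                    TotalMembers = $members.Count    # disabled users, computers and nested groups still count here
                    Created      = $_.whenCreated
                    Description  = $_.Description
                }
            }
        }
}

# Security events 4728/4732/4756 (member added to a global/local/universal security group) and
# 4729/4733/4757 (member removed) are logged on the DC that processed the change, so in a
# multi-DC domain pass every DC in -DomainController rather than only the PDC emulator.
function Get-PrivilegedGroupChanges {
    param(
        [int]$Hours = 24,
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [string[]]$DomainController = @((Get-ADDomain).PDCEmulator)
    )
    $filter = @{
        LogName   = 'Security'
        Id        = @(4728, 4729, 4732, 4733, 4756, 4757)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Action = if ($_.Id -in @(4728, 4732, 4756)) { 'Added' } else { 'Removed' }
                    Group  = $data['TargetUserName']
                    Member = $data['MemberName']       # distinguished name of the member
                    By     = $data['SubjectUserName']  # who made the change
                    DC     = $dc
                }
            } |
            Where-Object { $Groups -contains $_.Group }
    }
}

Get-EmptyCustomGroups | Format-Table -AutoSize
Get-PrivilegedGroupChanges -Hours 24 | Format-Table -AutoSize
```

An empty group with a description that nobody recognises and a creation date years back is the usual deletion candidate; a group with TotalMembers above zero but no enabled users is the one to empty first (those disabled members are the inactive accounts the section says to remove) and then consolidate.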

10 Use Reporting and Set Up Alerts to Audit Active Directory

Regularly auditing your Active Directory is essential, as it will help you spot manual errors and out-of-compliance users.

Goverlan Reach makes it easy to create reports on Active Directory objects. You can check the status of the user, account or password, the group memberships, as well as the last time a user logged in. As a result, you can create reports to pinpoint:

  • Users whose passwords never expire
  • Users who haven’t logged in for more than 90 days
  • Computers with no activity for more than 90 days
  • Disabled accounts
  • Changes made to user group memberships
  • Non-compliant local administrators

You can also create an IT Process Automation workflow to scan your Active Directory on a daily basis to detect out-of-compliance users or accounts. Upon discovery, an automated email can be sent to alert the admins or to create an incident management request in your ticketing system.
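The daily scan and alert described here, together with the stale-account check from "Don’t Forget to Purge Stale Accounts", as an added PowerShell example (not from the original post and not Goverlan Reach's workflow feature). It collects stale users and computers, never-expiring passwords and disabled accounts left outside the terminated-users OU, writes them to CSV, mails a summary to the admins, and registers the script as a daily scheduled task. The OU path, SMTP host, addresses, report folder and the audit service account are assumptions.

```powershell
# Added example: daily AD compliance scan with e-mail alert and scheduled-task registration.
# Assumes the ActiveDirectory module and an SMTP relay. All paths, addresses and accounts are assumed values.
Import-Module ActiveDirectory

$InactiveDays = 90
$TerminatedOU = 'OU=Terminated Users,DC=example,DC=com'   # assumption
$ReportDir    = 'C:\ADReports'                              # assumption
$SmtpServer   = 'smtp.example.com'                          # assumption
$AlertTo      = 'ad-admins@example.com'                     # assumption
$AlertFrom    = 'ad-audit@example.com'                      # assumption

function New-Finding($Check, $Object, $Detail) {
    [pscustomobject]@{ Check = $Check; Object = $Object; Detail = $Detail }
}

function Get-ADComplianceFindings {
    $span = New-TimeSpan -Days $InactiveDays
    @(
        # Inactivity is judged on lastLogonTimestamp, which replicates with up to 14 days of slack,
        # so a 90-day threshold really means "somewhere between 76 and 90 days of silence".
        Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly | Where-Object { $_.Enabled } |
            ForEach-Object { New-Finding 'StaleUser' $_.SamAccountName "last logon $($_.LastLogonDate)" }
        Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly | Where-Object { $_.Enabled } |
            ForEach-Object { New-Finding 'StaleComputer' $_.Name "last logon $($_.LastLogonDate)" }
        Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties PasswordLastSet |
            ForEach-Object { New-Finding 'PasswordNeverExpires' $_.SamAccountName "password set $($_.PasswordLastSet)" }
        # Disabled accounts that were not moved to the terminated OU point at an offboarding done by hand.
        Search-ADAccount -AccountDisabled -UsersOnly | Where-Object { $_.DistinguishedName -notlike "*,$TerminatedOU" } |
            ForEach-Object { New-Finding 'DisabledOutsideTerminatedOU' $_.SamAccountName $_.DistinguishedName }
    )
}

function Send-ComplianceAlert {
    param([object[]]$Findings)
    if (-not $Findings) { return }   # quiet day: no mail, nothing to page about
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $csv = Join-Path $ReportDir "ad-compliance-$(Get-Date -Format yyyyMMdd).csv"
    $Findings | Export-Csv -Path $csv -NoTypeInformation
    $summary = ($Findings | Group-Object Check | ForEach-Object { "$($_.Name): $($_.Count)" }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -To $AlertTo -From $AlertFrom `
        -Subject "AD compliance scan: $($Findings.Count) findings" -Body $summary -Attachments $csv
}

# Registers this script to run every morning under a dedicated low-privilege audit account
# (assumption: a gMSA with read rights on the directory; nothing here needs to write to AD).
function Register-ComplianceScanTask {
    param([string]$ScriptPath, [string]$RunAs = 'EXAMPLE\svc-adaudit$')
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At 6am
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Limited
    Register-ScheduledTask -TaskName 'AD Compliance Scan' -Action $action -Trigger $trigger -Principal $principal
}

Send-ComplianceAlert -Findings (Get-ADComplianceFindings)
```

Register the task once by hand (for example Register-ComplianceScanTask -ScriptPath 'C:\Scripts\ad-compliance.ps1', an assumed path); the script itself only scans and mails. Send-MailMessage still ships with Windows PowerShell, though Microsoft now flags it as obsolete, so the same summary can just as well be posted to your ticketing system's API, as the post suggests.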


Following best practices is a good start to allow your team to keep a clean Active Directory. However, good housekeeping requires constant monitoring of the actions taken, to reduce the risk of manual errors and configuration drift. Having a tool that allows you to easily create reports or automate processes can not only save you time, but also drastically improve security by enforcing IT compliance in your organization.
