Active Directory Management Best Practices for Good Housekeeping: A Place for Everything, Everything in its Place

Active Directory plays a critical role in an organization’s IT infrastructure, as it authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software.

The role of Active Directory also involves helping organize pretty much everything, from which computers belong on which network, to what systems users have access to. As such, it enables the centralized, secure management of an entire network, whether that network spans a building, a city, or multiple locations throughout the world.

So it’s easy to see why keeping Active Directory clean is important to your network security. In this blog post, we’ll go over some of the top Active Directory Management best practices that will help you establish good housekeeping to help keep your network secure by reducing your risk exposure.

Active Directory Management Best Practices

1 Keep the Domain Admins Group Tidy

Domain Admins have local admin rights on every domain-joined system, so it’s important to keep the group locked down. No account should sit in the Domain Admins group permanently, except for the Domain Administrator account (which we’ll touch on here as well). Only place accounts into the Domain Admins group temporarily, and make a habit of removing them once they are no longer required. This simple step will greatly increase the security of your network.
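As an added example (not code from the original post or from Goverlan), the following PowerShell audits the direct members of Domain Admins against an allowlist and stages the removal of anything else. It assumes the ActiveDirectory (RSAT) module, rights to edit the group, and a hypothetical allowlist containing only the built-in Administrator.

```powershell
# Added example, not code from the original post: audit Domain Admins against
# an allowlist and optionally remove the extras. Assumes the ActiveDirectory
# module and rights on the group.
Import-Module ActiveDirectory

# Accounts allowed to sit in the group permanently. Hypothetical list: only the
# built-in Administrator, as the post recommends.
$ApprovedDomainAdmins = @('Administrator')

function Get-UnapprovedDomainAdmins {
    param([string[]]$Approved = $ApprovedDomainAdmins)

    # Direct members only (no -Recursive): those are the ones that can be removed
    # from this group. A nested group is reported as a finding of its own, since
    # every member of that group inherits Domain Admins rights.
    Get-ADGroupMember -Identity 'Domain Admins' |
        Where-Object { $Approved -notcontains $_.SamAccountName } |
        ForEach-Object {
            if ($_.objectClass -eq 'user') {
                $u = Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate
                [pscustomobject]@{ SamAccountName = $u.SamAccountName; Type = 'user'
                                   Enabled = $u.Enabled; LastLogonDate = $u.LastLogonDate }
            } else {
                # group, computer or other principal: flag it, no logon data to show
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; Type = $_.objectClass
                                   Enabled = $null; LastLogonDate = $null }
            }
        }
}

function Remove-UnapprovedDomainAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($m in Get-UnapprovedDomainAdmins) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, 'Remove from Domain Admins')) {
            Remove-ADGroupMember -Identity 'Domain Admins' -Members $m.SamAccountName -Confirm:$false
        }
    }
}

Get-UnapprovedDomainAdmins | Format-Table -AutoSize
Remove-UnapprovedDomainAdmins -WhatIf    # drop -WhatIf once the list has been reviewed
```

The same check is worth running against Enterprise Admins, Schema Admins and the built-in Administrators group, which carry equivalent reach.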

3 Disable Accounts for Employees on Extended Leave

One can never be entirely sure what’s going on with an employee on extended leave, so as an AD management best practice it’s essential to always disable their accounts. Leaving Active Directory accounts live for employees who are not in the office simply invites abuse of those accounts, either by that employee or by someone else who gets hold of their credentials.

Disabling an Active Directory account means that account will be unusable throughout the duration of the employee’s leave. The account can then be re-enabled once they’re back to work.

5 Enforce a Password Expiration Policy

Make sure to set a minimum password age policy (in days) so that the system requires your users to change their password often enough. Do not allow the creation of passwords with no expiration date. Sure, it may be a minor nuisance for the end-user, but it’s one of the simplest best practices that goes a long way in the security of your network.
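As an added example (not from the original post), the PowerShell below inspects and enforces the default domain password policy and then clears the per-account "password never expires" flag that bypasses it. In Group Policy terms, the setting that forces a change after N days is Maximum password age; Minimum password age is the companion setting that stops a user from changing again immediately to cycle back to an old password. It assumes the ActiveDirectory module and Domain Admin rights; the day values and the exemption list are placeholders.

```powershell
# Added example, not from the original post: enforce the domain password policy
# and clear PasswordNeverExpires on ordinary users. Assumes the ActiveDirectory
# module; the numbers below are placeholders for your own policy.
Import-Module ActiveDirectory

$MaxAgeDays   = 90   # users must change at least this often
$MinAgeDays   = 1    # blocks an immediate second change that cycles back to an old password
$HistoryCount = 24   # previous passwords that cannot be reused

# What is in force today
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount, MinPasswordLength, ComplexityEnabled

# Apply the policy. A MaxPasswordAge of 0 means "never expire", which is what the post warns against.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays) `
    -MinPasswordAge (New-TimeSpan -Days $MinAgeDays) `
    -PasswordHistoryCount $HistoryCount -WhatIf

# Accounts flagged PasswordNeverExpires ignore the domain policy entirely.
# Hypothetical exemption list for accounts with a documented reason.
$Exempt = @('svc_backup')

function Get-NeverExpiringUsers {
    Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} -Properties PasswordLastSet |
        Where-Object { $Exempt -notcontains $_.SamAccountName }
}

function Clear-NeverExpiringFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-NeverExpiringUsers) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
    }
}

Get-NeverExpiringUsers | Select-Object SamAccountName, PasswordLastSet | Format-Table
Clear-NeverExpiringFlag -WhatIf
```

Two caveats before dropping the `-WhatIf`: an account whose PasswordLastSet is already older than the maximum age expires the moment the flag is cleared, so service accounts need a coordinated rotation, and Fine-Grained Password Policies (PSOs) applied to a user or group take precedence over the default domain policy shown here.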

7 Keep Guest Access Disabled

The guest account exists on every Windows system. It’s a low-privilege Windows account that’s available to users who need occasional access to a Windows system.

Guest accounts allow users to access the network without a password, which makes them a common attack vector for malicious actors. Admins should disable guest account services altogether when they’re not needed. In fact, it’s good policy to set guest accounts as disabled by default and rename them.

9 Don’t Forget to Purge Stale Accounts

An inactive user, or stale account, is one that hasn’t accessed data or logged into the network for 90 days or more. These accounts represent a serious security risk. However, it can be a challenge for IT organizations to keep tabs on their changing user base, and there is always a risk of an account falling through the cracks: a Varonis study found that as many as 26% of all accounts belong to inactive users. Active Directory reporting can be used to spot these accounts before they become a problem.

11 Automate User Provisioning and Deprovisioning

There are multiple steps involved with provisioning and de-provisioning users. A number of those steps can be automated in order to reduce the risk of manual errors. For example, when an employee is terminated you can create a workflow to execute the following steps:

  • Generate a Group Membership report — A simple report showing you which Active Directory Groups the targeted user(s) are members of.
  • Logoff all active/current sessions — An action that ends the targeted user(s) active sessions and displays a message to the user.
  • Generate a User Login History report — A simple report showing you the targeted user(s) login history. This tells you the machines the user(s) has been using.
  • Clean up Active Directory — An action that sets the password to expired, sets the user account to disabled, and moves the user to the “terminated user” Organizational Unit.
  • Remove Group Memberships — An action that removes all the AD Group memberships for the targeted user(s).
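As an added example (not code from the original post, nor Goverlan's own workflow), the following PowerShell function performs the Active Directory steps of the offboarding workflow above in one run. For the extended-leave case discussed earlier, the `Disable-ADAccount` call with a Description stamp is the only step needed. It assumes the ActiveDirectory module, rights to edit the user and groups, and a hypothetical "Terminated Users" OU; the session logoff and per-machine login history steps depend on endpoint tooling and are left as comments.

```powershell
# Added example, not from the original post: AD side of an offboarding workflow.
# Assumes the ActiveDirectory module; the OU and report directory are placeholders.
Import-Module ActiveDirectory

function Invoke-ADOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$TerminatedOU = 'OU=Terminated Users,DC=example,DC=com',  # placeholder OU
        [string]$ReportDir    = "$env:ProgramData\offboarding"             # where reports are kept
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf, LastLogonDate
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm'
    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

    # 1. Group membership report, kept so access can be reconstructed if needed.
    $groupNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    $groupNames | Set-Content -Path (Join-Path $ReportDir "$SamAccountName-groups.txt")

    # 2. Login history: AD itself only holds the last logon. A per-machine history
    #    needs Security log 4624 events from your log collector (not shown here),
    #    and ending live sessions needs per-machine access as well.
    "LastLogonDate: $($user.LastLogonDate)" |
        Set-Content -Path (Join-Path $ReportDir "$SamAccountName-lastlogon.txt")

    if (-not $PSCmdlet.ShouldProcess($SamAccountName,
            'Reset password, mark it expired, disable, strip groups, move to Terminated OU')) { return }

    # 3. Clean up: random password (invalidates anything the user still knows),
    #    mark it expired, disable, and stamp the date for a later purge job.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
    Set-ADUser -Identity $user -PasswordNeverExpires $false      # required before the expiry flag
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -Description "Offboarded $stamp"
    Disable-ADAccount -Identity $user

    # 4. Remove every group membership. The primary group (normally Domain Users)
    #    is not listed in MemberOf and cannot be removed this way.
    foreach ($dn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }

    # 5. Move to the Terminated OU, where GPOs and the purge job can find it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $TerminatedOU
}

Invoke-ADOffboarding -SamAccountName 'jdoe' -WhatIf   # 'jdoe' is a constructed example account
```

Run it with `-WhatIf` first; the group report written in step 1 is what lets you reverse the change if HR got the name wrong.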

2 Back-up Active Directory for AD Forest Recovery

For incident recovery, it is important for the admin to be able to recover the entire Active Directory forest. For this reason, it’s a best practice to save your Active Directory in various states so that it can be recovered from the last trusted backup whenever and wherever it’s required.

When this occurs, admins need the password for the Domain Admin account. Accordingly, they should always have the Administrator and Directory Services Restore Mode (DSRM) password stored in a safe place.

This emergency scenario reinforces the importance of keeping Active Directory clean. If you are forced to restore your Active Directory from a backup, you don’t want to discover you have reinstated outdated credentials and opened up a potential attack vector.
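As an added example (not from the original post), the commands below take and schedule a system state backup of a domain controller with Windows Server Backup and rotate the DSRM password that a forest recovery depends on. They assume you run elevated on the DC and that E: (a placeholder) is a dedicated backup volume.

```powershell
# Added example, not from the original post: system state backup of a domain
# controller plus DSRM password rotation. Run elevated on the DC; E: is a placeholder.

# One-time: the feature that provides wbadmin.exe
Install-WindowsFeature -Name Windows-Server-Backup

# System state on a DC covers the AD database (ntds.dit), SYSVOL, the registry and boot files
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Confirm the backup exists and see which versions can be restored
wbadmin get versions -backupTarget:E:

# Nightly run as SYSTEM, so a recent trusted backup always exists
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' -Argument 'start systemstatebackup -backupTarget:E: -quiet'
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AD-SystemStateBackup' -Action $action -Trigger $trigger -Principal $principal

# The restore is performed from Directory Services Restore Mode, which needs the
# DSRM password rather than a domain account. ntdsutil prompts for the new
# value; record it in your password vault straight away.
ntdsutil "set dsrm password" "reset password on server null" q q
```

Keep the backup target off the domain controller itself and test a restore into an isolated lab at least once: a backup nobody has restored is an assumption, not a recovery plan.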

4 Disable, then Purge Accounts for Ex-Personnel

When an employee leaves the company, how soon should you delete their account? The short answer is it depends, but you shouldn’t take too long. It’s common policy to disable Active Directory accounts right away, without actually deleting them. This is because the employee’s manager may still need to monitor the communications sent to the ex-employee’s inbox for a set period of time. Another AD Management best practice is to delete the account once that period expires.
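As an added example (not from the original post), this PowerShell deletes accounts that have sat disabled in the Terminated OU past a grace period, which is the "delete once that period expires" step above. It assumes the ActiveDirectory module; the OU name and the 30-day period are placeholders to align with your mailbox-retention window.

```powershell
# Added example, not from the original post: purge disabled accounts after a
# grace period. Assumes the ActiveDirectory module; OU and period are placeholders.
Import-Module ActiveDirectory

$TerminatedOU = 'OU=Terminated Users,DC=example,DC=com'
$GraceDays    = 30

function Get-PurgeCandidates {
    param([string]$SearchBase = $TerminatedOU, [int]$Days = $GraceDays)
    $cutoff = (Get-Date).AddDays(-$Days)
    # whenChanged is reset by any write to the object, so an account the helpdesk
    # touched recently (re-enabled, moved back, edited) is left alone.
    Get-ADUser -Filter {Enabled -eq $false} -SearchBase $SearchBase `
               -Properties whenChanged, LastLogonDate, Description |
        Where-Object { $_.whenChanged -lt $cutoff }
}

function Remove-PurgeCandidates {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($u in Get-PurgeCandidates) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Delete (disabled, untouched since $($u.whenChanged))")) {
            Remove-ADUser -Identity $u -Confirm:$false
        }
    }
}

Get-PurgeCandidates | Select-Object SamAccountName, whenChanged, LastLogonDate, Description | Format-Table
Remove-PurgeCandidates -WhatIf
```

Enable the AD Recycle Bin before running this without `-WhatIf`; it turns a mistaken deletion into a restore rather than a recreate, and objects protected from accidental deletion will simply fail to delete until the flag is cleared.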

6 Only Activate Local Admin Accounts as Needed

For day-to-day tasks, you should only be using your individual account while keeping the local admin account disabled. If you do need the Local Admin credentials, boot into Safe Mode to use them, then boot back into Normal Mode, where the account is disabled again (which is the default).
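As an added example (not from the original post), the following PowerShell audits the built-in local Administrator (RID 500) and Guest (RID 501) accounts on a machine, disables and renames Guest, keeps Administrator disabled, and does the same for the domain Guest; it covers both this section and the guest-access one above. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), local admin rights, and the ActiveDirectory module for the domain part; the decoy name is a placeholder.

```powershell
# Added example, not from the original post: audit and harden the built-in
# local Administrator and Guest accounts, and the domain Guest.
# Assumes Microsoft.PowerShell.LocalAccounts and the ActiveDirectory module.

function Get-BuiltinLocalAccount {
    # Built-in accounts are identified by the RID at the end of their SID, so a
    # renamed Guest or Administrator is still found.
    param([ValidateSet(500, 501)][int]$Rid)
    Get-LocalUser | Where-Object { $_.SID.Value -like "*-$Rid" }
}

function Get-BuiltinAccountStatus {
    foreach ($rid in 500, 501) {
        $a = Get-BuiltinLocalAccount -Rid $rid
        [pscustomobject]@{ Rid = $rid; Name = $a.Name; Enabled = $a.Enabled; LastLogon = $a.LastLogon }
    }
}

function Protect-GuestAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$NewName = 'svc_unused01')   # hypothetical decoy name
    $guest = Get-BuiltinLocalAccount -Rid 501
    if ($guest.Enabled -and $PSCmdlet.ShouldProcess($guest.Name, 'Disable Guest')) {
        Disable-LocalUser -Name $guest.Name
    }
    if ($guest.Name -eq 'Guest' -and $PSCmdlet.ShouldProcess($guest.Name, "Rename to $NewName")) {
        Rename-LocalUser -Name $guest.Name -NewName $NewName
    }
}

function Disable-BuiltinAdministrator {
    # Day-to-day work uses an individual account; RID 500 stays disabled and is
    # enabled only for the task at hand, then disabled again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $admin = Get-BuiltinLocalAccount -Rid 500
    if ($admin.Enabled -and $PSCmdlet.ShouldProcess($admin.Name, 'Disable built-in Administrator')) {
        Disable-LocalUser -Name $admin.Name
    }
}

Get-BuiltinAccountStatus | Format-Table
Protect-GuestAccount -WhatIf
Disable-BuiltinAdministrator -WhatIf

# The domain Guest lives at <domain SID>-501; disable it as well
Import-Module ActiveDirectory
$domainGuest = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-501"
if ($domainGuest.Enabled) { Disable-ADAccount -Identity $domainGuest -WhatIf }
```

For a whole fleet, the same result is enforced centrally through the Security Options policies "Accounts: Guest account status" and "Accounts: Rename guest account"; the script is useful for verifying that the policy actually landed on a given machine.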

8 Don’t Let Groups Get Cluttered

Do you have groups with no active users that are not default Active Directory groups? If so, you should delete the entire group to mitigate any potential vulnerabilities. You should also consider consolidating near-empty groups whenever possible. On top of this, admins must also monitor admin group membership changes and remove any inactive accounts.
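As an added example (not from the original post), this PowerShell finds custom groups that have no enabled members (including groups that are empty outright) and stages them for deletion, skipping default groups by their isCriticalSystemObject flag. It assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post: list custom groups with no enabled
# members and stage their removal. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DeadGroups {
    # Default groups (Domain Admins, Domain Users, Builtin groups...) carry
    # isCriticalSystemObject = TRUE and are never candidates.
    Get-ADGroup -Filter * -Properties Members, isCriticalSystemObject, whenCreated, Description |
        Where-Object { -not $_.isCriticalSystemObject } |
        ForEach-Object {
            $group  = $_
            $active = 0
            foreach ($dn in @($group.Members)) {
                $m = Get-ADObject -Identity $dn -Properties userAccountControl
                # userAccountControl bit 0x2 = ACCOUNTDISABLE. Nested groups, contacts and
                # foreign security principals have no such bit and count as active, so a
                # parent of a live group is never flagged.
                if ($m.ObjectClass -eq 'group' -or -not ($m.userAccountControl -band 2)) { $active++ }
            }
            if ($active -eq 0) {
                [pscustomobject]@{
                    Name              = $group.Name
                    Members           = @($group.Members).Count
                    Created           = $group.whenCreated
                    Description       = $group.Description
                    DistinguishedName = $group.DistinguishedName
                }
            }
        }
}

function Remove-DeadGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($g in Get-DeadGroups) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Delete group ($($g.Members) members, none enabled)")) {
            Remove-ADGroup -Identity $g.DistinguishedName -Confirm:$false
        }
    }
}

Get-DeadGroups | Sort-Object Created | Format-Table Name, Members, Created, Description
Remove-DeadGroups -WhatIf
```

An empty group can still be referenced in file-share ACLs, GPO security filtering or application configuration, so check those references before removing the `-WhatIf`; a group with a Description that names an owner is a good sign that someone should be asked first.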

10 Use Reporting and Set Up Alerts to Audit Active Directory

Regularly auditing your Active Directory is essential, as it will help you spot manual errors or out-of-compliance users.

Goverlan Reach makes it easy to create reports on Active Directory objects. You can check the status of the user, account or password, the group memberships, as well as the last time a user logged in. As a result, you can create reports to pinpoint:

  • Users whose passwords never expire
  • Users who haven’t logged in for more than 90 days
  • Computers with no activity for more than 90 days
  • Disabled accounts
  • Changes made to user group memberships
  • Non-compliant local administrators

You can also create an IT Process Automation workflow to scan your Active Directory on a daily basis to detect out-of-compliance users or accounts. Upon discovery, an automated email can be sent to alert the admins or to create an incident management request in your ticketing system.
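As an added example (not from the original post, and not Goverlan Reach), the following PowerShell implements a daily compliance scan covering the report items listed above, including the stale accounts discussed in the "Purge Stale Accounts" section, and sends an e-mail alert when there is something to act on. It assumes the ActiveDirectory module, WinRM access to the scanned computers, and placeholder mail settings, host names and allowlist.

```powershell
# Added example, not from the original post: daily AD compliance scan with an
# e-mail alert. Assumes the ActiveDirectory module, WinRM to scanned hosts, and
# placeholder mail settings.
Import-Module ActiveDirectory

$InactiveDays = 90
$SnapshotDir  = "$env:ProgramData\adaudit"
$LocalAdminOk = '\\(Administrator|Domain Admins)$'   # hypothetical regex of allowed local admins

function Compare-AdminGroupSnapshot {
    # Diff today's membership against the saved copy; returns "added: x" / "removed: y" lines.
    param([string]$Group = 'Domain Admins')
    $path    = Join-Path $SnapshotDir (($Group -replace '\s', '_') + '.json')
    $current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName | Sort-Object)
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $changes = @()
    if (Test-Path $path) {
        $previous = @(Get-Content $path -Raw | ConvertFrom-Json)
        $changes  = @(foreach ($s in $current)  { if ($previous -notcontains $s) { "added: $s" } }) +
                    @(foreach ($s in $previous) { if ($current  -notcontains $s) { "removed: $s" } })
    }
    ConvertTo-Json -InputObject $current | Set-Content $path   # -InputObject keeps a 1-element array as an array
    $changes
}

function Get-NonCompliantLocalAdmins {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    # Invoke-Command tags each result with PSComputerName for the report
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass
    } | Where-Object { $_.Name -notmatch $LocalAdminOk }
}

function Get-ComplianceReport {
    param([string[]]$ComputerName = @())
    # lastLogonTimestamp replicates lazily (up to ~14 days behind), so 90 days is a floor, not an exact figure
    $span = New-TimeSpan -Days $InactiveDays
    [ordered]@{
        StaleUsers           = @(Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $span | Where-Object Enabled | ForEach-Object SamAccountName)
        StaleComputers       = @(Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $span | Where-Object Enabled | ForEach-Object Name)
        PasswordNeverExpires = @(Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} | ForEach-Object SamAccountName)
        DisabledUsers        = @(Search-ADAccount -UsersOnly -AccountDisabled | ForEach-Object SamAccountName)
        AdminGroupChanges    = @(Compare-AdminGroupSnapshot)
        LocalAdmins          = @(if ($ComputerName) {
                                   Get-NonCompliantLocalAdmins -ComputerName $ComputerName |
                                       ForEach-Object { "$($_.PSComputerName): $($_.Name)" } })
    }
}

function Send-ComplianceAlert {
    param($Report,
          [string]$To = 'it-security@example.com',     # placeholder
          [string]$From = 'ad-audit@example.com',      # placeholder
          [string]$SmtpServer = 'smtp.example.com')    # placeholder
    # Disabled accounts are informational; everything else needs action
    $actionable = 'StaleUsers', 'StaleComputers', 'PasswordNeverExpires', 'AdminGroupChanges', 'LocalAdmins'
    $total = ($actionable | ForEach-Object { $Report[$_].Count } | Measure-Object -Sum).Sum
    if ($total -eq 0) { return $false }
    $body = foreach ($k in $Report.Keys) {
        "$k ($($Report[$k].Count))"
        if ($actionable -contains $k) { $Report[$k] | ForEach-Object { "  - $_" } }
    }
    Send-MailMessage -To $To -From $From -SmtpServer $SmtpServer `
        -Subject "AD compliance: $total findings" -Body ($body -join "`n")
    return $true
}

$report = Get-ComplianceReport -ComputerName @('ws01', 'ws02')   # constructed host names
Send-ComplianceAlert -Report $report
```

Run it from a daily scheduled task under a least-privilege audit account. `Send-MailMessage` still ships with PowerShell but Microsoft has deprecated it, so for production replace that call with your mail gateway or ticketing API; the report object is already shaped for that.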

Following best practices is a good start to allow your team to keep a clean Active Directory. However, good housekeeping requires constant monitoring of actions taken to reduce the risk of manual errors or configuration drifts. Having a tool that allows you to easily create reports or automate processes can not only save you time, but also drastically improve security by enforcing IT compliance in your organization.
