Audit Active Directory
Active Directory security is not a single setting; it is a multifaceted collection of settings that can become very complex. Regardless of the size of the company, a firm grasp of Active Directory security settings is necessary to ensure a secure and stable IT infrastructure.
During the design phase of Active Directory, the security of Active Directory objects should be considered and documented. The objects that need to be considered for security include:
Domain controllers
Servers
Client computers
User accounts
Group accounts
OUs
GPOs
Directory administration for Windows Active Directory spans well beyond the Active Directory database. With Active Directory, security needs to be considered for all aspects of object management, GPO management, DNS management, and general domain controller management.
If the AD implementation is allowed to progress without considering the security related to delegation of administration, the process of rearranging the objects to support a desired delegation model becomes very difficult. There are general guidelines that you need to keep in mind as you consider the security of the directory administration:
The rules that applied to NT usually don’t apply to Win2K and WS2K3 AD. This idea is difficult for many companies and administrators to get past. Companies largely fail to consider this because the NT methods have been in place for years and seem to work well.
The AD security design needs to take full advantage of the power of AD. It is a shame for companies to spend so much time, effort, and money moving from NT to Win2K and WS2K3 AD and then not take advantage of the power that AD provides. The power of AD is in the ability to reduce the number of domains, which in turn reduces the number of domain controllers, administrators, and trusts (administrative overhead) and increases the ability to centrally administer the environment. The group