7 tips to simplify Active Directory management

Vivin Sathyan, Technical consultant, Active Directory Solutions

Post on 18-May-2018


Agenda

Part 1: Gaining insight on Active Directory

Part 2: Delegation demystified

Part 3: Let’s automate Active Directory

Questions and answers

Part 1: Gaining insight on Active Directory

Tip 1 – Check for nested groups

Avoid unnecessary elevation of permissions

Active Directory Users and Computers doesn’t give you enough visibility

Formatting issues with PowerShell

Nested groups

User’s direct groups User’s nested groups
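
The direct-versus-nested split for Tip 1, as an added example that is not from the original slides: it resolves nested membership over a constructed group map, tolerates circular nesting, and marks privileged groups reached only through nesting. The group names, the `Get-NestedGroup` helper and the privileged list are assumptions made for illustration.

```powershell
# Constructed sample data (not from the slides): group -> groups it is a member of.
$memberOf = @{
    'Helpdesk'           = @('Workstation Admins')
    'Workstation Admins' = @('Server Admins')
    'Server Admins'      = @('Domain Admins', 'Helpdesk')  # circular nesting, on purpose
    'Sales'              = @()
    'Domain Admins'      = @()
}
$directGroups = @('Helpdesk', 'Sales')   # the user's direct groups (constructed)
$privileged   = @('Domain Admins')       # groups this report treats as privileged

function Get-NestedGroup {
    # Hypothetical helper: breadth-first walk of memberOf,
    # returning the groups reached only through nesting.
    param([string[]]$Direct, [hashtable]$MemberOf)
    $cmp    = [System.StringComparer]::OrdinalIgnoreCase
    $seen   = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $queue  = [System.Collections.Generic.Queue[string]]::new()
    $nested = [System.Collections.Generic.List[string]]::new()
    foreach ($g in $Direct) { if ($seen.Add($g)) { $queue.Enqueue($g) } }
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        foreach ($parent in @($MemberOf[$current])) {
            # $seen stops circular nesting from looping forever
            if ($parent -and $seen.Add($parent)) {
                $nested.Add($parent)
                $queue.Enqueue($parent)
            }
        }
    }
    $nested
}

$nestedGroups = @(Get-NestedGroup -Direct $directGroups -MemberOf $memberOf)
$report = @(
    $directGroups | ForEach-Object { [pscustomobject]@{ Group = $_; Source = 'direct' } }
    $nestedGroups | ForEach-Object { [pscustomobject]@{ Group = $_; Source = 'nested' } }
) | Select-Object Group, Source, @{ n = 'Privileged'; e = { $_.Group -in $privileged } }
$report | Format-Table -AutoSize

# On a host with the ActiveDirectory module, the same split comes from
# (Get-ADUser <user> -Properties MemberOf).MemberOf for direct groups, and
# Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=<user DN>)" for direct plus nested.
```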

Tip 2 – Permission cleanup

Find out who has access to confidential data

What level of access?

Investigate subfolder permissions

Assign permissions only for appropriate users

Tip 3 – Users who have never logged on

A security issue

ADUC provides the option of saved queries

‘When created’ should be taken into consideration

Tip 4 – Privileged accounts with unchanged passwords

Chances of account compromise

Monitor the password activity

Force them to change password immediately

Part 2: Delegation demystified

Tip 5 – Have a checklist before delegating actions

Clarity of rights

Precise restrictions

Easy to revoke

Handle native permissions

Track changes

Delegation of control wizard - Microsoft

Shortcomings of the DoC wizard

Supports a small set of delegation tasks, by default

It’s a minute-to-minute delegation

Modify ACLs later, if required

No bird’s-eye view of delegation across your entire Active Directory

No way to “keep track” of what delegations you’ve done

View ACLs, if required

Roles: Task controllers

Keep track of the changes

Part 3: Let’s automate Active Directory

Tip 6 – Automate user provisioning

Options that native tools offer

What are the challenges?

Account provisioning checklist

An option to supervise account provisioning

Options that native tools offer

Active Directory Users and Computers

Scripts

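    # Bulk-create users from a CSV file (requires the ActiveDirectory module)
    Import-Module ActiveDirectory
    Import-Csv .\usercreationfile.csv | ForEach-Object {
        # Replace {domainname} with your own UPN suffix
        $userPrincipalName = $_.SamAccountName + "@{domainname}.com"
        # Note: every account gets the same hard-coded initial password, set never to expire
        New-ADUser -SamAccountName $_.SamAccountName -UserPrincipalName $userPrincipalName `
            -Name $_.name -DisplayName $_.name -GivenName $_.cn -SurName $_.sn `
            -Department $_.Department -Path "CN=Users,DC=biogen,DC=com" `
            -AccountPassword (ConvertTo-SecureString "Microsoft~1;" -AsPlainText -Force) `
            -Enabled $True -PasswordNeverExpires $True -PassThru
    }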

Sample script for user creation

What are the challenges?

The confirmation messages (success/failure) aren't helpful

Maintaining uniformity

Handling duplicate entries

Time consuming

Creating accounts (AD, Office 365, Exchange, Lync, Google Apps)

User creation templates

Automation: User creation

Tip 7 – Remove inactive objects

Benefits:

Improves security for your domain

Inactive user objects (Admin accounts)

Inactive computer objects (Avoid name conflicts)

Effective utilization of licenses (Applications that are licensed by number of users)

Create your own logic for automation

Supervise and execute automations

How to use ADManager Plus for

• User creation and modification

– Create a CSV file

– Use a template for creating accounts (Manual and automatic)

• Delegation

– Create a console for the HR

– Impose restrictions (OU, Group, Attribute level restrictions)

• Workflow

– HR raises a request; IT tech approves the request (after adding values)

Summary

Script-free methods for retrieving information

Non-invasive delegation model

Advanced account provisioning methods

Automating and supervising account de-provisioning in Active Directory

Time to choose the right tools!

Thank you
