Active Directory Maintenance & Clean-up

If you’re an Active Directory administrator dealing with Maintenance and Cleanup of your systems, you know what a daunting task it can be. To help, we’ve come up with a list of Best Practices / Tips that every admin should know:

Users – User objects are often tied directly to different application and service licensing agreements. Many organizations get around this issue by negotiating to an official employee count. Beyond licensing, user objects left in AD create overhead for directory backup, restore, and other application synchronization tasks. They make finding the right user more difficult, which leads to the wrong users being added to resources, security groups, and distribution groups.

The impact on your messaging environment includes a growing Global Address List, longer download times for mobile users, misdirected email messages, and extra disk space that's required for abandoned mailboxes and for system processing when email is returned from mailboxes that are at capacity. Cleaning up stale and unneeded user objects reduces operational impact and unintentional actions, improves the end user experience, and also reduces security exposure, since older accounts are prime targets for hackers.

TIP 1: Combat these risks by using each user object’s Last Logon to Domain timestamp as an indicator to find stale and unneeded employee, contractor, and service accounts.

TIP 2: Survey managers at least on an annual basis to re-certify these accounts and/or request permission to disable and/or delete them.

Computers – Computer objects are continually added for servers, workstations, and mobile devices. Much like user objects, these are usually tied directly to different application and service licensing agreements. Inaccurate system counts can lead to gross overpayments for applications and services. Active Directory is supposed to be the authoritative source for understanding and securing what's in your infrastructure, but when these stale objects are not maintained, the information becomes unreliable. Any application that relies on the systems stored within AD will begin to have issues finding and interacting with systems, which may cause failures or delays due to processing times. Cleaning up stale and unneeded computer objects reduces operational impact, administrative time, and unintentional actions. It also reduces security risk, as older accounts are prime targets for hackers.

TIP 3: Combat risk by using each computer object’s Last Logon to Domain timestamp as an indicator to find stale and unneeded servers, workstations, and mobile devices.

TIP 4: Survey managers at least on an annual basis to re-certify these accounts and/or request permission to disable and delete them.
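As an added example (not part of the original post), the following PowerShell script implements TIPs 1 through 4 with the RSAT ActiveDirectory module: it finds enabled user and computer objects whose replicated last-logon timestamp is older than a review window, writes one report for managers to re-certify, and disables (rather than deletes) the objects once the report has been reviewed. The 90-day window, the report path, and the `$WhatIfMode` switch are assumptions you would adjust to your own policy.

```powershell
# Added example: find and report stale user/computer objects by last logon to domain.
# Assumes the ActiveDirectory RSAT module and rights to read and modify the target objects.
Import-Module ActiveDirectory

$Threshold  = (Get-Date).AddDays(-90)          # assumed review window; adjust to policy
$ReportPath = "C:\Reports\StaleObjects.csv"    # assumed output path
$WhatIfMode = $true                            # report only; set to $false to actually disable

# LastLogonDate is the PowerShell view of lastLogonTimestamp, which is replicated to every
# DC but only refreshed when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default), so treat it as accurate to roughly two weeks. lastLogon itself is
# exact but per-DC and not replicated, so it is unsuitable for a domain-wide sweep.
# An object that has never logged on has a null LastLogonDate, which compares as "older"
# than the threshold; the whenCreated check keeps newly created accounts out of the report.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, whenCreated, Description |
    Where-Object { ($_.LastLogonDate -lt $Threshold) -and ($_.whenCreated -lt $Threshold) }

$staleComputers = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, whenCreated, OperatingSystem, Description |
    Where-Object { ($_.LastLogonDate -lt $Threshold) -and ($_.whenCreated -lt $Threshold) }

# One combined report so managers can re-certify from a single list (TIP 2 / TIP 4).
$report = @(
    @($staleUsers)     | Select-Object @{n='Type';e={'User'}},     Name, SamAccountName, LastLogonDate, whenCreated, Description
    @($staleComputers) | Select-Object @{n='Type';e={'Computer'}}, Name, SamAccountName, LastLogonDate, whenCreated, Description
)
$report | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("Stale users: {0}  Stale computers: {1}" -f @($staleUsers).Count, @($staleComputers).Count)

# Disable first, delete later: a disabled object can be re-enabled if a manager objects,
# whereas a deleted one loses its SID and group memberships. Record why it was disabled
# in the description so the next reviewer can see the history.
foreach ($obj in (@($staleUsers) + @($staleComputers))) {
    $note = "Disabled {0} - no domain logon since {1}" -f (Get-Date -Format 'yyyy-MM-dd'), $obj.LastLogonDate
    Set-ADObject -Identity $obj.DistinguishedName -Replace @{description = $note} -WhatIf:$WhatIfMode
    Disable-ADAccount -Identity $obj.DistinguishedName -WhatIf:$WhatIfMode
}
```

Run it with `$WhatIfMode = $true` to produce the re-certification report, and only flip it to `$false` after the managers' responses from the annual survey are in.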

TIP 5: Track and trend system administrators/custodians while systems are in production for reference when systems are offline, having issues, missing, or being retired.

Distribution Groups – Having an excessive amount of stale or unneeded Distribution Groups causes situations where mail can be misdirected, and increases the potential for security leaks, where sensitive information gets sent to inappropriate individuals, groups, or even outside parties.

TIP 6: Track and trend message logs to review who is sending to which distribution groups, as well as which distribution groups are no longer being sent to at all.

TIP 7: Review distribution groups that are nested inside other distribution groups, since they receive mail indirectly and will look unused in the direct-mailing statistics.

TIP 8: Survey managers at least on an annual basis to re-certify groups and their direct and effective membership, and/or request permission to delete any that are no longer needed.

Security Groups – Security Groups, together with user accounts, define what individuals have access to within the infrastructure, including computers, applications, and data. Stale or unneeded Security Groups in the environment create confusion, and often there's no oversight to ensure that direct and effective group memberships are accurate.

TIP 9: Review the last Direct or Effective Member Change Date as an indicator of security groups that have gotten stale or are no longer needed.

TIP 10: Survey managers at least on an annual basis to re-certify groups, their direct and effective membership, and/or request permission to delete any that are no longer needed.

To see the rest of the tips, an introduction to Active Directory Cleanup, and an overview of how tools like StealthAUDIT can help you with your maintenance processes, visit our Active Directory Management and Security page.
