In my first post in this series, I explained what Active Directory (AD) is and what it’s used for. We saw that, basically, Active Directory is a database and set of services that help users get their work done in an on-premises Microsoft IT environment. Today, let’s explore some common Active Directory management tasks.
Designing and setting up Active Directory
As we saw in the last post, the basic unit of AD management is the domain — a group of related users, computers, printers and other AD objects stored in a single AD database. Domains should be fairly stable entities. For example, you might have a domain for your company’s Chicago office and a separate domain for your San Francisco office. Since a domain is a management boundary, your Chicago admins can’t delete users from your San Francisco domain, and your SF admins can’t muck around with the permissions of users in the Chicago domain.
To simplify Active Directory management, the objects in a domain are usually grouped into organizational units (OUs). OUs often mirror the organization’s structure; for instance, you might have an OU for each department in your Chicago office: Sales, Marketing, IT, Legal and so on. OUs can also be more temporary — you might create OUs for different projects and dissolve them when the projects are over.
Keeping your Active Directory clean and healthy
Of course, an IT environment is a dynamic place; you can’t simply set up your Active Directory and forget it, no matter how perfectly you plan your schema, domains, OUs and so on. Users, computers, printers and other AD objects come and go, so you’ll have regular provisioning and deprovisioning tasks to do. You should also regularly identify inactive user and computer accounts so you can clean them up before they are misused. It’s also smart to remind users to change their passwords before they expire so they don’t lose access and bombard the helpdesk with requests for password resets.
More broadly, you also need to monitor the health of your domain controllers and the replication of data between them. Otherwise, users might well experience problems logging in or accessing the resources they need to do their jobs.
Microsoft provides several Active Directory management tools, including Active Directory Users and Computers (ADUC), Local Users and Groups, and the Active Directory Schema snap-ins for Microsoft Management Console (MMC). However, the functionality of native tools is limited; it’s awkward at best to keep switching between tools; and tasks are often manual, time-consuming and error-prone.
Quest Active Administrator fills the gaps native Active Directory admin tools leave behind, enabling you to manage your Active Directory faster and more easily, all from a single pane of glass. In particular, you can automate user account provisioning and deprovisioning, audit and alert on changes to AD, and monitor and manage your DCs. Moreover, Active Administrator enables you to securely delegate AD administrative tasks, so you can split up the work of Active Directory management without giving all your admins privileges to do whatever they want across the domain.
Managing Group Policy
Another critical aspect of Active Directory management is managing Group Policy. Group Policy is a set of policies, called Group Policy objects (GPOs), that can be applied to an entire domain or just to certain OUs. For instance, you can use Group Policy to require all users in your Chicago domain to use complex passwords, or to disallow the use of removable media on all the computers in the Finance OU in the Chicago domain. Microsoft provides hundreds of GPOs you can configure; here are just a few of things you can do:
- Disable PST file creation
- Add frequently used sites to users’ browsers
- Map useful network drives
- Set custom registry values on all computers
- Deploy standard software to all computers
- Run certain scripts on computer startup or shutdown or user login or logout
Group Policy is extremely powerful, so it’s critical to set it up right and carefully manage changes to it. A single improper change to a GPO could lead to downtime or a security breach. Unfortunately, native tools don’t make it easy to keep Group Policy under control.
Quest offers two tools that simplify and streamline Group Policy management. Active Administrator, which I mentioned above, enables you to edit and test GPOs in a secure offline environment and easily roll back a GPO to a previous known state, so you can quickly recover from any errant modifications or unexpected effects.
We also offer a tool purpose-built for Group Policy management: GPOADmin. This award-winning solution automates critical Group Policy management tasks to reduce costs and eliminate manual processes. You can compare versions of a GPO side by side to verify settings, quickly roll back to a known good GPO version, lock certain GPOs or GPO settings so they cannot be changed, and much more. You can even establish an approval-based workflow for GPO management, complete with email-based approval or rejection and rollout scheduling. Plus, GPOADmin can optionally extend the Microsoft Group Policy Management Console (GPMC) so you can use a familiar interface for GPO management.
Backup and recovery
Last but by no means least, proper Active Directory management requires reliable backup and recovery. To ensure productivity and business continuity, you need to be able to regularly back up your AD and be able to quickly restore particular settings or attributes, entire AD objects, an entire domain, or even the entire forest. While the AD Recycle Bin enables quick recovery of some recently deleted objects, it is not — and was never meant to be — an enterprise backup and recovery solution.
Recovery Manager for Active Directory is. Reliable, automated backups ensure you have a recent copy of your invaluable Active Directory data, and automated, granular recovery capabilities ensure you can quickly restore users, groups, attributes, permissions and more — without taking Active Directory offline. You’ll be equally well prepared for a minor error on the part of an admin and for a major disaster or AD corruption. With Recovery Manager, you can also create a virtual lab to test your disaster recovery plan and provide stakeholders with detailed reports on a recovery effort.