Maintaining a Tidy Active Directory Structure

Record owners of distribution groups

A problem we faced at the company I worked for was the lack of a recorded owner for distribution groups, particularly those with no common theme such as all users in a single department or all users on the sixth floor. When IT was asked to add or remove a user from such a group, it was difficult to tell whether permission was required, since confidential information might be shared on the list. This was a holdover from a time when the company was smaller and had a smaller service desk, and from a lack of policies or procedures.

Knowing the owner of a distribution group is important, but it is also vital to update the recorded owner if that person leaves. It is also useful to record a backup contact who can take over the distribution list if the owner is on holiday or maternity leave.

Where possible it may also be preferable to let the manager of the distribution list update its membership themselves rather than routing every change through IT, though this is probably best left to those staff who are somewhat IT literate.
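The three points above (record the owner, catch owners who have left, and let the owner maintain membership) map directly onto AD attributes and ACLs. The following is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module and its AD: drive, and the group and user names in the usage lines are hypothetical. The owner goes in managedBy, the backup contact in the info (Notes) attribute, and "manager can update membership" is implemented as a single WriteProperty ACE on the member attribute rather than broader rights on the group.

```powershell
# Added example: distribution group ownership hygiene (not from the original post).
# Assumes the ActiveDirectory module; run as an account that can edit group ACLs.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute. Granting WriteProperty on this one
# attribute is what the "Manager can update membership list" checkbox does.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d1-a285-00aa003049e2'

function Get-OrphanedDistributionGroup {
    # Report distribution groups with no owner, or whose owner is gone/disabled.
    Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -Properties ManagedBy |
        ForEach-Object {
            $group = $_
            $state = 'OK'
            if (-not $group.ManagedBy) {
                $state = 'NoOwner'
            } else {
                # managedBy may point at a user or a group, so look it up generically.
                $owner = Get-ADObject -Identity $group.ManagedBy -Properties userAccountControl -ErrorAction SilentlyContinue
                if (-not $owner) {
                    $state = 'OwnerMissing'
                } elseif ($owner.ObjectClass -eq 'user' -and ($owner.userAccountControl -band 2)) {
                    # 0x2 is ACCOUNTDISABLE: the recorded owner has left.
                    $state = 'OwnerDisabled'
                }
            }
            [pscustomobject]@{ Group = $group.Name; Owner = $group.ManagedBy; State = $state }
        } | Where-Object State -ne 'OK'
}

function Set-DistributionGroupOwner {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $OwnerSamAccountName,
        [string] $BackupContactSamAccountName,
        [switch] $OwnerCanUpdateMembers
    )
    $group = Get-ADGroup -Identity $GroupName
    $owner = Get-ADUser  -Identity $OwnerSamAccountName

    # Record the owner in managedBy; the backup contact goes in 'info' (Notes).
    Set-ADGroup -Identity $group -ManagedBy $owner.DistinguishedName
    if ($BackupContactSamAccountName) {
        $backup = Get-ADUser -Identity $BackupContactSamAccountName
        Set-ADGroup -Identity $group -Replace @{ info = "Backup contact: $($backup.SamAccountName)" }
    }

    if ($OwnerCanUpdateMembers) {
        # Delegate WriteProperty on 'member' only; no other rights on the group.
        $path = "AD:\$($group.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $owner.SID,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $MemberAttributeGuid)
        $acl.AddAccessRule($ace)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Usage (hypothetical names):
# Get-OrphanedDistributionGroup | Format-Table
# Set-DistributionGroupOwner -GroupName 'Wakefield Litigation Secretaries' `
#     -OwnerSamAccountName 'jsmith' -BackupContactSamAccountName 'abrown' -OwnerCanUpdateMembers
```

Run the audit function on a schedule: a group whose owner is disabled is exactly the case the text warns about, and it is the point at which the backup contact should be promoted. Keep the delegated right to the member attribute; granting the owner generic write on the group would also let them change managedBy, the ACL and mail attributes.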

Maintain sane names for distribution and security groups

Security groups should be clearly named; that is a given. Another holdover from the time when the company was smaller was the inconsistent naming of groups.

Distribution groups were often named at the whim of whoever asked the service desk to set one up, and many of the names were years old. Operate on a common naming scheme such as (Office) (Department) (Role) or similar, for example Wakefield Litigation Secretaries or Hull Facilities Team Leads.

Place computers in the correct OU

A simple one, but the company I worked for struggled with this. Partly this was an unwillingness to grant technicians appropriate permissions, meaning others were required to move computers to the correct location, delete them from AD when necessary, and so on.

Separating by office, floor, department, etc. is useful; however, maintaining the structure in future and verifying it for correctness is equally important.
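The permissions problem and the verification problem can both be handled without handing technicians domain-wide rights. Below is an added example, not the original author's code, that delegates create, delete and manage rights for computer objects only, on a workstation OU only, and then reports computers that are not under any of the expected OUs. The OU paths and the technicians group name are assumptions; the schema GUID is the standard one for the computer class.

```powershell
# Added example: delegate computer-object management to technicians and audit placement.
# Assumes the ActiveDirectory module; OU DNs and group names below are hypothetical.
Import-Module ActiveDirectory

# Schema class GUID of 'computer' objects (default AD schema).
$ComputerClassGuid = [guid]'bf967a86-0de6-11d1-a285-00aa003049e2'

function Grant-ComputerObjectDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $TechniciansGroup
    )
    $sid  = (Get-ADGroup -Identity $TechniciansGroup).SID
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path

    # Create/delete computer objects in this OU and its child OUs. Moving a computer
    # between OUs needs DeleteChild on the source and CreateChild on the destination,
    # so apply this to every workstation OU the technicians are expected to manage.
    $createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
         [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # Full control over existing computer objects (rename, reset, disable), but the
    # inherited-object-type limits it to computer objects, not users or groups.
    $manage = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClassGuid)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($manage)
    Set-Acl -Path $path -AclObject $acl
}

function Get-MisplacedComputer {
    # Computers whose parent container is not beneath one of the expected OUs
    # (typically still in the default Computers container or dropped at the root).
    param([Parameter(Mandatory)] [string[]] $ExpectedOuDistinguishedNames)
    Get-ADComputer -Filter * -Properties whenCreated |
        Where-Object {
            $parent = $_.DistinguishedName -replace '^CN=[^,]+,', ''
            -not ($ExpectedOuDistinguishedNames | Where-Object { $parent -like "*$_" })
        } |
        Select-Object Name, DistinguishedName, whenCreated
}

# Usage (hypothetical DNs):
# Grant-ComputerObjectDelegation -OuDistinguishedName 'OU=Workstations,DC=example,DC=com' -TechniciansGroup 'Service Desk Technicians'
# Get-MisplacedComputer -ExpectedOuDistinguishedNames 'OU=Workstations,DC=example,DC=com','OU=Domain Controllers,DC=example,DC=com'
```

Scope matters here: GenericAll on a computer object allows writing every attribute of it, including the ones used for delegation, so link this only to OUs that hold workstations, never to OUs containing servers or domain controllers.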

Use and enforce correct asset tags

A company we merged with had a simple domain setup, but every computer had been given the name of its user (e.g. DWILSON, MBEMBRIDGE). This works to some extent in a small office, where a user will more than likely always use the same computer, but it does not scale to even medium-sized enterprises, let alone large ones.

Another problem was that some technicians had a habit of appending letters to asset tags (e.g. M456 became M456b) because they lacked permission to delete the existing computer object from AD, so the original name was still taken. The root cause was not allowing technicians to delete from Active Directory.
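Both the group naming scheme from the earlier section and the asset tag rule here come down to "does the name match a pattern", and the drift described (suffixed tags, username-style names, groups with no office) is easy to report on. This is an added example, not from the original post; the office list, the exact regular expressions and the sample names are constructed, and in production the names would come from Get-ADGroup and Get-ADComputer rather than the inline arrays.

```powershell
# Added example: naming-scheme audit for groups and computer asset tags.
# Offices and patterns are hypothetical; adjust to the organisation's scheme.
$Offices = @('Wakefield', 'Hull', 'Leeds')

# (Office) (Department) (Role); the role may be more than one word.
$GroupNamePattern = '^(?<Office>' + ($Offices -join '|') + ') (?<Department>[A-Z][A-Za-z]+) (?<Role>[A-Z][A-Za-z]+( [A-Z][A-Za-z]+)*)$'

# Asset tag: one upper-case prefix letter and 3-6 digits, nothing appended.
$AssetTagPattern = '^[A-Z]\d{3,6}$'

# -cmatch is used throughout: -match is case-insensitive and would accept 'm456'.
function Test-GroupName { param([string] $Name) $Name -cmatch $GroupNamePattern }
function Test-AssetTag  { param([string] $Name) $Name -cmatch $AssetTagPattern }

function Get-NonConformingName {
    param([string[]] $GroupNames, [string[]] $ComputerNames)
    foreach ($g in $GroupNames) {
        if (-not (Test-GroupName $g)) {
            [pscustomobject]@{ Type = 'Group'; Name = $g; Reason = 'does not match (Office) (Department) (Role)' }
        }
    }
    foreach ($c in $ComputerNames) {
        if (-not (Test-AssetTag $c)) {
            $reason = if ($c -cmatch '^[A-Z]\d{3,6}[A-Za-z]$') { 'letter appended to an existing asset tag' }
                      elseif ($c -cmatch '^[A-Z]+$')           { 'looks like a username, not an asset tag' }
                      else                                     { 'does not match asset tag pattern' }
            [pscustomobject]@{ Type = 'Computer'; Name = $c; Reason = $reason }
        }
    }
}

# Constructed sample data (not real directory content):
$sampleGroups    = 'Wakefield Litigation Secretaries', 'Hull Facilities Team Leads', 'Sixth Floor', 'litigation-secs'
$sampleComputers = 'M456', 'M456b', 'DWILSON', 'M1234'
Get-NonConformingName -GroupNames $sampleGroups -ComputerNames $sampleComputers | Format-Table -AutoSize

# Live run against the directory:
# Get-NonConformingName -GroupNames (Get-ADGroup -Filter *).Name -ComputerNames (Get-ADComputer -Filter *).Name
```

With the sample data this reports Sixth Floor and litigation-secs as non-conforming groups, M456b as a suffixed tag and DWILSON as a username-style computer name, while M456 and M1234 pass. Pair the report with the delegation fix above the naming section: as long as technicians cannot delete the stale M456 object, flagging M456b only tells them what they already know.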

Use sensible container structures

Creating too many OUs can cause as many problems as too few, so only create new OUs when required. For example, one OU per office in a single city is far easier to maintain than all objects in a single OU.

Redirect new computers and users

It is highly recommended to redirect newly created computers and users to a holding container. The default Users and Computers containers are not OUs, so Group Policy cannot be linked to them; objects created there have no policies applied and are probably not in the correct place within a well-designed AD structure. They should be moved to the correct location before the machine is set up for a user.
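Redirection is done with the built-in redircmp and redirusr tools, which change the domain's default containers. The following added example (not the original author's code) creates the holding OUs, performs the redirection, verifies it via Get-ADDomain, and lists objects that have sat in the holding OUs too long, which is the check that catches machines set up for users before being moved. The OU names and the seven-day threshold are assumptions; the commands need Domain Admin rights.

```powershell
# Added example: redirect new objects to holding OUs and check nothing is left there.
# Assumes the ActiveDirectory module and Domain Admin rights. OU names are hypothetical.
Import-Module ActiveDirectory
$domain = Get-ADDomain

$HoldingComputersOu = "OU=Holding-Computers,$($domain.DistinguishedName)"
$HoldingUsersOu     = "OU=Holding-Users,$($domain.DistinguishedName)"

function New-HoldingOuIfMissing {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    try {
        Get-ADOrganizationalUnit -Identity $DistinguishedName | Out-Null
    } catch {
        $name = $DistinguishedName -replace '^OU=([^,]+),.*$', '$1'
        # Unlike the default containers, an OU can have a restrictive GPO linked to it.
        New-ADOrganizationalUnit -Name $name -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
    }
}

New-HoldingOuIfMissing -DistinguishedName $HoldingComputersOu
New-HoldingOuIfMissing -DistinguishedName $HoldingUsersOu

# Point the domain's default computer and user containers at the holding OUs.
redircmp.exe $HoldingComputersOu
redirusr.exe $HoldingUsersOu

# Verify: these should now show the holding OUs, not CN=Computers / CN=Users.
$domain = Get-ADDomain
$domain.ComputersContainer
$domain.UsersContainer

function Get-StaleHoldingObject {
    # Objects still in a holding OU after the grace period: nobody has placed them yet.
    param([int] $OlderThanDays = 7)
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    @(Get-ADComputer -Filter * -SearchBase $HoldingComputersOu -Properties whenCreated) +
    @(Get-ADUser     -Filter * -SearchBase $HoldingUsersOu     -Properties whenCreated) |
        Where-Object whenCreated -lt $cutoff |
        Select-Object ObjectClass, Name, whenCreated
}

# Usage:
# Get-StaleHoldingObject -OlderThanDays 7 | Format-Table -AutoSize
```

Link a deliberately restrictive GPO to the holding OUs so that a machine someone forgets to move is locked down rather than unpoliced; the stale-object report then becomes the queue of things the service desk still has to place.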

Establish procedures for users leaving

This will depend very much on the rules of the company you work for. It is strongly suggested that users are not deleted as soon as they leave, since this could cause problems later if someone needs access to the account or its data. Audit trails may also prove more difficult to follow if the account no longer exists.

A common approach is to disable the account when a person leaves, then delete it once a time threshold such as six months or one year is reached. It is also recommended to move leavers to a dedicated OU where restrictive policies apply.
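The procedure above (disable, record the leaving date, move to a leavers OU, delete after a threshold) can be made repeatable so that the retention sweep relies on data the offboarding step wrote. This is an added example, not the original post's code; the Leavers OU path and the 180-day retention are assumptions, and the removal of group memberships is an extra step included here so that a disabled account re-enabled by mistake confers no access.

```powershell
# Added example: leaver offboarding and retention sweep.
# Assumes the ActiveDirectory module; the OU and retention period are hypothetical.
Import-Module ActiveDirectory
$LeaversOu     = 'OU=Leavers,DC=example,DC=com'   # restrictive GPOs linked here
$RetentionDays = 180                              # six months, as in the text

function Disable-LeaverAccount {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName -Properties Description, MemberOf
    $stamp = (Get-Date).ToString('yyyy-MM-dd')

    Disable-ADAccount -Identity $user
    # Stamp when and by whom, in a fixed format the sweep below can parse.
    Set-ADUser -Identity $user -Description "LEFT $stamp by $env:USERNAME; was: $($user.Description)"

    # Remove group memberships (MemberOf excludes the primary group, Domain Users).
    # Previous membership remains in the directory audit log if it is ever needed.
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # Move last: the object's DN is still valid for the calls above.
    Move-ADObject -Identity $user -TargetPath $LeaversOu
}

function Get-LeaverDueForDeletion {
    # Disabled accounts in the Leavers OU whose recorded leaving date is past retention.
    $cutoff = (Get-Date).AddDays(-$RetentionDays)
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $LeaversOu -Properties Description |
        Where-Object { $_.Description -match '^LEFT (\d{4}-\d{2}-\d{2})' -and [datetime]$Matches[1] -lt $cutoff } |
        Select-Object SamAccountName, Description
}

# Usage (hypothetical account):
# Disable-LeaverAccount -SamAccountName 'jsmith'
# Get-LeaverDueForDeletion | ForEach-Object { Remove-ADUser -Identity $_.SamAccountName -Confirm }
```

Keep the deletion step interactive or at least reviewed; with the AD Recycle Bin enabled a deleted user is recoverable only for the deleted-object lifetime, after which the account and its SID history are gone for good.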