Post on 18-May-2018
7 tips to simplify Active Directory management
Vivin Sathyan, Technical consultant, Active Directory Solutions
Agenda
Part 1: Gaining insight on Active Directory
Part 2: Delegation demystified
Part 3: Let’s automate Active Directory
Question and answers
Tip 1 – Check for nested groups
Avoid unnecessary elevation of permissions
Active Directory Users and Computers doesn’t give you enough visibility
Formatting issues with PowerShell
Tip 2 – Permission cleanup
Find out who has access to confidential data
What level of access?
Investigate subfolder permissions
Assign permissions only for appropriate users
Tip 3 – Users who have never logged on
A security issue
ADUC provides the option of saved queries
‘When created’ should be taken into consideration
Tip 4 – Privileged accounts with unchanged passwords
Chances of account compromise
Monitor the password activity
Force them to change password immediately
Tip 5 – Have a checklist before delegating actions
Clarity of rights
Precise restrictions
Easy to revoke
Handle native permissions
Track changes
Shortcomings of the DoC wizard
Supports a small set of delegation tasks, by default
It’s a minute-to-minute delegation
Modify ACLs later, if required
No bird’s-eye view of delegation across your entire Active Directory
No way to “keep track” of what delegations you’ve done
View ACLs, if required
Tip 6 – Automate user provisioning
Options that native tools offer
What are the challenges?
Account provisioning checklist
An option to supervise account provisioning
Import-Csv .\usercreationfile.csv | ForEach-Object {
    # Build the UPN; replace {domainname} with your own domain name
    $userprincipalname = $_.SamAccountName + "@{domainname}.com"
    # Every account gets the same initial password, set never to expire
    New-ADUser -SamAccountName $_.SamAccountName -UserPrincipalName $userprincipalname `
        -Name $_.name -DisplayName $_.name -GivenName $_.cn -SurName $_.sn `
        -Department $_.Department -Path "CN=Users,DC=biogen,DC=com" `
        -AccountPassword (ConvertTo-SecureString "Microsoft~1;" -AsPlainText -Force) `
        -Enabled $True -PasswordNeverExpires $True -PassThru
}
Sample script for user creation
What are the challenges?
The confirmation messages (success/failure) aren't helpful
Maintaining uniformity
Handling duplicate entries
Time consuming
Creating accounts (AD, Office 365, Exchange, Lync, Google apps.)
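The challenges listed above (unhelpful confirmation messages, uniformity, duplicate entries) can be handled in the import loop itself. The following is an added example, not part of the original slides: the CSV column names, the UPN suffix, the target OU and the handover process (accounts created disabled, password reset by the helpdesk) are assumptions.

```powershell
# Added example, not from the original slides. Assumptions (hypothetical):
# CSV columns SamAccountName, Name, GivenName, Surname, Department;
# the UPN suffix and target OU below.
Import-Module ActiveDirectory
$UpnSuffix = 'example.com'
$TargetOu  = 'OU=Staff,DC=example,DC=com'

function New-RandomPassword {
    # 20 characters from a CSPRNG, retried until lower, upper and digit are present
    $chars = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%+-='
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 20
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    $pw
}

$results = foreach ($row in Import-Csv .\usercreationfile.csv) {
    $sam = "$($row.SamAccountName)".Trim()
    $status = 'Created'; $detail = ''
    try {
        if ($sam -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            # Uniformity: reject names outside the agreed pattern before touching AD
            $status = 'Rejected'; $detail = 'sAMAccountName fails naming rule'
        } elseif (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
            # Duplicates: covers existing accounts and repeated rows in the CSV
            $status = 'Skipped'; $detail = 'account already exists'
        } else {
            # The random password is never stored; the account stays disabled
            # until the helpdesk resets it at handover (assumed process)
            $pw = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
            New-ADUser -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" `
                -Name $row.Name -DisplayName $row.Name -GivenName $row.GivenName `
                -Surname $row.Surname -Department $row.Department -Path $TargetOu `
                -AccountPassword $pw -ChangePasswordAtLogon $true -Enabled $false `
                -ErrorAction Stop
        }
    } catch {
        $status = 'Failed'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ SamAccountName = $sam; Status = $status; Detail = $detail }
}
# One row per CSV entry, so every success, skip and failure is accounted for
$results | Export-Csv .\provisioning-report.csv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```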
Tip 7 – Remove inactive objects
Benefits:
Improves security for your domain
Inactive user objects (Admin accounts)
Inactive computer objects (Avoid name conflicts)
Effective utilization of licenses (Applications that are licensed by number of users)
How to use ADManager Plus for
• User creation and modification
– Create a CSV file
– Use a template for creating accounts (Manual and automatic)
• Delegation
– Create a console for the HR
– Impose restrictions (OU, Group, Attribute level restrictions)
• Workflow
– HR raises a request; IT Tech approves the request (after adding values)
Summary
Script-free methods for retrieving information
Non-invasive delegation model
Advanced account provisioning methods
Automating and supervising account de-provisioning in Active Directory