Wednesday, May 12, 2010

Active Directory Maintenance & Cleanup

If you're an Active Directory administrator dealing with Maintenance and Cleanup of your systems, you know what a daunting task it can be. To help, we've come up with a list of Best Practices / Tips that every admin should know:


Users

User objects are often tied directly to application and service licensing agreements, and many organizations get around this issue by negotiating licenses against an official employee count. Beyond licensing, stale user objects left in AD create overhead for directory backup, restore, and application synchronization tasks. They make finding the right user more difficult, which leads to the wrong users being added to resources, security groups, and distribution groups. The impact on your messaging environment includes a growing Global Address List, longer download times for mobile users, misdirected email messages, and the extra disk space required for abandoned mailboxes, plus the system processing spent returning email from mailboxes that are at capacity. Cleaning up stale and unneeded user objects reduces operational overhead, improves the end-user experience, prevents unintentional actions, and reduces security exposure, since older accounts are prime targets for attackers.

Tip 1: Combat these risks by using each user object’s Last Logon to Domain timestamp as an indicator to find stale and unneeded employee, contractor, and service accounts.

Tip 2: Survey managers at least annually to re-certify these accounts and/or request permission to disable and/or delete them.

Computers

Computer objects are continually added for servers, workstations, and mobile devices. Much like user objects, they are usually tied directly to application and service licensing agreements, and inaccurate system counts can lead to gross overpayments for applications and services. Active Directory is supposed to be the authoritative source for understanding and securing what’s in your infrastructure, but when stale objects are not maintained, that information becomes unreliable. Any application that relies on the systems stored within AD will then have trouble finding and interacting with them, causing failures or delays while it works through objects that no longer exist. Cleaning up stale and unneeded computer objects reduces operational impact, administrative time, and unintentional actions. It also reduces security risk, as older accounts are prime targets for attackers.

Tip 3: Combat these risks by using each computer object’s Last Logon to Domain timestamp as an indicator to find stale and unneeded servers, workstations, and mobile devices.
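Tips 1 and 3 both hinge on the replicated Last Logon timestamp. The following added example (not from this post or from StealthAUDIT) classifies user and computer objects from an already-exported attribute set, converting lastLogonTimestamp from its FILETIME form and allowing for the fact that the attribute can lag real activity by the msDS-LogonTimeSyncInterval (assumed at its 14-day default); the account names and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimestamp is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# The attribute is only rewritten (and so replicated) when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so the true last logon may be newer.
REPLICATION_SLACK = timedelta(days=14)

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD large-integer timestamp to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, done in integers so the round trip is exact."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form AD uses for whenCreated, e.g. 20100512083000.0Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)

def classify(obj: dict, now: datetime, inactive_days: int = 90) -> str:
    """Return 'active', 'stale', 'never-logged-on' or 'new' for one user or computer object."""
    if timedelta(days=inactive_days) <= REPLICATION_SLACK:
        raise ValueError("inactivity window must be longer than the replication interval")
    cutoff = now - timedelta(days=inactive_days)
    ticks = obj.get("lastLogonTimestamp", 0)
    if ticks == 0:
        # No logon has ever replicated: a freshly created object is not stale, an old one is.
        return "new" if parse_generalized_time(obj["whenCreated"]) >= cutoff else "never-logged-on"
    # Subtract the slack so an object is only reported stale when even the most recent
    # logon the attribute could be hiding still falls outside the inactivity window.
    return "stale" if filetime_to_datetime(ticks) < cutoff - REPLICATION_SLACK else "active"

def find_stale(objects: dict, now: datetime, inactive_days: int = 90) -> dict:
    """Map each sAMAccountName in an export to its status."""
    return {name: classify(attrs, now, inactive_days) for name, attrs in objects.items()}

# Constructed sample export with a fixed "now" so the results are reproducible.
NOW = datetime(2010, 5, 12, tzinfo=timezone.utc)
SAMPLE_OBJECTS = {
    "alice":      {"lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=10)), "whenCreated": "20080101090000.0Z"},
    "bob":        {"lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=95)), "whenCreated": "20080101090000.0Z"},
    "svc-backup": {"lastLogonTimestamp": datetime_to_filetime(NOW - timedelta(days=200)), "whenCreated": "20080101090000.0Z"},
    "WS-LAB-07$": {"lastLogonTimestamp": 0, "whenCreated": "20080301120000.0Z"},  # never logged on, two years old
    "WS-NEW-01$": {"lastLogonTimestamp": 0, "whenCreated": "20100509120000.0Z"},  # created three days ago
}
```

Objects reported as stale or never-logged-on are candidates for the manager survey in Tips 2 and 4, not for immediate disabling.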

Tip 4: Survey managers at least annually to re-certify these accounts and/or request permission to disable and delete them.

Tip 5: Track and trend the system administrators/custodians of each system while it is in production, so that you have a point of contact when the system is offline, having issues, missing, or being retired.

Distribution Groups

Having an excessive number of stale or unneeded Distribution Groups leads to situations where mail is misdirected, and increases the potential for security leaks, where sensitive information is sent to inappropriate individuals, groups, or even outside parties.

Tip 6: Track and trend message logs to review who is sending to which distribution groups, as well as which distribution groups are no longer being sent to at all.

Tip 7: Review distribution groups that are nested inside other distribution groups, since mail addressed to the parent group will not show up in the nested group’s direct mailing statistics.

Tip 8: Survey managers at least annually to re-certify groups and their direct and effective membership, and/or request permission to delete any that are no longer needed.

Security Groups

Security Groups, together with the user accounts in them, define what individuals have access to within the infrastructure—including computers, applications, and data. Stale or unneeded Security Groups create confusion, and often there’s no oversight to ensure that direct and effective group memberships are accurate.

Tip 9: Review the last Direct or Effective Member Change Date as an indicator of security groups that have gone stale or are no longer needed.

Tip 10: Survey managers at least annually to re-certify groups and their direct and effective membership, and/or request permission to delete any that are no longer needed.

To see the rest of the tips, an introduction to Active Directory Cleanup, and an overview of how tools like StealthAUDIT can help you with your maintenance processes, visit our Active Directory page!