Happy Thanksgiving! I hope everyone reading enjoys too much turkey, ham (my favorite), stuffing (my favorite), mashed potatoes, sweet potatoes (my favorite), and pie. I also hope you are able to spend time with those who you have not seen much of over the year due to work and distance.
This week, I want to plant a seed for you admins who work in an environment where most of the employees will be off work, but you must stay and keep the technology up and running because the company must still make money and some employees are still working. I remember when I was in this position, and it was rather boring. So, instead of being bored, why not take a few administrative actions on Active Directory that will make you feel as if you accomplished something (which you will) and also give you peace of mind as you move into 2015?
Back Up Your Group Policy Objects (GPOs)
I find that many administrators have not backed up their GPOs. I feel that two tasks should be done around this, not just one. Both are VERY SIMPLE and will take no time at all. The end result could save you months of time trying to recover. First, use the GPMC or the GPMC scripts to back up your GPOs. This will create a backed up version of each GPO and store it in a folder somewhere of your choosing on the network. Second, create a report of each GPO, again either using the GPMC or a GPMC script. This will give you an HTML version of each GPO, in case you have to recreate one or more GPOs from a disaster that occurs.
Clean Up Privileged Groups
There is always a little drift with your privileged groups. There is no need to go into why it occurs; we all know there is a rather large list there. Instead, just go through and ensure that the privileged groups are lean and true. The groups that I highly recommend include:
– Enterprise Admins (actually I suggest this group be empty!)
– Schema Admins (again, empty on a daily basis!)
– Domain Admins
– Administrators
– Group Policy Creator Owners
– DNSAdmins
– Account Operators (I prefer you don’t use this group in lieu of delegation!)
– Third-party privileged groups (SQL, Exchange, SCCM, etc.)
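One way to run this review from PowerShell, as an added example that is not the author's own script. It assumes the ActiveDirectory module (RSAT) is installed and that you run it in the forest root domain; the `ExpectEmpty` flags are an interpretation of the recommendations in the list above, and the output file name is a placeholder.

```powershell
# Added example: list the effective members of the privileged groups named above.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# ExpectEmpty is this example's reading of the post's recommendations.
$groups = @(
    @{ Name = 'Enterprise Admins';           ExpectEmpty = $true  }
    @{ Name = 'Schema Admins';               ExpectEmpty = $true  }
    @{ Name = 'Domain Admins';               ExpectEmpty = $false }
    @{ Name = 'Administrators';              ExpectEmpty = $false }
    @{ Name = 'Group Policy Creator Owners'; ExpectEmpty = $false }
    @{ Name = 'DnsAdmins';                   ExpectEmpty = $false }
    @{ Name = 'Account Operators';           ExpectEmpty = $true  }
    # Add your third-party privileged groups (SQL, Exchange, SCCM, etc.) here.
)

$report = foreach ($g in $groups) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        $members = @(Get-ADGroupMember -Identity $g.Name -Recursive -ErrorAction Stop)
    } catch {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        Write-Warning "Could not read '$($g.Name)': $($_.Exception.Message)"
        continue
    }
    if ($members.Count -eq 0) {
        [pscustomobject]@{ Group = $g.Name; Member = '(empty)'; Type = ''; Review = $false }
        continue
    }
    foreach ($m in $members) {
        [pscustomobject]@{
            Group  = $g.Name
            Member = $m.SamAccountName
            Type   = $m.objectClass
            Review = $g.ExpectEmpty   # true = this group was expected to be empty
        }
    }
}

# Show the result and keep a dated copy so the next review can be compared for drift.
$outFile = ".\privileged-groups-$(Get-Date -Format yyyyMMdd).csv"   # placeholder path
$report | Sort-Object Group, Member | Format-Table -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation
```

Rows with `Review` set to True are members of a group that the list above says should be empty or unused; every other row still needs a human decision on whether the account belongs there.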
Verify Active Directory Delegations
The delegation wizard in Active Directory Users and Computers is a horrible tool. I will get into why I feel it is horrible in another blog, but the tool is like a sledgehammer in a knick-knack store! You can use the dsacls tool to verify that the delegations that you want in place (and think are in place) are actually in place. I would run dsacls against the domain node and all organizational units.
Verify Password Policy Settings Are Correct
My last tip is to ensure that the password policies for users are set up properly. If you only have a single password policy for your domain, then this will be quick and easy. First, run secpol.msc against one domain controller in your domain to ensure that the password policy is what you think it should be. Then, just create a test user and ensure that this user can’t create a “weaker” password than the policy defines.
If you have (or think you have) more than one password policy in your domain, verify that the password policy settings are active for each type of user. I can tell you right now that there is no way to use Microsoft technologies to have more than one password policy in a domain! If you use Microsoft technology, you must use fine-grained password policies. You can also get a third-party product to have multiple password policies in a domain. No matter what you have, be sure to test each policy to ensure that it works as you think it works.
Summary
Don’t let idle time get the best of you. If you can do some double checks and verifications of security of your Active Directory settings, you will feel as if you accomplished great things and your time will go faster. In the end, enjoy work, enjoy Thanksgiving, and enjoy your family and friends during this holiday week.