How to Keep Your AD Up and Running
By Adam Fowler
Microsoft's Active Directory has been around for a very long time, since its debut as part of Windows Server 2000. Since those early days, there have been plenty of changes, improvements and schema updates to improve the platform, which has become hugely popular and a key component of most Windows-based environments. However, there hasn't been much of a focus on ways to clean up the Organizational Units (OUs) and the objects inside them; that is left up to you to do for yourself.
Similar to a network share left open for everyone to use and abuse as they please, Active Directory can slowly turn into an unmanageable mess. Poorly named objects, objects placed in areas they shouldn't go, or Group Policies not applying to the right users or computers are a big risk. This leads to an environment that worsens the experience for all involved while potentially opening up security risks in all sorts of ways.
Assuming you're looking at a mess like this in front of you, where do you start, and how do you maintain a clean Active Directory?
First is making sure your OU structure makes sense. Check out my writeup of designing an organizational unit structure here. If it's too hard or messy to repair what you have, build a whole new structure in a single sub-OU with your new design.
The next step is to re-link the Group Policies you have to the new structure. If you're happy with what you have there, this one is easy - just link them to the new OUs. If you're not happy, then again, it's a case of either creating new policies from scratch or modifying copies of each policy object, giving them a new name to identify them as part of your new design, and then linking those to the new OUs.
Third is the actual moving of your objects (users, computers, groups, etc.) into your new structure. Start slow and test as you go; there's probably something you missed, and it's also easy to migrate the objects back to where they came from if more complex issues arise. Make sure all the objects in the old structure have somewhere to go in the new one; if it's not clear where an object should go, then you may need to rename or create more OUs.
Finally, once you're happy with the new structure you can start deleting the old OUs. Another benefit of creating a new OU structure is that you'll have a much easier security baseline to work with - all OUs should have the same security and delegation settings, so you can start blocking or allowing access based on staff requirements. If possible, apply security settings through group membership that defines the role required rather than doing it user by user, as it'll make audits and changes much easier in the future.
Now that your AD is clean, how do you keep it that way? Hopefully you've locked down OUs as above to stop people mistakenly putting objects in the wrong spot, but even better is to have automated workflows for changes. When someone adds a computer to the domain, can you make sure it's always placed in the correct OU so the computer receives the Group Policies it's supposed to, rather than the special built-in 'Computers' container that has no policies? What about the creation of a new email distribution list: will it be created with a name that makes sense and an owner applied, while being placed where it's supposed to be?
Having a documented process for the above is a good start, but an automated workflow process removes the risk of human error or negligence. You can achieve this in many ways, including creating your own PowerShell scripts for standard functions, as well as frequent reports of existing or changed objects in Active Directory. Adaxes can help with this as well of course, providing an easy way for IT staff to perform those common tasks, and making sure that the end result is exactly what you expect. You can even have approval workflows, or notifications of changes emailed automatically as they're performed.
Abandoned objects are the other major item to look at when making sure your Active Directory is clean; having a user cleanup process and making sure computers are removed if they're unused for a certain time are tasks that should be automated - rarely will people want to perform these tasks manually and repeatedly. Again, Adaxes is a good option here, where a scheduled task can be run frequently to report on and clean up the objects you no longer want.
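As an added example (not from the original post or from Adaxes) of what the two automated tasks above can look like as a scheduled PowerShell script using the ActiveDirectory RSAT module: it moves computer accounts that landed in the built-in Computers container into a managed OU, and reports and disables accounts with no logon for 90 days. The OU names, the 90-day threshold and the report path are assumptions; replace them with your own.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module is
# installed and that the placeholder OUs below exist in your domain.
Import-Module ActiveDirectory

$Domain     = Get-ADDomain
$DefaultCN  = $Domain.ComputersContainer          # built-in CN=Computers container
$TargetOU   = "OU=Workstations,OU=Managed,$($Domain.DistinguishedName)"  # placeholder
$StaleOU    = "OU=Stale,OU=Managed,$($Domain.DistinguishedName)"         # placeholder
$StaleDays  = 90                                  # assumed threshold
$ReportPath = "C:\Reports\AD-Hygiene-$(Get-Date -Format yyyyMMdd).csv"   # placeholder

# 1. Computers sitting in the built-in Computers container receive no OU-linked
#    GPOs; move them to the OU whose policies they should get.
#    -WhatIf makes every change a dry run; remove it once the CSV looks right.
Get-ADComputer -SearchBase $DefaultCN -SearchScope OneLevel -Filter * |
    ForEach-Object {
        Write-Host "Moving $($_.Name) from $DefaultCN to $TargetOU"
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU -WhatIf
    }

# 2. Users and computers with no logon in $StaleDays days. LastLogonDate comes
#    from lastLogonTimestamp, which replicates lazily (up to ~14 days behind),
#    so keep the threshold well above that. Already-quarantined objects and
#    disabled accounts are skipped.
$Stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($StaleDays)) |
    Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$StaleOU" }

# Report first so the list can be reviewed (service accounts, kiosks) before
# anything is disabled.
$Stale | Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Disable and park in a quarantine OU rather than delete, so a false positive
# can be restored without recreating the object.
foreach ($acct in $Stale) {
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf
    Move-ADObject     -Identity $acct.DistinguishedName -TargetPath $StaleOU -WhatIf
}

# Optional one-off (Domain Admin): make new computer accounts land in $TargetOU
# instead of CN=Computers, so step 1 becomes a safety net rather than the rule:
#   redircmp $TargetOU
```

Run it as a scheduled task with a dedicated account delegated only the move and disable rights on the OUs involved, and review the CSV for a few cycles before dropping -WhatIf.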
It's a big job to both clean up Active Directory and implement a system that makes sense to keep it clean, but it's not a difficult one. Having an OU and Group Policy structure in place that makes sense to everyone who looks at it, combined with ongoing reports and cleanup processes will help keep order in your environment, rather than having controlled chaos that everyone delicately steps around and pretends isn't there.