Tuesday, May 01, 2018

Active Directory Health and Security Audit

During my project to migrate users from roaming profiles to redirected folders, I have been noticing errors in Active Directory reported by Lansweeper and the Best Practices Analyzer. The organization I work for has an Active Directory that is approximately 20 years old; it was brought in during the late 90's on Windows NT version 3.5, or so I've been told. There is no documentation on the AD setup, though I think it is reasonable to assume, based on how easy it is to manage users and computers, that the domain is either a resource-based or a user-based domain.

All users were originally set up with roaming profiles, which would be fine with small user accounts, but I've successfully migrated all users to redirected folders. This really sped up our logon time, but now when we deploy new users and new systems I have been noticing errors in the Active Directory log such as this:

As an IT group we really haven't been vigilant, until recently, about getting Active Directory fixed up and in line with current best practices. To that end we are working to get Active Directory set up so it doesn't need to be so micromanaged. Currently we are having issues when creating new users and adding new machines: Group Policy doesn't apply properly and things get missed when they are deployed. Two good examples of this issue:

  1. Deploying a new computer: the machine was added to the domain and to the proper OU, a GP update was done on the server, but the user logs in to the client and gets no redirected folders.
  2. Adding a new user for email-only access: the user was put into the proper security groups and OU, yet is able to log in to a network computer when they should be denied.

The AD has also evolved to use more than one domain controller (currently 4), which is not necessary for an organization of this size (100 users and 100 devices); 2 are required for redundancy, but we also want a virtualized domain controller for good measure and to follow best practices.

Issues to be rectified:

  • Offline Syncing
  • DFS Replication
  • Time Server Syncing
  • Primary Active Directory Controller (PAC) needs to be reassigned
  • Raise Domain Functionality
  • Confirm DFS Settings
  • Fix Shared Folder Names
  • Verify SYSVOL Replication
  • Make sure Best Practices Analyzer is free and clear from major errors.
  • Verify Active Directory Domain Administrator Password
  • Verify the Active Directory Backup Password
  • Remove unused Group Policies, OUs and Users
  • Set up Role Based Administration
  • Review Global Catalog
  • Create Documentation for IT Staff
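To get a baseline before touching anything, the following PowerShell script takes a read-only snapshot of several checklist items at once: FSMO role holders (including the PDC emulator, which should be the domain's time source), functional levels, global catalog placement, SYSVOL/NETLOGON shares on every DC, replication failures, stale users and computers, and GPOs linked nowhere. This is an added example and not code from the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller has read access to the domain, and it uses a 90-day idle threshold that I chose for illustration. It changes nothing.

```powershell
# Added example (not from the original post): read-only AD health snapshot.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and domain read access.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$staleDays = 90   # assumption: objects idle this long are review candidates
$domain    = Get-ADDomain
$forest    = Get-ADForest

Write-Host "== Functional levels and FSMO role holders =="
[PSCustomObject]@{
    Domain               = $domain.DNSRoot
    DomainLevel          = $domain.DomainMode
    ForestLevel          = $forest.ForestMode
    PDCEmulator          = $domain.PDCEmulator   # should sync from an external/reliable time source
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List

Write-Host "== Domain controllers: GC flag, SYSVOL/NETLOGON shares, time source =="
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_
    # Plain SMB path tests work against old and new DCs alike
    $hasSysvol   = Test-Path "\\$($dc.HostName)\SYSVOL"
    $hasNetlogon = Test-Path "\\$($dc.HostName)\NETLOGON"
    # w32tm can ask a remote DC which time source it is configured to use
    $source = w32tm /query /computer:$($dc.HostName) /source 2>&1 | Select-Object -First 1
    [PSCustomObject]@{
        DC          = $dc.HostName
        IsGC        = $dc.IsGlobalCatalog
        OS          = $dc.OperatingSystem
        HasSYSVOL   = $hasSysvol
        HasNETLOGON = $hasNetlogon
        TimeSource  = $source
    }
} | Format-Table -AutoSize

Write-Host "== Replication failures (no output is the good outcome) =="
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

Write-Host "== Enabled users and computers not seen in $staleDays days =="
$cutoff = (Get-Date).AddDays(-$staleDays)
# LastLogonDate is null for accounts that never logged on; treat those as stale too
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize
Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate, OperatingSystem |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Select-Object Name, OperatingSystem, LastLogonDate |
    Format-Table -AutoSize

Write-Host "== GPOs linked nowhere (candidates for removal after review) =="
Get-GPO -All | ForEach-Object {
    # The XML report lists every site/domain/OU the GPO is linked to under <LinksTo>
    $report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
    if (-not $report.GPO.LinksTo) { $_.DisplayName }
}
```

Run it once against the production domain to record the starting state and again against the Hyper-V mirror after each fix; diffing the two outputs is a cheap way to confirm a change did what was intended before it is repeated in production. Anything it flags (a DC without a SYSVOL share, a replication partner with a non-zero failure count, a GPO with no links) is a review item, not an automatic deletion.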

Current AD Setup

The Process to fix AD

Using Lansweeper, the Best Practices Analyzer and the Microsoft IPD Guide from the Microsoft Developer Network, IT staff intend to go over the Active Directory setup with great care and detail, documenting final results that may have been lost or have changed over time, such as the Active Directory Recovery Password. Using virtualization we will test and verify the schema, the forest root, design structure, scalability, ACLs, backup/restoration needs, centralized security management, ease of administration, and user and computer roles.

To verify these settings, IT will make a mirror of our current AD in a virtualized private network to test and verify settings before any fixes are applied to the production Active Directory. This will ensure the safety and validity of the processes we use for fixing and optimizing the Active Directory. All procedures will be tested, verified and documented so they can be easily replicated.

Computers Used in Mirrored Setup:
  • Current Primary AD Controller (VM)
  • New Physical AD Controller 1
  • New Virtual AD Controller
  • New Physical AD Controller 2
  • Lansweeper
  • Windows 7 Client
  • Windows 10 Client
  • SHARE1
  • SHARE2
  • SHARE3

Following the updates to the Active Directory, a Best Practices document will be created and checked semi-annually to identify any best practices that need to be updated and implemented. Before any change is implemented in the AD, it will be verified in the mirrored setup using Hyper-V.

How to fix clients overwriting other clients in Action 1

Action 1 is a great patch management system. However, one thing you should not do is add the Action 1 client when imaging; the client should...