If you are reading this article, it means that you are a responsible Active Directory admin who knows that there is always a way to make your environment better, faster and more reliable. And here we will be looking at seven aspects that you can work on to improve your AD.
1. Automation
The first and foremost thing that you can do is automate everything in your working environment. This idea should be deep enough in your head to cause a passion for automation in your whole life, not only work. So, what you should be aiming at is letting the programs on your servers do whatever is needed without your intervention at all. The only time you need to touch your mouse and keyboard is when something goes wrong. So in an ideal world you never do anything at all.
Obviously, we do not live in an ideal world, but it doesn’t mean that you can’t get as close to it as you can. And although ‘automation’ is a very broad term, it is definitely the first thing you should be considering when thinking about.
2. Script and Trigger
If you can script something, it means that it should be scripted as soon as possible. The only thing that you need for it is a really good understanding of what needs to happen and why. If you can specify what to do, just tell it to your machine in the form of a script. It doesn’t matter which language you use for that, but PowerShell is probably one of the best solutions for Active Directory. Just use the Microsoft Active Directory Module.
The problem that many admins face is not the challenge of actually scripting some tasks, but of making them run when needed. The solution for that problem is not obvious, but there is one. We will come back to it at the end of this article.
3. Keeping Order in AD
Anybody would agree that maintaining your AD structure is a very important part of successful administration. If you (or your predecessors) have done everything correctly, it means that your Active Directory environment is fully documented and you have a very clear understanding of what needs to be where. If not, you probably need to do that first.
If you maintain everything in order, it means that at every moment you know where to search for a needed object, what it should look like, and where to put a newly created object. But doing all that manually can be a big challenge. And as your company grows, it can reach a level where it is impossible for a human to maintain without causing huge time delays. So the solution is pretty much the same: make your machines rise and work for you.
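An added example, not part of the original article or of any product it mentions: a PowerShell placement audit that compares each user's OU with the OU expected for their department and previews the moves. The department-to-OU map, the `example.com` domain and the use of the `Department` attribute are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. The department-to-OU map and all DNs are hypothetical.
$OuByDepartment = @{
    'Sales'   = 'OU=Sales,OU=Staff,DC=example,DC=com'
    'Finance' = 'OU=Finance,OU=Staff,DC=example,DC=com'
}
$Root = 'OU=Staff,DC=example,DC=com'

# Parent container of a DN: everything after the first unescaped comma.
function Get-ParentDn {
    param([string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

$findings = Get-ADUser -Filter * -SearchBase $Root -Properties Department |
    ForEach-Object {
        $dept     = $_.Department
        $actual   = Get-ParentDn $_.DistinguishedName
        $expected = if ($dept -and $OuByDepartment.ContainsKey($dept)) {
            $OuByDepartment[$dept]
        }
        # Users with no mapped department are reported, never moved.
        $issue = if (-not $expected)            { 'UnknownDepartment' }
                 elseif ($actual -ne $expected) { 'WrongOU' }
        if ($issue) {
            [pscustomobject]@{
                User  = $_.SamAccountName
                Issue = $issue
                From  = $actual
                To    = $expected
                Dn    = $_.DistinguishedName
            }
        }
    }

$findings | Format-Table User, Issue, From, To -AutoSize

# Preview only: remove -WhatIf after reviewing the report above.
$findings | Where-Object Issue -eq 'WrongOU' | ForEach-Object {
    Move-ADObject -Identity $_.Dn -TargetPath $_.To -WhatIf
}
```

Moving an object changes which GPOs and delegated permissions apply to it, so the report is worth reviewing before the `-WhatIf` switch is removed.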
4. Least Privilege Principle
Apart from automating tasks with the help of scripts and machines, it is highly important to make sure that your human resources are allocated efficiently. The first thing you need to be sure of is that your environment follows the Least Privilege Principle, i.e. at any given point in time all users must have exactly the permissions and access that they need. No more and no less.
In a small environment it’s ok to maintain all that by hand, but as the number of users grows it becomes unbearable. A special kind of pain comes when you try to change someone’s permissions. This can be solved by applying a Role-Based Access model, which means that you don’t assign permissions straight to users. First you assign permissions to a role and then assign the role to users. So if you want to change a user’s access rights, you just change his/her role. And if you want to modify a role, you do it in a single place instead of doing it manually for each user.
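The role-based model above, as an added example that is not from the original article or any product: a PowerShell script that treats each role as a set of AD groups and reconciles every user's membership against it, so stale access is removed as well as new access granted. The role names, the `ROLE-*` group names, the OU and the use of the `Title` attribute as the role source are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Role map, group names and search base are hypothetical.
$RoleMap = @{
    'Help Desk Technician' = @('ROLE-HelpDesk')
    'Sales Manager'        = @('ROLE-Sales', 'ROLE-SalesReports')
}
$SearchBase = 'OU=Staff,DC=example,DC=com'

# Pure function: which managed groups must be added or removed for one user.
function Get-RoleDelta {
    param([string[]]$Current, [string[]]$Desired, [string[]]$Managed)
    # Groups outside the role map are not ours to manage and are ignored.
    $cur = @($Current | Where-Object { $_ -in $Managed })
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { $_ -notin $cur })
        Remove = @($cur     | Where-Object { $_ -notin $Desired })
    }
}

$managed = @($RoleMap.Values | ForEach-Object { $_ } | Sort-Object -Unique)

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties Title |
    ForEach-Object {
        $user = $_
        # A user with no recognised role is entitled to no managed groups.
        $desired = if ($user.Title -and $RoleMap.ContainsKey($user.Title)) {
            $RoleMap[$user.Title]
        } else { @() }
        $current = @(Get-ADPrincipalGroupMembership -Identity $user |
                     Select-Object -ExpandProperty SamAccountName)

        $delta = Get-RoleDelta -Current $current -Desired $desired -Managed $managed

        # Preview only: remove -WhatIf once the proposed changes look right.
        foreach ($g in $delta.Add) {
            Add-ADGroupMember -Identity $g -Members $user -WhatIf
        }
        foreach ($g in $delta.Remove) {
            Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -WhatIf
        }
    }
```

Permissions are granted to the `ROLE-*` groups once; changing a role then means editing one entry in `$RoleMap` or one group's ACLs, not each user.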
5. Delegate Tasks to Lower Level Users
If you want to keep your environment healthy and efficient, a good idea is to let users with a lower level of responsibility perform more tasks and therefore give higher level users time to deal with higher level tasks. But then there is the problem of a decreasing level of control.
To maintain the same security and control levels there is an elegant solution — Approval-Based Workflow. Just let lower level users do all the work, then it will be sent for approval and the higher level users will just need to say yes or no. As simple as that.
6. Self-Service Portal
To make your AD even more autonomous and self-supporting, you can let your users make modifications to their own accounts instead of doing all that for them yourself. To let them change personal information or, e.g., perform AD searches, you can implement a web portal that gives them access to all that. A neat and easy solution.
7. Self-Password Reset
One of the most time-consuming and boring tasks there is, is resetting passwords and unlocking user accounts. Up to 70% of users forget their passwords every single month. And the amount of time it takes is just huge. But there is a solution for that as well. Just give those users an opportunity to reset their passwords by themselves. They can verify their identity by either answering security questions or by entering an SMS code. Once that’s done, they just reset their password or unlock their account. Users are happy and help desk personnel have much more time to do real IT work.
Conclusion
After reading all that you are probably thinking something like ‘ok, all that is awesome and really cool, but how can I achieve all that?’ Luckily enough we have a simple answer for that question — Adaxes.
Adaxes includes all the improvements that we discussed and allows you to implement them in your environment in a smart and simple way. Once you install it, you can benefit from automation capabilities, a role-based delegation system, approval-based workflow, web access to AD, a self-service portal and much more.
To understand how good your Active Directory can really be, just try Adaxes.