Best Practices

  • Always apply the theory of least privilege.

    Whenever you are configuring security on an Active Directory object, assign only the least permissions that users need to complete their job function.

  • Use a consistent model for assigning permissions.

    Do not assign permissions to individual users; rather, use a well-defined model for assigning permissions to security groups and placing user accounts into the security groups.

  • Avoid assigning permissions to domain local groups.

    Domain local security groups are valid only in the domain; thus, permissions replicated to the Global Catalog will not be applied as expected. Assign forestwide permissions by using universal groups. This is one of the only exceptions to assigning permissions using the A-G-DL-P model. (For more on this model, see the "Implementing Role-Based Security in Windows 2000" section in Chapter 3, "Securing User Accounts and Passwords.")

  • Document changes made to DACLs.

    Be certain to record changes that you make to Active Directory object DACLs. This will simplify troubleshooting in the event of an error arising from the new permissions.

  • Remove users from the Schema Admins security group.

    When the schema is not in the process of being extended or altered, remove users from the Schema Admins security group so that the schema is not unintentionally altered, and ensure that the schema is not write-enabled.

  • Use Restricted Groups.

    Use Restricted Groups in Group Policy to limit membership in the Schema Admins security group.
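
The following Python script is an added example, not code from the book. It checks an exported list of ACE trustees and the Schema Admins membership against the practices above. The record layout, the function names, and every account and group name are constructed for illustration; the groupType scope bits are the values Active Directory stores on group objects.

```python
# Added example: checks exported AD data against the practices listed above.
# The record layout and all names below are constructed for illustration.

# Scope bits of the groupType attribute (LDAP exports it as a signed int32).
GROUP_SCOPES = {0x2: "global", 0x4: "domain local", 0x8: "universal"}


def group_scope(group_type):
    """Decode the scope of a group from its groupType value."""
    bits = group_type & 0xFFFFFFFF  # normalise the signed export to unsigned
    return next((name for flag, name in GROUP_SCOPES.items() if bits & flag),
                "unknown")


def audit(aces, schema_admins, schema_change_in_progress=False):
    """Return (subject, principal, finding) tuples for each deviation."""
    findings = []
    for ace in aces:
        where, who = ace["object_dn"], ace["trustee"]
        if ace["trustee_class"] == "user":
            findings.append((where, who, "permission assigned to an individual user"))
        elif (ace["trustee_class"] == "group"
              and group_scope(ace["group_type"]) == "domain local"):
            findings.append((where, who, "permission assigned to a domain local group"))
    if not schema_change_in_progress:
        for member in schema_admins:
            findings.append(("Schema Admins", member,
                             "member present while the schema is not being extended"))
    return findings


# Constructed sample export: one record per ACE on an Active Directory object.
SAMPLE_ACES = [
    {"object_dn": "OU=Sales,DC=example,DC=com", "trustee": "EXAMPLE\\jsmith",
     "trustee_class": "user", "group_type": None},
    {"object_dn": "OU=Sales,DC=example,DC=com", "trustee": "EXAMPLE\\Sales Admins",
     "trustee_class": "group", "group_type": -2147483640},  # universal security
    {"object_dn": "OU=HR,DC=example,DC=com", "trustee": "EXAMPLE\\HelpDesk DL",
     "trustee_class": "group", "group_type": -2147483644},  # domain local security
    {"object_dn": "OU=HR,DC=example,DC=com", "trustee": "EXAMPLE\\HR Managers",
     "trustee_class": "group", "group_type": -2147483646},  # global security
]
SAMPLE_SCHEMA_ADMINS = ["EXAMPLE\\Administrator"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACES, SAMPLE_SCHEMA_ADMINS):
        print(" | ".join(finding))
```

Keeping each run's output alongside the change log also gives a dated record of DACL changes for later troubleshooting.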



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
