Active Directory Domains remain an important part of many companies, despite widespread cloud adoption. In many cases, on-premises servers and services simply cannot be replaced with cloud-based alternatives, and the authentication mechanism used for many of those services remains the tried-and-true Active Directory Domain Controller. Given the importance of Domain Services, it's sometimes surprising just how overlooked certain routine maintenance tasks can be.
User and computer accounts lie at the heart of an Active Directory Domain, controlling who can log into the domain, from which computers, and with access to which resources. The Domain Controllers silently direct all of this traffic and do such a good job of staying "out of the way" that it's sometimes easy to forget about the underlying accounts and systems involved. As computers get replaced with new ones, the older computer object may remain in Active Directory for days, weeks, months or even years. In some cases, those computer accounts may be disabled, as happens when a computer is removed from the Domain. In other cases, the objects may simply continue to exist, untouched and forgotten about.
Similarly, user accounts may be disabled when people stop working for a company, but this is not always an automatic process, and it can sometimes be overlooked. This can lead to user accounts existing in the Domain for some time, often with a static password and with very little attention being paid to them. In cases where Entra Connect is being used to synchronize on-premises user and computer accounts with Entra ID, this can be particularly troubling. An enabled, but disused, user account can provide a possible entry point for malicious behavior.
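The stale user and computer accounts described in the last two paragraphs can be listed directly from the directory. The script below is an added example and not DMC Technology Group's own tooling; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and that 90 days is the inactivity window the organization has chosen. It reads lastLogonTimestamp (rather than the non-replicated lastLogon) so that a single Domain Controller gives a domain-wide answer, and it treats never-used accounts as stale only once they are older than the window.

```powershell
# Added example (not from DMC Technology Group): report user and computer accounts
# that have not authenticated to the domain within a chosen window.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-StaleAccount {
    param(
        [int]$InactiveDays = 90,          # assumed threshold; adjust to local policy
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $props  = 'lastLogonTimestamp', 'pwdLastSet', 'whenCreated', 'Enabled'

    $users     = Get-ADUser     -Filter * -SearchBase $SearchBase -Properties $props
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props

    foreach ($obj in @($users) + @($computers)) {
        # lastLogonTimestamp is replicated between DCs and stored as a Windows FILETIME.
        # It is only rewritten when the stored value is roughly 14 days old
        # (msDS-LogonTimeSyncInterval), so treat it as accurate to about two weeks.
        $lastLogon = if ($obj.lastLogonTimestamp) {
            [DateTime]::FromFileTime($obj.lastLogonTimestamp)
        } else { $null }   # never logged on since the attribute was introduced

        $pwdSet = if ($obj.pwdLastSet) { [DateTime]::FromFileTime($obj.pwdLastSet) } else { $null }

        # An account that has never logged on counts as stale only once it is older than the
        # window; otherwise a freshly created object would be flagged on day one.
        $isStale = if ($lastLogon) { $lastLogon -lt $cutoff } else { $obj.whenCreated -lt $cutoff }
        if (-not $isStale) { continue }

        [pscustomobject]@{
            Name        = $obj.Name
            Type        = $obj.ObjectClass        # 'user' or 'computer'
            Enabled     = $obj.Enabled
            LastLogon   = $lastLogon
            PasswordSet = $pwdSet
            DN          = $obj.DistinguishedName
        }
    }
}

# Enabled-but-disused accounts are the ones that still accept a logon, so list them first.
Get-StaleAccount -InactiveDays 90 |
    Sort-Object Enabled -Descending |
    Format-Table Name, Type, Enabled, LastLogon, PasswordSet -AutoSize

# Export for review before any disable or delete action:
# Get-StaleAccount -InactiveDays 90 | Export-Csv .\stale-accounts.csv -NoTypeInformation
```

The built-in `Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00` gives a quicker but less detailed list. Whichever is used, the usual practice is to disable and move flagged objects to a quarantine OU first, and delete only after a waiting period confirms nothing depended on them.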
Often flying even further under the radar, Group Policy Objects may be created for initial testing or used to perform a specific task, then forgotten about and left in place long after they've become irrelevant. In many cases, the settings contained in those policies are benign and unimportant, but a large number of applied and unnecessary Group Policy Objects can slow down Group Policy Processing on client computers and add unwanted network traffic between client computers and Domain Controllers. Group Policy issues become more likely, and potentially more disruptive, over many years as network administrators come and go. The combined efforts of several administrators over many years, combined with a reluctance to make changes to policies that are not fully understood, can lead to sprawl, complexity, and the potential for configuration issues on client computers and servers.
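Finding the forgotten policies described above is mostly a matter of asking each GPO where it is linked and whether it carries any settings. The following is an added example, not DMC Technology Group's code; it assumes the RSAT GroupPolicy module and the right to read every GPO. It uses the XML report each GPO can produce, in which every site, domain or OU link appears as a LinksTo element and applied settings appear as ExtensionData under the Computer and User sections.

```powershell
# Added example (not from DMC Technology Group): list Group Policy Objects that are linked
# nowhere, whose links are all disabled, or that contain no settings at all.
# Assumes the RSAT GroupPolicy module and read access to all GPOs in the domain.
Import-Module GroupPolicy

function Get-GpoCleanupCandidate {
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries one <LinksTo> element per site, domain or OU link.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

        # Pipe through Where-Object so a missing <LinksTo> yields an empty array, not @($null).
        $links        = @($report.GPO.LinksTo | Where-Object { $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        # A GPO with neither computer nor user extension data applies no settings.
        $hasSettings = ($null -ne $report.GPO.Computer.ExtensionData) -or
                       ($null -ne $report.GPO.User.ExtensionData)

        $reasons = @()
        if ($links.Count -eq 0)            { $reasons += 'unlinked' }
        elseif ($enabledLinks.Count -eq 0) { $reasons += 'all links disabled' }
        if (-not $hasSettings)             { $reasons += 'no settings' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.Id
                Status   = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
                Links    = $links.Count
                Modified = $gpo.ModificationTime   # old + unlinked is the strongest cleanup signal
                Reason   = $reasons -join '; '
            }
        }
    }
}

Get-GpoCleanupCandidate |
    Sort-Object Modified |
    Format-Table Name, Links, Status, Modified, Reason -AutoSize
```

A GPO that is unlinked is not necessarily unused: it may be linked from a site in another domain of the forest, or kept deliberately as a template. Back each candidate up with `Backup-GPO` before removing it, so the settings can be restored if something did depend on them.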
This can also be true of login scripts, which can "hide in plain sight" for years, without doing anything of any benefit. A legacy login script may be directing computers to map drives to servers and shares that no longer exist, or printers and print servers that haven't been in production for years. These scripts may be written to prevent error messages from appearing to the end user, but the time it takes to process invalid login script commands may increase login times.
Many companies also have a standard procedure for deploying new servers and computers, and this often involves the use of a standardized password for the local Administrator account. If that account is compromised on any one of the computers on the network, those same credentials can be used to remotely access other computers with the same username and password on them. This lateral movement can allow malicious software or hackers to move rapidly across the network, wreaking havoc and causing devastation as they go.
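Once LAPS is in place, the practical question becomes which computers are still outside it, because every such machine may still carry the shared build-time password. The script below is an added example rather than DMC Technology Group's own procedure; it assumes the RSAT ActiveDirectory module and that the schema has been extended for Windows LAPS, legacy LAPS, or both. It checks the schema before requesting either attribute, since asking Get-ADComputer for an attribute the schema does not define produces an error.

```powershell
# Added example (not from DMC Technology Group): report enabled domain computers with no
# LAPS-managed local administrator password, or whose managed password is past its expiry.
# Assumes the RSAT ActiveDirectory module and a schema extended for Windows LAPS and/or legacy LAPS.
Import-Module ActiveDirectory

function Test-SchemaAttribute([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $null -ne (Get-ADObject -SearchBase $schemaNc -Filter "lDAPDisplayName -eq '$LdapDisplayName'")
}

function Get-LapsCoverage {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Windows LAPS writes msLAPS-PasswordExpirationTime; legacy LAPS wrote ms-Mcs-AdmPwdExpirationTime.
    # Both are FILETIME values. Only request the ones this forest's schema actually defines.
    $newAttr = 'msLAPS-PasswordExpirationTime'
    $oldAttr = 'ms-Mcs-AdmPwdExpirationTime'
    $attrs   = @('OperatingSystem', 'lastLogonTimestamp')
    if (Test-SchemaAttribute $newAttr) { $attrs += $newAttr }
    if (Test-SchemaAttribute $oldAttr) { $attrs += $oldAttr }

    $now = Get-Date
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $attrs |
        ForEach-Object {
            $expiry = if ($_.$newAttr) { $_.$newAttr } elseif ($_.$oldAttr) { $_.$oldAttr } else { 0 }
            $status = if ($expiry -eq 0) {
                'None'
            } elseif ([DateTime]::FromFileTime($expiry) -lt $now) {
                'Expired'      # managed once, but rotation has stopped; treat like an unmanaged host
            } else {
                'Managed'
            }

            [pscustomobject]@{
                Name      = $_.Name
                OS        = $_.OperatingSystem
                LapsState = $status
                Expires   = if ($expiry) { [DateTime]::FromFileTime($expiry) } else { $null }
                LastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            }
        }
}

# Hosts still sharing the build-time local Administrator password are the lateral-movement risk.
Get-LapsCoverage |
    Where-Object { $_.LapsState -ne 'Managed' } |
    Sort-Object LastLogon -Descending |
    Format-Table Name, OS, LapsState, Expires, LastLogon -AutoSize
```

Computers that show up here and also appear in a stale-account report are usually best disabled rather than onboarded; the rest need the LAPS policy applied and a confirmation that the expiry value starts being written.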
DMC Technology Group can help identify user and computer accounts that have not communicated with the domain for some time, which can help to identify those accounts that can be disabled or deleted from Active Directory. We can also assist with the implementation of Microsoft Defender for Identity, which can monitor the behavior on the local Domain, and alert administrators when dangerous or anomalous behavior is detected. We can help determine which Group Policy Objects and login scripts are still being used, and which are no longer relevant and can be removed from the network. To help prevent lateral movement, we can help install and configure the Local Administrator Password Service (LAPS) either on-premises using Active Directory or in the cloud, using Entra ID.
It's truly a testament to the longevity and effectiveness of Active Directory that we spend so little time thinking about the accounts, protocols and services that make it all work. But a little "Spring cleaning" now and then can help reduce the complexity of an Active Directory environment and streamline the communication process between client computers and their Domain Controllers. A few hours spent on this kind of tune-up now can yield benefits for months or years to come.
President, DMC Technology Group