Active Directory Guide

A step by step guide for Active Directory

Active Directory Guide

  1. Set up Active Directory for yourname.com.

  2. Forest name: corp.yourname.com | NetBIOS name: yourname | AD recovery password: ***********
    Only Windows Server 2012 R2, 2016, 2019, 2022 and 2025 (preview) can be Domain Controllers.

  3. Set up reverse DNS; primary IPv4 = 192.168.2.3

  4. Set up backup: add the backup role and create backups on internal and external disks.

  5. Create a new Enterprise Admin account (your admin's name) and add it to the Administrators, Enterprise Admins, Domain Admins and Schema Admins groups.

  6. Rename the built-in administrator account to Yourname | create a decoy "administrator" account with a profile that looks like the real administrator; password = ***************

  7. Protect all OUs from accidental deletion.

  8. Add new OUs for Computers and Users and redirect the default containers to them with Redircmp.exe and Redirusr.exe

  9. redircmp "OU=New Computers, DC=corp, DC=yourname, DC=com"

  10. Set PDC Emulator to sync from an external time source

  11. The Domain Controller with the PDC Emulator role is the one true source of time for your domain.

  12. All other Domain Controllers sync their time from it, and all client machines sync their time from the domain controller that they log into.

  13. It's important that time is consistent across your enterprise. The example below will sync it from some ntp.org pools, which are very reliable.

  14. If you already have a device on your network, like a core switch, offering reliable NTP, then you can replace all of the items in the manual peer list with those devices.

  15. w32tm /config /update /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:MANUAL

  16. If you're not sure which DC has the PDC Emulator role, log into one of them and run netdom query fsmo at the command prompt.

  17. It will return a list of each FSMO role and which server currently holds it.

  18. Set the DNS server search order correctly on the network adapters of the DCs: 127.0.0.1 should be in the list, and it should be last.

  19. Each DC in a site should use another DC from that site as the primary.

  20. If there are more than two DCs in a site with DNS installed, then one of the other DCs should be primary, the other secondary, and 127.0.0.1 should be the tertiary.

  21. For example: DC01's IP address is 192.168.2.2 and DC02's IP address is 192.168.2.3; both are DNS servers.

  22. DC01 network adapter should be configured so that 192.168.2.3 is the primary and 127.0.0.1 is the secondary.

  23. This prevents replication islands from occurring in specific circumstances.
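As an added check for steps 10 to 23 (example code, not part of the original guide), the script below locates the PDC Emulator, reports its time source, and verifies the DNS server order on every DC. It assumes the ActiveDirectory module and WinRM access to the DCs.

```powershell
# Added example, not part of the original guide: audit the PDC Emulator time source and the
# DNS server order of every DC (steps 10 to 23). Assumes the ActiveDirectory module and WinRM.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
Write-Host "PDC Emulator: $pdc"

# The PDC Emulator should follow the manual NTP peer list, not its own clock or the hierarchy.
$source = Invoke-Command -ComputerName $pdc -ScriptBlock { w32tm /query /source }
Write-Host "PDC time source: $source"
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning 'PDC Emulator is not synchronised with an external time source'
}

# Every DC should point first at another DC in its own site and at 127.0.0.1 last.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $siteDcIps = @($dcs | Where-Object { $_.Site -eq $dc.Site -and $_.Name -ne $dc.Name } |
                   Select-Object -ExpandProperty IPv4Address)
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1 -ExpandProperty ServerAddresses
    })
    $status = 'ok'
    if     ($servers.Count -eq 0)          { $status = 'no DNS servers configured' }
    elseif ($servers[0] -eq '127.0.0.1')   { $status = 'loopback is primary' }
    elseif ($servers[-1] -ne '127.0.0.1')  { $status = '127.0.0.1 missing or not last' }
    elseif ($siteDcIps.Count -gt 0 -and $servers[0] -notin $siteDcIps) {
        $status = 'primary is not a DC in the same site'
    }
    '{0,-12} {1,-16} {2,-30} {3}' -f $dc.Name, $dc.Site, ($servers -join ','), $status
}
```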

How to set up a restricted local administrator group?

Restricting the Ability of Users to Create Computers
It is highly recommended that you close this loophole so that non-administrative users cannot join computers to the domain. To change the ms-DS-MachineAccountQuota attribute, follow these steps:

  1. Open ADSI Edit from the Administrative Tools folder.

  2. Right-click ADSI Edit and click Connect To.

  3. In the Connection Point section, select Default Naming Context from the drop-down list.

  4. Click OK.

  5. In the console tree, expand Default Naming Context.

  6. Right-click the domain folder (for example “dc=yourname,dc=com”) and then choose Properties.

  7. Select ms-DS-MachineAccountQuota and click Edit.

  8. Type 0 and click OK.

See also (external website): How to use Group Policy Preferences to secure local administrator groups.

NB: Also make sure the Domain Admins and the IT support admins can still add computers.
It is better to pre-stage computers first.
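As an added example for the ms-DS-MachineAccountQuota procedure above (not part of the original guide), this script lists the computers that ordinary users joined under the quota, using the mS-DS-CreatorSID attribute that such joins leave behind, and then sets the quota to 0 from PowerShell instead of ADSI Edit. It assumes the ActiveDirectory module and Domain Admins rights.

```powershell
# Added example, not part of the original guide: list computers joined under the default
# ms-DS-MachineAccountQuota by ordinary users, then set the quota to 0.
# Assumes the ActiveDirectory module and Domain Admins rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota: $quota (Windows default is 10)"

# A computer joined by a user who only had the quota (no Create Computer permission) carries
# that user's SID in mS-DS-CreatorSID; accounts pre-staged by delegated admins do not.
$joinedViaQuota = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $raw = $_.'mS-DS-CreatorSID'
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) } else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }      # creator account may have been deleted since
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
    }
$joinedViaQuota | Sort-Object Created | Format-Table -AutoSize

# Close the loophole: with the quota at 0 only principals holding "Add workstations to the
# domain" or explicit Create Computer permissions on an OU can join machines.
Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
```

Review the listed computers before lowering the quota: each is a machine that was joined without a pre-staged account and may need to be moved into the proper OU.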

Enable the AD Recycle Bin.

  1. The AD Recycle Bin requires a Windows Server 2008 R2 Forest Functional Level, which means you can never promote a machine older than 2008 R2 to a Domain Controller.

  2. If this isn't an issue for you, then you should enable it. It allows for item-level recovery of deleted objects like user or computer accounts. It's a life saver.

  3. Open PowerShell as administrator and run the example from the website below.
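As an added example (not the guide's own snippet), the script below checks the forest functional level, enables the Recycle Bin, and then shows the item-level restore the section describes. It assumes the ActiveDirectory module, Enterprise Admins rights, and a deleted user named jdoe (a constructed sample name).

```powershell
# Added example, not part of the original guide: enable the AD Recycle Bin and show an
# item-level restore. Assumes the ActiveDirectory module, Enterprise Admins rights and a
# deleted user 'jdoe' (constructed sample name).
Import-Module ActiveDirectory

$forest = Get-ADForest
# The feature needs Windows Server 2008 R2 forest functional level and cannot be turned off again.
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level $($forest.ForestMode) is too low for the AD Recycle Bin"
}
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
    Write-Host 'Recycle Bin enabled; wait for replication before relying on it'
} else {
    Write-Host 'Recycle Bin is already enabled'
}

# Deleted objects keep their attributes (group memberships, SID) for the deleted object
# lifetime, so they can be restored in place rather than re-created.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq 'jdoe' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
if ($deleted) {
    $deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged | Format-List
    $deleted | Restore-ADObject          # returns to lastKnownParent with its original name
} else {
    Write-Host 'No deleted object named jdoe found'
}
```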

When specifying permissions on a domain object, always use global or universal groups.
Never use a local group to set permissions on any domain object.

Check and disable the following

  1. All drives in the server hosting Active Directory must be formatted as NTFS.

  2. Disable SMTP protocols

  3. Disable boot from any removable devices except the boot disk.

  4. Run only the services the server needs and disable the rest. Services you can disable include IIS, SMTP, Fax, Indexing, Shell Hardware Detection, Distributed Link Tracking Client, Upload Manager, Portable Media Serial Number, Windows Audio and Utility Manager.

  5. Allow only secure DNS updates

Access this computer from the network

  1. The WSSG EC Policy changes the default settings (which are indeed way too broad) to BUILTIN\Administrators, NT AUTHORITY\Authenticated Users and NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.

  2. “Authenticated Users”: it would be better to create a group in AD, add all of your known users to that group, and replace Authenticated Users with your own group.
    That way, you are sure that someone who is able to create a user account (by any means) cannot necessarily access your DCs from the network.

Add Workstations to the domain

Typically, you’d only want your IT staff to be able to add computers to the domain.
In order to really delegate and secure this kind of activity, there are two places that need some configuration:
  1. Edit the GPO that is applied to your DCs – go to “Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – User Rights Assignment”

  2. Edit “Add workstations to the domain”, remove “Authenticated Users” (Default Policy) or “BUILTIN\Administrators” (WSSG EC Policy) and add your IT Staff users.

  3. If changing this setting breaks your attempt to add a new DC to the Domain, you may have to add your Domain Admins/Enterprise Admins group as well.

  4. Open Active Directory Users & Computers. Go to View and enable “Advanced Features”. Right-click “Computers” and go to the Security tab. Make sure regular users (Authenticated Users, etc.) have read-only rights.

  5. You don’t need to add your IT Staff to the ACL. After all, it would be much better to create a separate OU structure, grant access to that OU, and set necessary permissions to the OU to the IT Staff.

  6. This way they can pre-create the computer objects before adding a computer to the domain. That is the best way to manage your computer objects (or at least the addition of computer objects in your environment).

Log on locally

  1. Change this setting from “Not defined” to your local admin group, Domain Admins, BUILTIN\Administrators… whatever, as long as you don’t allow regular users to log on locally on a DC.
    In most cases, BUILTIN\Administrators will do just fine. If you’re not an admin, there’s nothing you should do on a DC.

  2. Backup files & directories, Restore files & directories: by default, these settings are “not defined”. I would suggest changing them to your admin groups, BUILTIN\Administrators and BUILTIN\Backup Operators.

  3. Change the system time: set this to your admin group, BUILTIN\Administrators and LOCAL SERVICE.

  4. Security Options – DCOM: Machine Launch Restrictions in Security: set to “configured”, add your IT admins group and grant it “Remote Activation”. This setting is required to allow IT admins to perform Group Policy Modelling on Windows Server 2012 R2 or higher.
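As an added audit for the “Access this computer from the network”, “Add workstations to the domain” and “Log on locally” sections (example code, not part of the original guide), this script exports the effective user rights assignments on a DC with secedit and flags the broad principals those sections say to remove. It assumes an elevated PowerShell prompt on the DC being audited.

```powershell
# Added example, not part of the original guide: export the local user rights assignments with
# secedit and flag the broad principals the sections above say should not hold them on a DC.
# Run from an elevated prompt on the DC being audited.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes SIDs with a leading '*'; translate them to names for the report.
function Resolve-Principal([string]$entry) {
    if ($entry -notlike '*S-1-*') { return $entry }                 # already a name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }
}

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() })
    }
}
Remove-Item $cfg

# Principals that are far too broad for these rights on a domain controller.
$broad  = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'BUILTIN\Users')
$checks = [ordered]@{
    SeNetworkLogonRight       = 'Access this computer from the network'
    SeMachineAccountPrivilege = 'Add workstations to domain'
    SeInteractiveLogonRight   = 'Allow log on locally'
    SeBackupPrivilege         = 'Back up files and directories'
    SeRestorePrivilege        = 'Restore files and directories'
    SeSystemtimePrivilege     = 'Change the system time'
}
foreach ($right in $checks.Keys) {
    $holders = $rights[$right]
    $flag = if ($holders | Where-Object { $_ -in $broad }) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-38} {2}' -f $flag, $checks[$right], ($holders -join '; ')
}
```

A right that is absent from the export is “Not defined” on this machine and shows up with an empty holder list, which is exactly the state the section above says to replace with an explicit admin group.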

Interactive Logon

  1. Display user information when the session is locked: set to “Do not display user information”.

  2. Message text for users attempting to log on: enable and enter a security banner. Do NOT include wording such as “Welcome to the server”, “Welcome to the domain” or anything similar. Be very specific in your statement. Example text:
    This system is restricted to authorized users. Individuals attempting to gain unauthorized access to this system will be prosecuted.
    If you are unauthorized, terminate access right now. Clicking on OK indicates your acceptance of the information in the message above.

  3. Message title for users attempting to log on: enable and enter a message title. Example: “It is a criminal offense to continue without proper authorization”

  4. Network Security – Force logoff when logon hours expire: set to Enabled.

  5. Shutdown – Clear virtual memory page file: set to Enabled.

General settings

  1. Custom – TCP/IP Settings

  2. Disable IP Source Routing: this feature is now turned off by default for IPv4 connections, but it is still active for IPv6 connections. Even if you are not planning to use IPv6 right now, it is still a good idea to disable it, in case you decide to start using it later. You can disable IP Source Routing for IPv6 by changing the following registry value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    DisableIPSourceRouting (Value Type: REG_DWORD) – set to 1 or 2
    Possible values: 0 = forward all packets, 1 = don’t forward source-routed packets, 2 = drop all incoming source-routed packets
    Default values: 1 for IPv4, 0 for IPv6

  3. If you want to verify the setting for IPv4, check the value of DisableIPSourceRouting under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

  4. Note: this setting can also be set using an SCE Extended GPO (look for one of the MSS-specific settings under “Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – Security Options”)

  5. Disable IP Routing: make sure IP routing is disabled, unless you want your server to act as a router. This setting is disabled by default under Windows Server 2012 R2 or higher.
    Make sure IPEnableRouter is set to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    (Default value is 0. Possible values: 0 = disable IP routing, 1 = enable IP routing)

  6. Disable ICMP Redirects: unless you have a very good reason to leave this functionality turned on, you should consider disabling it by changing the value of
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) to 0

Per interface settings

  1. Assuming that you know how to match a network interface with a GUID, you should consider setting the following options for each of the interfaces

  2. Disable Perform Router Discovery : Set PerformRouterDiscovery (REG_DWORD) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interfaceGUID} to 0 (disabled)

  3. Possible values are 0 = disabled, 1 = enabled, 2 = enabled only when DHCP “Perform Router Discovery” option is set. Default value is 2

  4. Disable APIPA: for each adapter under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{xxxxxxxxx} (replace this with the GUID of the adapter), create a REG_DWORD called “IPAutoconfigurationEnabled” and set it to 0x0

  5. Custom – Other settings

  6. Restrict access to null sessions: set HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1 on DCs, and to 2 on other servers.

  7. Disable Dial-Up Networking: set (or create) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoDialin (REG_DWORD) to 1

  8. Disable File & Print sharing and close the associated open ports.

  9. You can use firewall rules to do this, but in general the following may help as well.

Don’t do this on DC’s or on File & Print Servers.

  1. Disable file & print sharing

  2. Disable NetBIOS TCP/IP Helper Service

  3. Disable NetBIOS over TCP/IP

  4. Disable LMHOSTS Lookup

  5. Disable the Computer Browser Service

  6. Disable the Server service

  7. Set SMBDeviceEnabled under HKLM\System\ControlSet001\Services\NetBT\Parameters (REG_DWORD) to 0 to close SMB port 445
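As an added example for the registry values in “General settings” and “Per interface settings” above (not part of the original guide; the SMB and NetBIOS items of the last list are deliberately left out since they do not apply to DCs), this script reports each value against its recommended setting and, with -Fix, writes it. It assumes an elevated prompt and uses Get-NetAdapter to match interface GUIDs to adapter names.

```powershell
# Added example, not part of the original guide: report (and with -Fix enforce) the registry
# values from "General settings" and "Per interface settings". Run elevated; adapter GUIDs
# are matched to names via Get-NetAdapter. RestrictAnonymous is set to 1 as for a DC.
param([switch]$Fix)

$tcp  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$wanted = @(
    @{ Path = $tcp;  Name = 'DisableIPSourceRouting'; Expect = 2; Where = 'Tcpip' }   # 2 = drop source-routed packets
    @{ Path = $tcp6; Name = 'DisableIPSourceRouting'; Expect = 2; Where = 'Tcpip6' }
    @{ Path = $tcp;  Name = 'IPEnableRouter';         Expect = 0; Where = 'Tcpip' }
    @{ Path = $tcp;  Name = 'EnableICMPRedirect';     Expect = 0; Where = 'Tcpip' }
    @{ Path = $lsa;  Name = 'RestrictAnonymous';      Expect = 1; Where = 'Lsa' }
)
# Per-interface values live under Interfaces\{GUID}; one row per adapter.
foreach ($nic in Get-NetAdapter) {
    $ifPath = Join-Path $tcp "Interfaces\$($nic.InterfaceGuid)"
    $wanted += @{ Path = $ifPath; Name = 'PerformRouterDiscovery';     Expect = 0; Where = $nic.Name }
    $wanted += @{ Path = $ifPath; Name = 'IPAutoconfigurationEnabled'; Expect = 0; Where = $nic.Name }
}

foreach ($w in $wanted) {
    $current = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    $shown   = if ($null -eq $current) { '<missing>' } else { "$current" }
    $ok      = ($current -eq $w.Expect)
    if (-not $ok -and $Fix) {
        if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
        Set-ItemProperty -Path $w.Path -Name $w.Name -Value $w.Expect -Type DWord
        $shown = "$shown -> $($w.Expect)"
    }
    $flag = if ($ok) { 'ok' } else { 'FIX' }
    '{0,-4} {1,-28} {2,-16} {3}' -f $flag, $w.Name, $shown, $w.Where
}
```

Run it without -Fix first to see the current state; the MSS settings mentioned above write the same values through Group Policy, so a GPO will overwrite anything set locally at the next refresh.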

DHCP Delegation

  1. By default, only Enterprise admins have the ability to authorize DHCP servers.

  2. You can change who can authorize a DHCP server by editing the ACL on the following service

  3. Add the group of admins you want to allow to authorize DHCP servers

  4. Give the group full control

  5. Wait until replication has completed to all DC’s, and you should be fine.





