Recommended Active Directory Guidelines for SOX audit Part 1

Posted on August 20th, 2008 in Active Directory, Microsoft, Sox by Gil Kreslavsky

Part 1

Administrative Accounts
Administrative accounts are the members of the Domain Admins, Enterprise Admins and Administrators groups.
Each must have a recognizable, personal username so that its actions can be attributed to a person during an audit.
The built-in Active Directory Administrator account must be renamed, and its password should be known only to the company IT director or other executive personnel.
Administrative accounts should be reviewed by the IT director on an annual basis.

Generic Accounts
Generic accounts are the ordinary user accounts in Active Directory.
They are governed by the Default Domain Policy GPO (see Password Policy below).

Service Accounts
Service accounts are accounts used to run application services that need domain credentials in order to function, for example backup applications.
It is recommended that service accounts are named after the service they run and that their passwords are set to "Never Expire".
Those service account passwords should be changed by the IT team on an annual basis. Because a never-expiring password is exempt from the domain maximum password age, the annual rotation is enforced by procedure only and must be verified at review time.
It happens that service accounts are members of the Domain Admins group; every such membership should be approved by the IT director.
Every service account should have a detailed description of its purpose.

Contractors
It is recommended to put contractor user and computer accounts in a dedicated OU and to apply more restrictive security policies to that OU.
Every contractor account should have a detailed description of its purpose (department and project).
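The following PowerShell is an added example, not code from the original post: it creates the dedicated Contractors OU, links a stricter GPO to it, and onboards a contractor with a department/project description and an account expiry date that matches the contract end. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the OU names, the GPO name "Contractors - Restricted" and the user in the example call are this example's own placeholders.

```powershell
# Added example (not from the original post): dedicated Contractors OU with
# expiring accounts and a department/project description.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules; OU and GPO names
# are this example's own choices.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn     = (Get-ADDomain).DistinguishedName
$contractorOu = "OU=Contractors,$domainDn"

# Create the OU tree once. Looking an OU up by Identity throws when it does
# not exist, so the catch branch is the "create" path.
foreach ($dn in $contractorOu, "OU=Users,$contractorOu", "OU=Computers,$contractorOu") {
    try {
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
    } catch {
        $name = ($dn -split ',', 2)[0] -replace '^OU='
        $path = ($dn -split ',', 2)[1]
        New-ADOrganizationalUnit -Name $name -Path $path -ProtectedFromAccidentalDeletion $true
    }
}

# Link the stricter policy to the OU. The GPO itself is assumed to exist;
# New-GPLink errors if the link is already there, hence the check.
$gpoName = 'Contractors - Restricted'
$linked = (Get-GPInheritance -Target $contractorOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $contractorOu -LinkEnabled Yes | Out-Null
}

function Set-ContractorAccount {
    # Moves an existing user into the contractor OU, records department and
    # project in the description, and makes the account expire with the contract.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$Project,
        [Parameter(Mandatory)][datetime]$ContractEnd
    )
    $user = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $user `
        -Description "Contractor: $Department / $Project, contract ends $($ContractEnd.ToString('yyyy-MM-dd'))" `
        -AccountExpirationDate $ContractEnd
    Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Users,$contractorOu"
}

# Example call with made-up values (the account must already exist).
Set-ContractorAccount -SamAccountName 'jdoe-ext' -Department 'Finance' `
    -Project 'ERP migration' -ContractEnd '2009-03-31'

# Control check: contractor accounts without an expiry date or a description
# have slipped past the process and should be fixed before the next audit.
Get-ADUser -SearchBase $contractorOu -Filter * -Properties AccountExpirationDate, Description |
    Where-Object { -not $_.AccountExpirationDate -or -not $_.Description } |
    Select-Object SamAccountName, AccountExpirationDate, Description
```

The account expiry date is the important part: a description tells the auditor why the account exists, but only the expiry date guarantees that access ends when the project does, even if the termination procedure is missed.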

Guests
The recommendation is not to use guest accounts at all; the built-in Guest account should remain disabled.
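The script below is an added example, not part of the original post. It produces the annual review report the Administrative Accounts, Service Accounts and Guests sections above call for: it checks the built-in Administrator and Guest by their well-known RIDs (so a renamed Administrator is still found), expands the membership of Domain Admins, Enterprise Admins and Administrators, and flags never-expiring (service) accounts that lack a description or whose password is older than a year. It assumes the RSAT ActiveDirectory module, read access to the domain, and that it is run in the forest root domain, where Enterprise Admins exists.

```powershell
# Added example (not from the original post): annual review report for the
# Administrative, Service and Guest account guidelines.
# Assumes the RSAT ActiveDirectory module and that it runs in the forest root
# domain (the Enterprise Admins group only exists there).
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$staleBefore = (Get-Date).AddDays(-365)   # service account passwords are rotated yearly

# 1. Built-in accounts are located by RID, not by name, so the check works
#    whether or not the Administrator account has already been renamed.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID)-500"
$builtinGuest = Get-ADUser -Identity "$($domain.DomainSID)-501"
if ($builtinAdmin.SamAccountName -eq 'Administrator') {
    Write-Warning 'Built-in Administrator (RID 500) has not been renamed'
}
if ($builtinGuest.Enabled) {
    Write-Warning 'Built-in Guest (RID 501) is enabled; the guideline is not to use guest accounts'
}

# 2. Members of the three administrative groups, with nested groups expanded.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$report = foreach ($groupName in $privilegedGroups) {
    Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Description, PasswordNeverExpires, PasswordLastSet, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                Group                = $groupName
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                LastLogonDate        = $_.LastLogonDate
                Description          = $_.Description
            }
        }
}

# 3. Service accounts (password never expires) inside an admin group need the
#    IT director's approval; flag the hygiene failures so the sign-off is concrete.
foreach ($entry in ($report | Where-Object { $_.PasswordNeverExpires })) {
    if (-not $entry.Description) {
        Write-Warning "$($entry.SamAccountName) ($($entry.Group)): password never expires but no description of its purpose"
    }
    if ($entry.PasswordLastSet -lt $staleBefore) {
        Write-Warning "$($entry.SamAccountName) ($($entry.Group)): password last set $($entry.PasswordLastSet), older than one year"
    }
}

# 4. Service accounts outside the admin groups get the same two checks.
Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties Description, PasswordLastSet |
    Where-Object { -not $_.Description -or $_.PasswordLastSet -lt $staleBefore } |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName): service account with missing description or password older than one year"
    }

# 5. The membership list itself is the evidence the IT director reviews and signs.
$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path ".\PrivilegedAccounts-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
```

Keep the dated CSV with the director's sign-off; an auditor will ask for last year's list as well as this year's, and the difference between the two is exactly the set of changes that should have gone through the approval procedure.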

Active Directory Password Policy (example)
The "password policy" is the set of password protection rules that applies to all company users.

  • Password must be at least 8 characters long.
  • Password must contain:
      • at least 1 upper-case letter;
      • at least 1 special character or digit, for example *&^%$#@?.|\~`,+-/ or 0-9.
  • The password cannot contain any part of the username.
  • Maximum password age is 90 days (or less): the password expires automatically 90 days after the last change.
  • A reminder is emailed to the user 15, 7 and 1 days before the password expires.
  • Minimum password age is 7 days: the user cannot change the password again less than 7 days after the previous change.
  • The system remembers the 24 previous passwords; the user may not reuse any of them.
  • The user account is locked for 30 minutes after 5 consecutive bad logon attempts.
  • Service account passwords are changed on a yearly basis; each 15 January a notification is sent to the IT group.
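As an added example (not from the original post), the PowerShell below applies the policy above to the Default Domain Policy and produces the 15/7/1-day reminder emails. One caveat is worth knowing before an auditor asks: the domain policy cannot express "one upper-case letter plus one digit or special character" literally. Its complexity setting enforces Windows' built-in rule (three of four character classes, and no piece of the account or full name longer than two characters), which is at least as strict and also covers the "no part of the username" requirement. The script assumes the RSAT ActiveDirectory module and Domain Admin rights; the SMTP server and sender address are placeholders.

```powershell
# Added example (not from the original post): apply the password policy to
# the Default Domain Policy and send the expiry reminders.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights; the SMTP
# host and sender address are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Domain-wide settings. ComplexityEnabled is Windows' built-in rule (three of
# four character classes, no part of the user name longer than two characters);
# it is the closest the domain policy gets to the "upper case + digit/special" rule.
Set-ADDefaultDomainPasswordPolicy -Identity $domainDn `
    -ComplexityEnabled $true `
    -MinPasswordLength 8 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 7) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false

# Read the effective policy back; this output is what the auditor gets.
Get-ADDefaultDomainPasswordPolicy -Identity $domainDn

# Reminders at 15, 7 and 1 days. msDS-UserPasswordExpiryTimeComputed is
# calculated by the DC and already accounts for fine-grained password
# policies, so it beats PasswordLastSet + MaxPasswordAge arithmetic.
# Never-expiring passwords come back as Int64.MaxValue and are filtered out.
$reminderDays = 15, 7, 1
$today = (Get-Date).Date
$expiring = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', EmailAddress |
    Where-Object { $_.'msDS-UserPasswordExpiryTimeComputed' -gt 0 -and
                   $_.'msDS-UserPasswordExpiryTimeComputed' -lt [long]::MaxValue } |
    ForEach-Object {
        $expires = [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            EmailAddress   = $_.EmailAddress
            Expires        = $expires
            DaysLeft       = ($expires.Date - $today).Days
        }
    } |
    Where-Object { $_.DaysLeft -in $reminderDays -and $_.EmailAddress }

foreach ($u in $expiring) {
    Send-MailMessage -To $u.EmailAddress -From 'it-helpdesk@corp.example' `
        -SmtpServer 'smtp.corp.example' `
        -Subject "Your password expires in $($u.DaysLeft) day(s)" `
        -Body "Your domain password expires on $($u.Expires.ToString('yyyy-MM-dd')). Please change it before then."
}
```

Run the reminder part once a day from a scheduled task under a low-privilege account; it only needs to read user attributes and send mail.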

Delegation of Control
User management tasks are delegated to designated users who are granted a specific, limited set of permissions rather than full administrative rights.
This responsibility should be assigned to a small number of administration staff.
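The PowerShell below is an added example, not from the original post. It delegates exactly two things to a help-desk group on one OU, the "Reset Password" extended right and write access to lockoutTime (which is what unlocking an account is), and then reads the OU's ACL back to prove what was granted. The GUIDs are looked up from the schema and the Extended-Rights container rather than hard-coded. It assumes the RSAT ActiveDirectory module; the OU and group names are placeholders.

```powershell
# Added example (not from the original post): delegate password reset and
# account unlock on one OU to a help-desk group, then verify the ACL.
# Assumes the RSAT ActiveDirectory module; OU and group names are placeholders.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$targetOu  = "OU=Generic Users,$((Get-ADDomain).DistinguishedName)"
$delegate  = Get-ADGroup -Identity 'HelpDesk-PasswordReset'
$delegateSid = [System.Security.Principal.SecurityIdentifier]$delegate.SID

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID of a class or attribute, looked up instead of hard-coded.
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter { lDAPDisplayName -eq $LdapDisplayName } -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # rightsGuid of a control-access right from the Extended-Rights container.
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter { displayName -eq $DisplayName } -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass          = Get-SchemaGuid 'user'
$lockoutTimeAttr    = Get-SchemaGuid 'lockoutTime'
$resetPasswordRight = Get-ExtendedRightGuid 'Reset Password'

# Apply to user objects below the OU only, never to the OU itself.
$inheritOnUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow          = [System.Security.AccessControl.AccessControlType]::Allow

$rules = @(
    # "Reset Password" control-access right on user objects.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $delegateSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, $resetPasswordRight, $inheritOnUsers, $userClass)
    # Write lockoutTime on user objects: this is what "unlock account" is.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $delegateSid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        $allow, $lockoutTimeAttr, $inheritOnUsers, $userClass)
)

$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# Verify: list exactly what the group can now do on the OU. The same query,
# without the identity filter, finds delegations nobody remembers granting.
(Get-Acl -Path "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$($delegate.SamAccountName)" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, InheritanceType
```

The two ACEs are scoped to user objects under one OU, so the help-desk group cannot reset passwords of accounts in other OUs. Keep administrative accounts and service accounts out of any OU that carries this delegation, otherwise a help-desk member can take over a Domain Admin by resetting its password.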

User Opening Policy
You should have a policy that documents the creation of each new user account (who requested it, who approved it, and which access was granted).

User Maintenance Policy
You should have a policy that documents each change to a user account's security settings or group memberships.

User Termination Policy
You should have a policy that documents the disabling and removal of each retired user account.

Backup
You must have an Active Directory backup policy.
