5 Active Directory Security Best Practices

The following Active Directory security tips and best practices help keep your domain's Active Directory secure.

Always Clean Up the Domain Admins Group

One of the most important Active Directory security best practices, and one that should become a habit, is cleaning up the Domain Admins group. Day-to-day user accounts must not be members of the Domain Admins group; the only exception is the default domain Administrator account.

You can grant Domain Admin access through temporary Domain Access groups and, when the work is completed, simply remove the account from the DA group. The same practice is recommended for your Backup Admins and Enterprise Admins.
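An added example, not from the original article, that audits the Domain Admins group the way this tip describes: it lists every member except the default domain Administrator (RID 500) and flags accounts with a recent logon as likely day-to-day accounts. It assumes the RSAT ActiveDirectory module and a domain-joined session; the 30-day threshold is an assumed value.

```powershell
# Added example (not from the original article): report standing Domain Admins
# membership other than the built-in domain Administrator (RID 500).
# Assumes the RSAT ActiveDirectory module is installed and the session is domain-joined.
#Requires -Modules ActiveDirectory

function Get-DomainAdminsAudit {
    param(
        # Members who logged on more recently than this are flagged as likely
        # day-to-day accounts (assumed threshold, tune for your environment).
        [int]$RecentLogonDays = 30
    )

    $domainSid       = (Get-ADDomain).DomainSID.Value
    $builtinAdminSid = "$domainSid-500"        # RID 500 = default domain Administrator
    $cutoff          = (Get-Date).AddDays(-$RecentLogonDays)

    # -Recursive expands nested groups, so indirect members are reported too.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties LastLogonDate, PasswordLastSet, Enabled

            # The built-in Administrator is the one permitted permanent member.
            if ($u.SID.Value -eq $builtinAdminSid) { return }

            # LastLogonDate comes from the replicated lastLogonTimestamp attribute,
            # which is only accurate to roughly 9-14 days; good enough for triage.
            if ($u.LastLogonDate -and $u.LastLogonDate -gt $cutoff) {
                $finding = 'Recently used: likely day-to-day account, move to temporary access'
            } else {
                $finding = 'Review: standing Domain Admins membership'
            }

            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Finding         = $finding
            }
        }
}

Get-DomainAdminsAudit | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize
```

An empty result means only the default Administrator holds standing membership, which is the end state the tip describes.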

Disable Local Administrator Account on all Computers

The local Administrator account is very common in domain environments, and you don't need it. Attackers know about your local Administrator account, and it is often configured with the same password on every computer in the domain. Once attackers compromise one computer, they gain access to your local Administrator account on all of them. If you can't disable the account, you should consider using the Microsoft LAPS tool, denying the account all logon services, and denying the compromised computer access to the rest of the network.

Make Use of At Least Two Accounts

Avoid logging in every day with the same admin account. Create two accounts instead: a regular account with no admin rights, and a privileged account used only for administrative tasks. Do not make the mistake of putting your privileged account in the Domain Admins group; if you have to, put it there only temporarily.

Make Sure You Secure the Domain Admin Account

One Active Directory security tip you must strictly adhere to is to always secure your domain Administrator account. Every domain includes this built-in account, and by default it is a member of the Domain Admins group. Anyone who requires administrative access must use their own account, and no one should know the domain Administrator account password.

Make Use of Local Admin Password Solution (LAPS)

LAPS has become a very useful tool for managing the local admin password on every computer. It relies on a Group Policy client-side extension to carry out the management tasks on all workstations, which means you retrieve the current password from Active Directory whenever you need to use a local admin account. With LAPS in place, every single computer has its own unique password rather than one password shared by all computers.


There are several other active directory security tips and ideas you can implement for added security on all your computers. For instance, you should consider using a secured admin Workstation which is only used to perform a specific administrative task with your privilege account. You should not consider using this secured admin workstation for browsing the internet, rather it should be for admin tasks such as Active Directory administration and Managing the DNS&DHCP servers.

  Modified On Sep-07-2019 12:26:01 AM