Improving Security and Compliance: 10 Common Active Directory Mistakes

Kanika Agarwal by   12.15.2017   Data Security

It’s true to say that the majority of organizations understand that Active Directory is essentially the backbone of the IT infrastructure. Despite this, we see multiple instances every day of Active Directory being misused, abused or generally neglected when it comes to best practices. In this article, we’re going to go through a few of the most common mistakes organizations make that could lead to compromised Active Directory security.

Mistake 1. Using Administrator accounts on a routine basis

If you are using administrator accounts for everything and anything, you’re putting your organization’s security at risk. Your IT infrastructure must be planned in such a way that privileges given to user accounts are monitored continuously and excessive privileges should be removed proactively. LepideAuditor monitors all permission changes in your IT environment and lets you reverse them to a previous ideal state. The solution also identifies who is logging into your computers, when, where from and shows what data they are accessing.

Mistake 2. Adding a large number of users to Domain Admin groups

Quite often, the policy of least privilege may not be adequately exercised, and the Domain Administrator ends up adding non-administrative users to a Domain Admin group. This means that users end up having access to computers and data that they shouldn’t have; increasing the likiness of an insider attack. To prevent this, LepideAuditor audits every change in group memberships and tracks administrative groups. You can get real-time notifications when these changes occur and rollback unwanted group memberships in Active Directory.

Mistake 3. Having insufficient backup and recovery plans

Occasionally, changes may be made to Active Directory that are unauthorized or unwanted. Such changes could lead to data breaches, computer downtime or worse. Restoring modifications made to Active Directory Objects and Group Policy Objects is easy with LepideAuditor. The rollback feature enables you to reverse changes to their original state – including changes made to group memberships, attributes, permissions and more.

Mistake 4. Managing Active Directory from domain controllers

If malicious individuals obtain administrative access to Active Directory domain controllers, they have everything they need to breach the security of your network. To mitigate the risk of this happening, LepideAuditor identifies unauthorized users who have obtained administrative passwords. The solution also addresses security through constant change auditing and monitoring of your Active Directory environment; ensuring you always know what’s happening to your computers, data and permissions.

Mistake 5. Not de-provisioning inactive accounts

If you have large pools of inactive user and computer accounts sitting dormant in your system, it can clutter your Active Directory infrastructure. In many organizations, inactive user and computer accounts accumulate when employees leave the business and the IT team is not informed. Such accounts retain their privileges and can be used to gain illegitimate access to sensitive data. Lepide Active Directory Cleaner helps you keep track of inactive user and computer accounts easily from an automated and centralized console.

Mistake 6. Having a long list of Privileged Users

Privileged users are users with administrative rights provided through membership of a group or an organizational unit. Having too many privileged users increases the chances that your sensitive data will be compromised. Do you really need that many users accessing that sensitive piece of information? LepideAuditor can be used to list the members of Administrative groups. You can keep track of permission changes using predefined audit reports, compare the permissions and view historical permissions.

Mistake 7. Having a lax Password Policy

One of the most common reasons for data breaches is an employee not adhering to a password policy, or an IT team not enforcing a stringent enough policy in the first place. Using short passwords, sharing passwords and not regularly updating passwords all increases the chances of data leakage. Using Lepide User Password Expiration Reminders, you can send regular reminders to users to change their passwords in order to keep your Active Directory more secure.

Mistake 8. Inadequate Auditing of Active Directory

If you are the IT administrator in charge of auditing Active Directory, you know how difficult it is to log, filter and recover event details from a mountain of raw data. LepideAuditor for Active Direcotry logs every configuration change and user activity in a way that makes it easy to track down each event, ensure a secure IT environment, maintain operations and meet compliance.

Mistake 9. Inconsistent Permission Analysis

Even the smallest change in permissions could result in unwanted modifications made to Active Directory objects. LepideAuditor, on the other hand, keeps track of every permission change, records it in granular reports and send real-time or threshold based alerts for such critical changes. You can regularly assess the current state of Active Directory user privileges and mitigate the risks of privilege abuse. Our solution also equips you with the power to restore user privileges to a previous ideal state.

Mistake 10. Relying on native auditing alone

Due to the sheer size and complexity of Active Directory, it is often plagued with security attacks. Relying on native auditing alone to meet compliance and ensure Active Directory security, simply isn’t good enough in today’s world of increasing security threats. Automated solutions, like LepideAuditor, give you complete visibility into changes taking place in Active Directory through change configuration auditing, Active Directory clean-up, password expiration reminders, health check, account lockout management and object state restoration.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.