Active Directory Security Best Practices

This article forms part 3 of our discussion on Group Policy. For articles 1 and 2 refer here:

What is Active Directory?

Active Directory is an Identity and Access Management (IAM) tool created by Microsoft. Active Directory sorts the members of your organisation into distinct groups.
The directory centralises access and keeps track of user authentication, which allows users to sign in to a managed computing environment. As a result, different people get different access to areas of the environment.

Active Directory – Categories:

Popular Active Directory groups include:
1. Universal – Universal groups define roles and manage permissions within the same forest. This can also extend to trusted forests.
2. Global – These categorise users based on organisational roles. Global groups may assign permissions for access to IT resources in all domains.
3. Domain Local – This group assigns permissions for access to resources.
4. Local – Can grant permissions on a local machine.

Because Active Directory streamlines permissions and assets, network administrators can better control resources as an organisation grows.

Active Directory Security Best Practices:

Within Active Directory, administrators can see and access everything on a standalone computer. All they need is the computer's name. This means Active Directory needs to be secure. Otherwise, malicious actors could gain access to all connected accounts. This makes Active Directory a prime target for hackers. System administrators should establish baseline security by performing the following three tasks:

1. Don’t stick to the default security settings:

Update your security configuration to ensure it fits organisational needs.


2. Use Least Privilege:

‘Least privilege’ means employees only have access to what they need. Privileged Access Management controls should be strong across the network.

3. Control Admin Privileges:

Administrative privileges are only necessary for those who need them. Review all access privileges to ensure administrative access is only provisioned to necessary users.

Active Directory has been around since 2000, although the computing environment has changed since then. Over time, IT admins have sought out alternatives to the original Windows structure. G Suite, remote AWS servers, Box and Samba have led to the world of Directory as a Service. Directory as a Service offerings are cloud-based IAM alternatives that aren’t tied to Windows.
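The review of administrative access described in step 3 can be run over an export of group memberships. The following is an added example, not code from this article or from Microsoft; it goes one step beyond the text by following nested groups, since an account can hold admin rights indirectly. Apart from the built-in "Domain Admins" and "Enterprise Admins" groups, every group name, account name and the approved list are constructed sample data.

```python
# Added example: find accounts that effectively hold admin rights but are
# not on the approved list. All data below is constructed for illustration.

# Constructed export: group -> direct members (accounts or nested groups).
MEMBERS = {
    "Enterprise Admins": ["alice"],
    "Domain Admins": ["alice", "bob", "Helpdesk-Tier2"],
    "Helpdesk-Tier2": ["carol", "Site1-Support"],
    "Site1-Support": ["dave", "Helpdesk-Tier2"],  # circular nesting
}
PRIVILEGED_GROUPS = ["Domain Admins", "Enterprise Admins"]
APPROVED_ADMINS = {"alice", "bob"}  # hypothetical sign-off list


def effective_members(group, members=MEMBERS):
    """Return {account: nesting path} for every account reachable from group."""
    found = {}
    seen = set()
    stack = [(group, [group])]
    while stack:
        current, path = stack.pop()
        if current in seen:  # guard against circular nesting
            continue
        seen.add(current)
        for member in members.get(current, []):
            if member in members:  # member is itself a group: descend
                stack.append((member, path + [member]))
            else:
                found.setdefault(member, path)
    return found


def review(privileged=PRIVILEGED_GROUPS, approved=APPROVED_ADMINS,
           members=MEMBERS):
    """Return (account, privileged group, path) for each unapproved admin."""
    findings = []
    for group in privileged:
        for account, path in sorted(effective_members(group, members).items()):
            if account not in approved:
                findings.append((account, group, " > ".join(path)))
    return findings


if __name__ == "__main__":
    for account, group, path in review():
        print(f"UNAPPROVED {account}: admin via {path}")
```

The path in each finding shows which nested group to remove the account from, or which nesting to break, to bring access back in line with the approved list.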


Cogito Group is an award-winning cybersecurity company specialising in authentication, cloud security, identity management and data protection. Cogito Group protect the authentication methods used to access information through the use of Identity and other security technologies.