Here is a list of best practices for AD to consider that can help you get ready for a smooth integration between your Active Directory and IdentityIQ.
Consistent naming conventions for all account types and groups (naming pertains primarily to samaccountname). Account names apply to:
primary accounts
secondary accounts (i.e. server or workstation admin linked to a human)
service / shared / test accounts (not linked to a human)
mailboxes
distribution groups
security groups
contacts
CN values utilize samaccountname so that they do not need to be updated as the result of name changes.
employeeType attribute is populated to identify all potential account types: contractor, employee, service, admin, etc.
Primary accounts contain sufficient data to be easily correlated to the correct human identity
Secondary accounts (admin/privileged) store account ownership (who does this account belong to?) in an attribute so that they can be correlated to the correct human identity
Service accounts (non-human accounts) indicate ownership (if this ownership is not already stored elsewhere like a PAM system) so that the owner can be set in the service cube owner attribute
OUs are defined and organized to make finding accounts and groups easier
Separate OU is defined for secondary accounts
Separate OU is defined for service/shared accounts
Separate OU is defined for disabled accounts
Separate OU for accounts on Legal Hold w/restricted access
Group attributes are populated to facilitate various identity management use cases
Groups have owners, descriptions and are stored in an appropriate OU
Group names are consistent between business applications
Birthright groups are easily distinguishable via naming convention or extended attribute
Privileged groups are easily distinguishable via naming convention or extended attribute
Dynamically assigned groups (groups that are auto-assigned based on identity data) are easily distinguishable via naming convention or extended attribute
If possible, remove nested groups in favor of a flattened structure (makes certifications easier) – This might be difficult to enforce due to a Microsoft recommendation to use Nested Groups to address a token bloat issue
Set expiration date (accountExpires) for non-Employee accounts (Contingent Worker, Vendor, etc…)
Consistent password policy for all primary accounts
Strong password policy for secondary and service accounts (minimum 12 characters)
Multi-Factor Authentication for secondary and service accounts
sAMAccountName, mail, and userPrincipalName attributes should be unique throughout the entire forest
This is great and thanks. What about adding best practices for AD schema items and best practices for Attribute Examples Names, Type, Properties for 'Account' and 'Group' objects?
I would be interested in best practices with respect to using multiple AD App definitions to align with a tiered AD delegation model where you would not want to use the same service account for all actions (i.e. end-user accounts provisioning/update using one service account and privileged accounts provisioning/update via a separate service account). This is necessary to limit exposure should an individual service account be compromised.
