Best practices for Active Directory Schema

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

  • Do not casually modify the schema.

    Modifying the schema is an advanced and complex operation best handled by experienced programmers and administrators. Developers may decide to modify the schema as part of the process of developing an application that will itself modify the schema. Advanced administrators may decide to modify the schema while troubleshooting an application that they suspect has itself incorrectly modified the schema. For information about modifying or extending the schema, see the Active Directory Programmer's Guide at the Microsoft Web Site.

  • Develop and test your schema modifications on an isolated test forest.

    You should develop and test your schema updates on an isolated forest before moving them to your production forest.

  • Refer to the Active Directory Programmer's Guide.

    The Active Directory Programmer's Guide at the Microsoft Web Site is the best source of information about modifying the schema. Do not modify the schema without first consulting this document.

  • As a security best practice, it is recommended that you do not log on to your computer with administrative credentials.

    When you are logged on to your computer without administrative credentials, you can use Run as to accomplish administrative tasks.

    For more information, see Why you should not run your computer as an administrator and Using Run as.

  • To further secure Active Directory, it is recommended that you implement the following security guidelines:

    • Rename or disable the Administrator account (and guest account) in each domain to prevent attacks on your domains. For more information, see User and computer accounts.

    • Physically secure all domain controllers in a locked room. For more information, see Domain controllers and Securing Active Directory.

    • Manage the security relationship between two forests and simplify security administration and authentication across forests. For more information, see Forest trusts.

    • To provide additional protection for the Active Directory schema, remove all users from the Schema Admins group, and add a user to the group only when schema changes need to be made. Once the change has been made, remove the user from the group.

    • Use groups to restrict user, group, and computer access to shared resources and to filter Group Policy settings. For more information, see Group types.

    • Avoid disabling the use of signed or encrypted LDAP traffic for Active Directory administrative tools. For more information, see Connecting to domain controllers running Windows 2000.

    • Some default user rights assigned to specific default groups may allow members of those groups to gain additional rights in the domain, including administrative rights. Therefore, your organization must equally trust all personnel that are members of the Enterprise Admins, Domain Admins, Account Operators, Server Operators, Print Operators, and Backup Operators groups. For more information about these groups, see Default groups.

      For general security information about Active Directory, see Security information for Active Directory and Securing Active Directory.
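
The following PowerShell script is an added example and is not part of the original documentation. It performs a read-only audit of three of the guidelines above: that the Schema Admins group is empty outside a change window, that LDAP signing has not been disabled for clients and is required on the domain controller, and who currently holds membership in the default groups whose members must be equally trusted. It assumes the ActiveDirectory module from RSAT is installed and that it runs on, or with rights against, a domain controller. The registry value names (LDAPClientIntegrity, LDAPServerIntegrity) are the ones backing the LDAP signing security policies and are not taken from this page.

```powershell
# Added example, not Microsoft's own code. Read-only: it queries group membership
# and registry values and changes nothing.
Import-Module ActiveDirectory

function Test-SchemaAdminsEmpty {
    # Guidance: Schema Admins should hold no members except during a planned change.
    # @() guarantees an array even when the group is empty or has one member.
    $members = @(Get-ADGroupMember -Identity 'Schema Admins' -Recursive |
                 Select-Object -ExpandProperty SamAccountName)
    $details = if ($members.Count) { $members -join ', ' } else { '(no members)' }
    [pscustomobject]@{
        Check   = 'Schema Admins is empty'
        Pass    = ($members.Count -eq 0)
        Details = $details
    }
}

function Get-RegistryDwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # Returns the DWORD stored at $Path\$Name, or $Default when it has never been set
    # (an unset value means the policy default applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-LdapSigning {
    # Client side (used by the administrative tools): 0 = none, 1 = negotiate (default), 2 = require.
    $client = Get-RegistryDwordOrDefault -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
                                         -Name 'LDAPClientIntegrity' -Default 1
    # Server side (domain controller): 1 = none (default), 2 = require signing.
    $server = Get-RegistryDwordOrDefault -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                                         -Name 'LDAPServerIntegrity' -Default 1
    [pscustomobject]@{
        Check   = 'LDAP client signing not disabled'
        Pass    = ($client -ge 1)
        Details = "LDAPClientIntegrity=$client"
    }
    [pscustomobject]@{
        Check   = 'LDAP server signing required'
        Pass    = ($server -eq 2)
        Details = "LDAPServerIntegrity=$server"
    }
}

function Get-PrivilegedGroupMembers {
    # Members of these default groups can obtain further rights in the domain, so list them
    # for review. Enterprise Admins exists only in the forest root domain; a failed lookup
    # elsewhere is reported rather than thrown.
    $groups = 'Enterprise Admins', 'Domain Admins', 'Account Operators',
              'Server Operators', 'Print Operators', 'Backup Operators'
    foreach ($group in $groups) {
        try {
            $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                         Select-Object -ExpandProperty SamAccountName)
            [pscustomobject]@{ Group = $group; Members = ($members -join ', ') }
        } catch {
            [pscustomobject]@{ Group = $group; Members = "(lookup failed: $($_.Exception.Message))" }
        }
    }
}

# Run the checks and print the results.
$results = @(Test-SchemaAdminsEmpty) + @(Test-LdapSigning)
$results | Format-Table -AutoSize
Get-PrivilegedGroupMembers | Format-Table -AutoSize
```

A false Pass on the Schema Admins check during a scheduled schema change is expected; the point of running it regularly is to catch membership that was never removed afterwards. The server-side signing check is stricter than the guideline, which only asks that signing not be disabled; lower the condition to `-ge 1` if your environment still has clients that cannot sign.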