Key Points
- Define an Active Directory Domain Services security baseline aligned with standards like CIS and NIST to strengthen identity and access management.
- Regularly compare Domain configurations against your baseline to identify compliance drift using PowerShell and automated reports.
- Use PowerShell and Group Policy Objects (GPOs) to enforce your settings.
- Track deviations, remediation actions, and audit trails to ensure transparency and regulatory compliance.
- Use NinjaOne’s centralized dashboard, automation policies, and reporting tools to simplify baseline management, enforce configurations, and ensure ongoing compliance.
Similar to an Azure AD security baseline, a strong Active Directory Domain Services (AD DS) baseline defines the policies and practices across on-prem environments. Establishing this bolsters your security posture, but implementing it across all on-prem domains requires a structured approach.
This article explains how to safely roll out Active Directory (AD) baselines at scale with Remote Monitoring and Management (RMM) capabilities.
Build a scalable framework for AD DS security
Your AD DS baseline defines how passwords, user logons, protocols, and elevated permissions must be configured in on-prem Active Directory. Here’s how to deploy and maintain AD DS baselines with RMM assistance:
📌 Prerequisites:
- Administrative access to domain(s) or delegated OUs
- Windows 11 Pro, Education, or Enterprise
- PowerShell (5.1+) with AD and GPO modules, RSAT tools
- A defined baseline (e.g., Microsoft recommended defaults, CIS benchmarks, or a hybrid custom baseline)
- Centralized logging/event collection (Windows Event Forwarding, SIEM, RMM)
- Automation or script deployment platform (e.g., NinjaOne or equivalent)
Step 1: Establishing a baseline framework
Start with a well-defined AD DS security baseline based on authoritative sources (e.g., Microsoft Security Compliance Toolkit, CISA AD DS benchmarks, etc.). This should outline policies around password creation, logins, GPOs, auditing, and privileged control access.
Microsoft recommends security baselines that align your criteria with internal risks and external standards, such as CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology).
Your baseline should govern:
- Password and account lockout
- Kerberos policies
- Legacy protocol restrictions
- Privileged access model
- AD DS auditing
- Domain Controller hardening
Moreover, detecting compliance drift and recording your baseline’s canonical state is also crucial for proactive management. NinjaOne RMM enables both through its centralized dashboard and secure IT documentation—all visible through a single pane of glass interface.
Step 2: Automating baseline enforcement
After outlining your security baseline, you’ll need to enforce configurations across all client domains and constantly validate them. This is typically done in two ways: modular scripts or Group Policy changes.
PowerShell enforcement modules
Here are examples of how to enforce your AD DS security baseline via PowerShell.
📌 Use Cases: Deploying your on-prem Active Directory security baseline across multiple systems.
📌 Prerequisites: Administrative privileges, Domain admin rights, PowerShell 5.1 or later, Active Directory Module.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- To set password and lockout thresholds, run the following (the -Identity parameter is mandatory and names the domain whose default policy you are changing):
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName -MinPasswordLength 14 -LockoutThreshold 5 -MaxPasswordAge (New-TimeSpan -Days 60)
- To disable the legacy SMBv1 protocol, run the following:
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
- To disable anonymous access and protect sensitive data, run the following:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RestrictAnonymous" -Value 1 -Type DWord
- To create tiered admin groups and enforce least-privilege, run the following:
New-ADGroup -Name "Tier0-Admins" -GroupScope Global -Path "OU=Privileged,DC=domain,DC=com"
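The four commands above each change state unconditionally. The script below is an added example (not NinjaOne's code and not from the article) that applies the same controls idempotently: each control is read first and only changed when it differs from the baseline, so the script can be scheduled repeatedly from an RMM agent, and -WhatIf previews changes. It assumes the RSAT ActiveDirectory module, Domain Admin rights, and the placeholder OU path from above.

```powershell
# Added example: idempotent enforcement of the AD DS baseline controls shown above.
# Assumptions: RSAT ActiveDirectory module, Domain Admin rights; $PrivilegedOu is a placeholder.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainDn     = (Get-ADDomain).DistinguishedName,
    [string]$PrivilegedOu = "OU=Privileged,$DomainDn"
)
Import-Module ActiveDirectory
$report = [System.Collections.Generic.List[object]]::new()
function Add-Report([string]$Control, [bool]$WasCompliant) {
    $report.Add([pscustomobject]@{ Control = $Control; Action = $(if ($WasCompliant) { 'Compliant' } else { 'Corrected' }) })
}

# 1. Default domain password and lockout policy: change only the keys that drifted
$want  = @{ MinPasswordLength = 14; LockoutThreshold = 5; MaxPasswordAge = (New-TimeSpan -Days 60) }
$have  = Get-ADDefaultDomainPasswordPolicy -Identity $DomainDn
$drift = @($want.Keys | Where-Object { $have.$_ -ne $want[$_] })
if ($drift.Count -gt 0 -and $PSCmdlet.ShouldProcess($DomainDn, "Set $($drift -join ', ')")) {
    Set-ADDefaultDomainPasswordPolicy -Identity $DomainDn @want
}
Add-Report 'PasswordPolicy' ($drift.Count -eq 0)

# 2. RestrictAnonymous = 1 (REG_DWORD) under LSA
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ra  = (Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue).RestrictAnonymous
if ($ra -ne 1 -and $PSCmdlet.ShouldProcess($lsa, 'Set RestrictAnonymous=1')) {
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord
}
Add-Report 'RestrictAnonymous' ($ra -eq 1)

# 3. SMBv1 optional feature (client SKUs; on Windows Server use Remove-WindowsFeature FS-SMB1)
$smb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
if ($smb1 -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable feature')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
Add-Report 'SMB1Protocol' ($smb1 -ne 'Enabled')

# 4. Tier0-Admins group must exist in the privileged OU
$tier0 = Get-ADGroup -Filter "Name -eq 'Tier0-Admins'" -SearchBase $PrivilegedOu -ErrorAction SilentlyContinue
if (-not $tier0 -and $PSCmdlet.ShouldProcess($PrivilegedOu, 'Create Tier0-Admins')) {
    New-ADGroup -Name 'Tier0-Admins' -GroupScope Global -Path $PrivilegedOu
}
Add-Report 'Tier0-Admins' ([bool]$tier0)

# One row per control; an RMM job can capture this as its output
$report | Format-Table -AutoSize
```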
🥷🏻| Use pre-built, custom scripts to streamline security policy baseline workflows. Explore NinjaOne’s script hub here.
Use Group Policy Objects for persistent controls
Group Policy Objects (GPOs) are essential tools for implementing a strict security baseline, from individual systems to client environments. Unlike PowerShell scripts, GPOs ensure that your configurations remain intact after reboots or policy refreshes.
Here’s how to centrally deploy AD DS security baselines across on-prem environments via GPOs:
- Press Win + R, type gpmc.msc, and press Ctrl + Shift + Enter.
- Create a new Group Policy Object for your AD DS security baseline.
- Link the new GPO to the Domain Controllers Organizational Unit (OU).
- Configure its account policies, disable legacy protocols, and choose audit policies that prioritize least-privilege.
- Devices under that OU inherit your baseline configurations hierarchically.
🥷🏻| Use NinjaOne’s policy-based automation workflows to improve protocols with half the risk. Explore how NinjaOne policies simplify tasks here.
Step 3: Continuous validation & drift detection
Continuously validating your settings is key to preventing any deviation in your AD DS security baseline. This “drift” can occur when patches are misapplied or when settings are manually changed, highlighting the need for around-the-clock monitoring.
Health audits via PowerShell
Here’s how to compare your AD DS security baseline with your current one to detect possible drift:
📌 Use Cases: Use this to compare your current security baseline with the expected configurations.
📌 Prerequisites: PowerShell 5.1 or later, Administrative privileges.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Note the complete file path of your canonical baseline’s text file (e.g., C:\Baseline\expected-config.txt).
- To compare baselines and detect drift, run the following:
$baseline = Get-Content "<expectedConfigFilepath>"
$liveConfig = Get-Content "<actualConfigFilepath>"
Compare-Object -ReferenceObject $baseline -DifferenceObject $liveConfig
Replace <expectedConfigFilepath> with the file path of your true baseline file.
Replace <actualConfigFilepath> with the file path of your current baseline file.
- Flag the following:
  - GPO modifications
  - Registry changes
  - Privileged group drift
  - Domain configuration changes
- Use Task Scheduler to run this script weekly or monthly at scale.
Periodic & on-demand reporting
Compliance drift findings and baseline changes need to be addressed during governance reviews. Include the following in your reports to keep an open line of communication between your team and your clients:
- Coverage ratio: How much of your current settings match the baseline.
- Developments: Tracking trends from the previous audit.
- Next steps: Remediation for non-compliant systems.
Step 4: Triggered baseline checks (event-driven)
During suspicious system events and high-risk changes, baselines need to be re-validated in real time to maintain compliance. To do this efficiently, set triggers that run an audit whenever roles are elevated unexpectedly or too many password failures are detected.
📌 Use Cases: Use this to implement event-driven checks.
📌 Prerequisites: Group Policy Management Console, Administrative privileges.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Open Task Scheduler.
- Set a PowerShell script to run when a specific Event ID is detected in the Security Log.
  - Trigger: Event ID 4625.
  - Action: Run a script that checks baseline compliance.
- Use this script to verify AD DS compliance:
$baseline = Get-Content "<expectedConfigFilepath>"
$liveConfig = Get-Content "<actualConfigFilepath>"
Compare-Object -ReferenceObject $baseline -DifferenceObject $liveConfig
Replace <expectedConfigFilepath> with the file path of your true baseline file.
Replace <actualConfigFilepath> with the file path of your current baseline file.
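Diffing two text files tells you that something changed but not which control. The script below is an added example (not from the article or NinjaOne) of the structured check that both Step 3's scheduled audit and Step 4's event-triggered audit can run: it reads the live domain state, compares it control by control against a JSON baseline, reports privileged-group members added or removed, and exits non-zero when drift exists so the RMM job shows as failed. It assumes the RSAT ActiveDirectory module, a Tier0-Admins group, and a placeholder baseline path; the sample baseline it writes on first run is constructed.

```powershell
# Added example: structured AD DS baseline drift check (Step 3 scheduled, Step 4 event-driven).
# Assumptions: RSAT ActiveDirectory module; $BaselinePath is a placeholder.
param([string]$BaselinePath = 'C:\Baseline\expected-config.json')
Import-Module ActiveDirectory

# Constructed sample baseline, written only when no baseline file exists yet
if (-not (Test-Path $BaselinePath)) {
    @{
        MinPasswordLength = 14; LockoutThreshold = 5; MaxPasswordAgeDays = 60
        RestrictAnonymous = 1
        Tier0Members      = @('CN=adm-alice,OU=Privileged,DC=domain,DC=com')   # constructed value
    } | ConvertTo-Json | Set-Content -Path $BaselinePath
}
$expected = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Collect the live state once
$policy = Get-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName
$lsa    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
$tier0  = @((Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive -ErrorAction SilentlyContinue).DistinguishedName | Where-Object { $_ })
$actual = @{
    MinPasswordLength  = $policy.MinPasswordLength
    LockoutThreshold   = $policy.LockoutThreshold
    MaxPasswordAgeDays = [int]$policy.MaxPasswordAge.TotalDays
    RestrictAnonymous  = $lsa.RestrictAnonymous
}

# Scalar controls: one finding per mismatched key (string compare handles DWORD vs. int)
$findings = [System.Collections.Generic.List[object]]::new()
foreach ($key in $actual.Keys) {
    if ("$($actual[$key])" -ne "$($expected.$key)") {
        $findings.Add([pscustomobject]@{ Control = $key; Expected = $expected.$key; Actual = $actual[$key] })
    }
}

# Privileged group drift: members present now that the baseline lacks, and vice versa
$delta = Compare-Object -ReferenceObject @($expected.Tier0Members) -DifferenceObject $tier0
foreach ($d in $delta) {
    $kind = if ($d.SideIndicator -eq '=>') { 'Unexpected member' } else { 'Missing member' }
    $findings.Add([pscustomobject]@{ Control = 'Tier0-Admins'; Expected = $kind; Actual = $d.InputObject })
}

if ($findings.Count -eq 0) { Write-Output 'Baseline compliant' } else { $findings | Format-Table -AutoSize }
# Non-zero exit code surfaces drift as a failed job in Task Scheduler or the RMM console
exit $findings.Count
```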
Automatically run checks on your AD DS security baseline during:
- Event ID 4625 – Failed Logon
- Event ID 4672 – Admin Logon
- Event ID 4728–4729 – Group Membership Change
- Event ID 1102 – Audit Log Cleared
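Task Scheduler's PowerShell module has no cmdlet for event triggers, so registering the trigger above from a script means building an MSFT_TaskEventTrigger CIM instance with an event-log XPath subscription. The block below is an added example (not from the article or NinjaOne) that registers one task on a domain controller for the four event IDs listed above and points it at the compliance script; the task name and script path are placeholders.

```powershell
# Added example: register an event-driven baseline check for the Security log on a DC.
# Assumptions: run elevated on the DC; task name and script path are placeholders.
$class   = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $class -ClientOnly
$trigger.Enabled = $true
$trigger.Delay   = 'PT1M'   # coalesce bursts (e.g. many 4625s) into one run a minute later
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4625 or EventID=4672 or EventID=1102 or (EventID&gt;=4728 and EventID&lt;=4729))]]
    </Select>
  </Query>
</QueryList>
"@

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File "C:\Baseline\Test-AddsBaseline.ps1"'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# IgnoreNew stops overlapping runs when events arrive faster than the check completes
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName 'ADDS-Baseline-EventCheck' -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force
```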
Step 5: Change control & documentation
Hardening AD DS security is an iterative process that involves constant optimization. While automation can streamline your workflow, logging drift events ensures that the same mistakes won’t be made again.
Log every baseline deviation, what changed since the last audit, who your remediation leads are, and the date and time events were resolved. Name your records consistently (e.g., ADDS-Hardening-[ClientName]-[YYYYMMDD]-v1), and keep validation reports to monitor trends over time.
Lastly, link your documentation to the relevant tickets in your RMM platform for faster resolution times; RMM platforms that integrate Professional Services Automation (PSA) services further streamline AD DS readiness.
How NinjaOne integration improves AD DS security
Besides having its own scheduling engine, NinjaOne also automates reports and graphs in its all-in-one dashboard to help fast-track important projects. Here’s how integrating NinjaOne simplifies AD DS security baseline development:
| Step | Without NinjaOne | With NinjaOne |
|---|---|---|
| Establishing a baseline framework | Manual research and baseline development for multiple client environments. | Automation policies, scheduled scripts, and customizable templates streamline baseline creation. |
| Automating baseline enforcement | Needs custom PowerShell scripts, manual GPO linking, and tests for each individual client. | Policy automation standardizes control across all client endpoints and domains. |
| Continuous validation & drift detection | Doing audits ad hoc increases the chances of oversight and delays | Scheduled compliance checks both detect drift and alert owners in real time. |
| Triggered baseline checks | Limited scalability with custom log monitoring and manual scripting. | Event-based automation triggers baseline checks after flagged event IDs are detected. |
| Change control & documentation | Spreadsheet maintenance; low-trust audit trails. | Built-in logging tracks drift and includes version control for QBR-ready compliance data. |
Elevate your AD DS baseline with RMM
Operationalized AD DS security involves hardened security criteria, automation plans, and long-term tracking. This lets you focus on sustainable client protection that ensures compliance with SLAs and instant drift remediation, especially with highly-rated endpoint managers that provide hands-free control.