Active Directory

Microsoft strongly recommends that you register a public domain and use subdomains for the internal DNS Technet Article. So, register a public DNS name, so you own it. Then create subdomains for internal use (like ad.example.org, corp.example.org, dmz.example.org, extranet.example.org) and make sure you've got your DNS configuration setup correctly.

Always assign permissions to a group rather than to individual users, even if it means creating a group for one user. This greatly streamlines administration during employee turnover and re-assignments.

Use a name that describes the purpose and permissions of the group. For example Access to Scans Folder (M) would be providing access/modify permissions on the scans folder.

For security purposes create dedicated users with only required permissions for things like running scheduled tasks, services and devices like copiers.

When a user account is no longer needed, don't delete the user, just disable it and if desired put it in a "Disabled" folder. If after a period of time the account hasn't been needed you can then delete the account.

When cleaning up AD you can use these PowerShell commands to find any scheduled tasks that may be running as users you're removing/changing passwords for:

ViewScheduledTasksRunningAsAUser.ps1

$schtask = schtasks.exe /Query /S localhost /V /FO CSV | ConvertFrom-CSV | Where { $_.TaskName -ne "TaskName" }
$schtask | where { $_."Run As User" -notin "SYSTEM","LOCAL SERVICE","NETWORK SERVICE","INTERACTIVE","Administrators","Authenticated Users","Everyone","Users" } | Select TaskName,"Task To Run","Run As User" | Out-Gridview

Prevent non-admins from joining computers to your domain:

1. Right click your domain name and select Properties
2. Click the Attribute Editor tab
3. Find ms-DS-MachineAccountQuota and change the value to 0.

By default the Active Directory Recycle Bin is disabled, enable it:

1. Server 2008 R2
2. Server 2012 R2
3. Server 2016 (has PowerShell at the bottom)