- Who has 1,450 login scripts (For 3,500 users at that)?
- Who puts account passwords in the account’s description field? (for anyone who doesn’t know why this is appallingly bad, try this PowerShell as a regular domain user from a box with the Win7/2008R2 RSAT tools installed:
ipmo activedirectory;get-aduser -filter * -Properties description, other scripting languages are available)
- Who doesn’t use Domain Admins for their domain administrators and instead uses Account Operators, Administrators, Network Configuration Operators, Remote Desktop Users & Server Operators? (Not for granular permissions, all of them as a replacement for Domain Admins membership)
- Who leaves 5,500 computer accounts, including servers, in the Computers container in AD? (ProTip: You can’t link GPOs to the “Computers” container in AD)
- Who doesn’t have any actual DHCP servers in their Authorised DHCP Servers list? (Not even sure how you manage this one)
This isn’t just bad practice, this is years of dedicated training and substantial investment in bad practice…
I’m going to go curl up in a corner and cry for a while now.