Microsoft® Windows® Security Resource Kit, Second Edition

Always apply the theory of least privilege. Whenever you are configuring security on an Active Directory object, assign only the least permissions needed by the users to complete their job functions and always test the changes in a test environment before making changes on your production Active Directory to prevent disrupting service by changes that overly restrict access.
Use a consistent model for assigning permissions. Do not assign permissions to individual users; rather, use a well-defined model for assigning permissions to security groups and placing user accounts into the security groups.
Avoid assigning permissions to domain local groups. Domain local security groups are valid only in the domain; thus, permissions replication ...

Get Microsoft® Windows® Security Resource Kit, Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Microsoft® Windows® Security Resource Kit, Second Edition by Ben Smith, Brian Komar, The Microsoft Security Team