EIDM Check-list For Active Directory

Active Directory #

  • What is the name of your AD Domain?
  • What is the name of your AD Forest?
  • What is the current Windows environment? (e.g.: Windows NT, Windows 2000, Windows 2003)
  • How many servers?
  • What are their specifications? (brand, RAM, disk, etc.)
  • What other services/software are linked with Active Directory (e.g.: Microsoft Exchange)?
  • Describe the current NT Domain model (e.g.: single domain, multi-domain with trusts).
    • Would you be able to expand your domain structure down to the user object level and send an electronic copy (e.g.: place screenshots in a Word document)?
  • How many users exist in this directory?
  • How many groups exist in this directory?
  • What users, other than employees, exist in the directory (e.g.: contractors, vendors, patients, students)? Is there a way to distinguish employees from non-employees? How?
  • How many domains are in the forest?
  • Can you provide the IP address and authorization to log into production to view the directory? If not for this phase, then for the Design/Development phase?
  • Do you have any plans to upgrade this directory in the near future?
  • Are there any known data cleansing issues?
  • Are user account names unique across the entire domain or just within a container? (In AD the sAMAccountName is unique per domain and the userPrincipalName across the forest, but the CN/RDN is only unique within its container, so the same display name or CN may exist in several OUs.)
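
The following PowerShell script is an added example, not part of the original checklist; it gathers the answers to the inventory questions above from a live domain. It assumes the ActiveDirectory RSAT module, a domain account with read access, that employees are identifiable by a populated employeeID and non-employees by employeeType (an assumed convention to be replaced with the customer's real one), and an output file name of ad-inventory.csv.

```powershell
# Added example (not part of the original checklist): gathers the answers to
# the Active Directory inventory questions from a live domain.
# Assumes the ActiveDirectory RSAT module and a domain account with read
# access to the directory; the output file name is an assumption too.
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = Get-ADDomainController -Filter *

# Domain, forest, functional levels, domain and DC counts
$report = [ordered]@{
    DomainDNSName      = $domain.DNSRoot
    DomainNetBIOSName  = $domain.NetBIOSName
    DomainMode         = $domain.DomainMode
    ForestRootDomain   = $forest.RootDomain
    ForestMode         = $forest.ForestMode
    DomainsInForest    = @($forest.Domains).Count
    DomainControllers  = @($dcs).Count
    # "Current Windows environment": OS versions actually running on the DCs
    DCOperatingSystems = (@($dcs.OperatingSystem) | Sort-Object -Unique) -join '; '
    # Trusts answer the "single domain vs. multi-domain with trusts" question
    Trusts             = (Get-ADTrust -Filter * | ForEach-Object { "$($_.Name) ($($_.Direction))" }) -join '; '
}

# Object counts. Get-ADUser/Get-ADGroup page through results, so these are
# complete counts, not the 1000-entry cap a raw LDAP query would hit.
$users  = @(Get-ADUser -Filter * -Properties displayName, employeeID, employeeType, mail)
$groups = @(Get-ADGroup -Filter *)
$report.UserCount  = $users.Count
$report.GroupCount = $groups.Count

# Non-employee accounts: assumed convention here is that employees carry an
# employeeID and non-employees are tagged via employeeType. Adjust to the
# customer's real convention once the questionnaire answer is known.
$report.UsersWithoutEmployeeID = @($users | Where-Object { -not $_.employeeID }).Count
$report.EmployeeTypeBreakdown  = ($users | Group-Object -Property employeeType | ForEach-Object {
    $label = if ($_.Name) { $_.Name } else { '<empty>' }
    "$label=$($_.Count)"
}) -join '; '

# Disabled accounts and the containers that hold them (answers whether
# disabled accounts are moved to a holding OU). The regex strips the leading
# CN= RDN while honouring backslash-escaped commas inside it.
$disabled = @($users | Where-Object { -not $_.Enabled })
$report.DisabledUsers          = $disabled.Count
$report.DisabledUserContainers = ($disabled | ForEach-Object {
    $_.DistinguishedName -replace '^CN=(?:\\.|[^,\\])*,', ''
} | Sort-Object -Unique) -join '; '

# Data-cleansing indicators. sAMAccountName is unique per domain by design, so
# only displayName and CN (unique per container only) can legitimately repeat.
$report.DuplicateDisplayNames = @($users | Where-Object { $_.displayName } |
    Group-Object -Property displayName | Where-Object { $_.Count -gt 1 }).Count
$report.CNRepeatedAcrossContainers = @($users | Group-Object -Property Name |
    Where-Object { $_.Count -gt 1 }).Count
$report.UsersWithoutMail = @($users | Where-Object { -not $_.mail }).Count

$result = [pscustomobject]$report
$result | Format-List
$result | Export-Csv -Path .\ad-inventory.csv -NoTypeInformation
```

Run it once per domain in the forest (Get-ADUser is scoped to the domain you are connected to), and attach the CSV to the questionnaire instead of transcribing numbers by hand.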

Business Processes #

  • Who are your network administrators (the administrators who add and maintain user objects in your directory) for Active Directory?
  • Will synchronization be one way, from the Identity Vault to AD? If not, which events do you want to flow back from AD to the Identity Vault (IDV)?
  • What is the business process for adding a new user object? (What is the means of notification? What information is minimally required?)
  • What is your corporate standard for naming conventions in AD? (e.g.: the default behavior is CN = full name)
    • displayName: (Insert Naming Convention)
    • sAMAccountName: (Insert Naming Convention)
    • userPrincipalName: (Insert Naming Convention)
    • Distinguished Name for AD: (Insert Naming Convention)
  • What is the naming algorithm (conflict resolution) for creating new user objects?
  • What attributes are normally used to create a user object? Please identify which attributes are needed minimally (required).
  • Which attributes are given default values when a user object is created, and what are those default values?
  • What attributes that you are not populating or maintaining currently would you like to see populated and maintained through IDM?
  • What is the business process for deleting/disabling a user object? (e.g.: What is the means of notification? How long are accounts left disabled before they are deleted? Are the accounts moved to another container?)
  • What is the business process for moving a user object? (What is the means of notification? Is this done with a move, a delete/create new user, or a disable/create new user?)
  • What is the business process for modifying a user object? (What is the means of notification? Which attributes are changes normally requested for?)
  • What is the business process for renaming an object?
  • What attributes, if any, should flow back from AD to the Identity Vault, and what is the authoritative source of each? (e.g.: email address)
  • Write back: If a change to a user object occurs in AD, do you want the original values (from the Identity Vault) to be written back, reverting the change?
  • What are the business rules or the password policy for creating passwords?
  • How are initial/default passwords determined? How are they communicated to users?
  • Are there any additional users that will need to be populated into AD during this implementation?
    • If yes, from what source(s) will Active Directory be populated during implementation?
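
The naming-convention and conflict-resolution questions above (displayName, sAMAccountName, userPrincipalName, and the algorithm for resolving collisions) are usually answered with a rule that the IDM driver must then implement. The script below is an added example of such a rule, not part of the original checklist or of any IDM product. The convention it assumes is illustrative: sAMAccountName = first initial + surname, lowercased, ASCII letters only, truncated to the 20-character sAMAccountName limit, with a numeric suffix on collision; userPrincipalName = sAMAccountName@UPN suffix, with example.com as the assumed suffix. The function names, the taken-name list and the sample users are all constructed for the example.

```powershell
# Added example (not part of the original checklist): a candidate naming
# algorithm with conflict resolution for new user objects. Assumed convention:
# sAMAccountName = first initial + surname, lowercased, a-z only, at most 20
# characters (the sAMAccountName limit), numeric suffix on collision;
# userPrincipalName = sAMAccountName@<UPN suffix>. All names are assumptions.

function ConvertTo-AsciiName {
    param([Parameter(Mandatory)][string]$Text)
    # Decompose accented characters (é -> e + combining acute), drop the
    # combining marks, then keep only a-z. "Élodie O'Brien" -> "elodieobrien"
    $decomposed = $Text.Normalize([Text.NormalizationForm]::FormD)
    $letters = $decomposed.ToCharArray() | Where-Object {
        [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne [Globalization.UnicodeCategory]::NonSpacingMark
    }
    return ((-join $letters).ToLowerInvariant() -replace '[^a-z]', '')
}

function Test-SamAccountNameInUse {
    param([Parameter(Mandatory)][string]$Name)
    # Check all object classes, not just users: sAMAccountName must be unique
    # across every security principal in the domain (groups and computers too).
    # $Name has already been reduced to [a-z0-9], so no LDAP filter escaping is needed.
    Import-Module ActiveDirectory -ErrorAction Stop
    return [bool](Get-ADObject -LDAPFilter "(sAMAccountName=$Name)" -ResultSetSize 1)
}

function New-UniqueAccountName {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [string]$UpnSuffix = 'example.com',   # assumed UPN suffix
        [scriptblock]$InUse = { param($n) Test-SamAccountNameInUse -Name $n }
    )
    $first = ConvertTo-AsciiName $GivenName
    $last  = ConvertTo-AsciiName $Surname
    if (-not $first -or -not $last) {
        throw "Cannot derive a login name from '$GivenName $Surname'"
    }
    $base = $first.Substring(0, 1) + $last
    $max  = 20
    $candidate = $base.Substring(0, [Math]::Min($base.Length, $max))
    $suffix = 1
    while (& $InUse $candidate) {
        $suffix++
        if ($suffix -gt 999) { throw "No free sAMAccountName for base '$base'" }
        # Shorten the base so that base + suffix still fits in 20 characters
        $room = $max - "$suffix".Length
        $candidate = $base.Substring(0, [Math]::Min($base.Length, $room)) + $suffix
    }
    [pscustomobject]@{
        sAMAccountName    = $candidate
        userPrincipalName = "$candidate@$UpnSuffix"
    }
}

# Dry run against a constructed list of names already taken, so the
# algorithm can be exercised without a domain connection.
$taken = @('jsmith', 'jsmith2')
$offline = { param($n) $taken -contains $n }.GetNewClosure()
New-UniqueAccountName -GivenName 'John'   -Surname 'Smith' -InUse $offline
New-UniqueAccountName -GivenName 'Élodie' -Surname "O'Brien-Schwarzenegger" -InUse $offline
```

Drop the -InUse argument to check against the real domain through Test-SamAccountNameInUse. Whatever convention the customer settles on, keep the uniqueness check at the domain level for sAMAccountName and at the forest level for userPrincipalName, since a check scoped to one OU will pass names that AD then rejects on create.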

Development / Test Environments #

  • Do you have separate development and test environments? If not, what is the lead time to provide a development environment?
  • Do you follow any configuration management processes? If yes, what are they?
  • Do you have Service Location Protocol (SLP) deployed in your environment? If yes, which implementation?

Deployment / Implementation #

  • What are your current maintenance schedules (e.g.: health checks, scheduled downtimes, time slots for downtime)?
  • What backup and recovery procedures do you have?
  • What change management procedures do you have?


  • Are there any additional comments, risks, assumptions or issues that we should be aware of for this project?