Lead Active Directory Engineer (#5034)

About the client:

Our customer is the European online car market with over 30 million monthly users, with a market presence in 18 countries. As a Lead Active Directory Engineer, you will play a pivotal role in shaping the future of online car markets and enhancing the user experience for millions of car buyers and sellers.

Project Overview

We require a Lead Active Directory Engineer to assess, clean up, and harden multiple inherited single-forest, single-domain Active Directory environments.

These environments require standardization, security hardening, and alignment with current best practices. The focus will be on improving AD structure, security posture, Group Policy hygiene, and operational consistency, while also evaluating long-term viability and integration with enterprise IAM platforms.

This is a hands-on senior role requiring deep expertise in Active Directory architecture, security, identity integration, and remediation of legacy configurations, including alignment with industry audit and compliance standards (e.g., PCI DSS).

Requirements

• EDT Timezone work hours
• Extensive hands-on experience (typically 7+ years) with Active Directory engineering and administration
• Proven experience performing AD clean-up, consolidation, or post-transition integration work
• Strong expertise in:
  • Active Directory (single-domain environments at scale)
  • Group Policy design, cleanup, and optimization
  • OU design and delegation models
• Demonstrated experience with:
  
  • AD security hardening (tiered admin model, least privilege, attack surface reduction)
• Identifying and remediating:
  • Stale objects (users, computers, groups)
  • Legacy permissions and misconfigurations
  • GPO sprawl and conflicts
• Experience integrating Active Directory with IAM/IdP platforms, including:
  • Azure AD / Entra ID, Okta, etc
  • SSO, federation, and identity synchronization (e.g., AAD Connect or equivalent)
  • Role-based access control (RBAC) and identity lifecycle management
• Experience working within regulated or audited environments, including:
  • PCI DSS (or similar frameworks such as ISO 27001, NIST)
  • Implementing controls related to identity, access management, and auditability
• Strong knowledge of:
  • Authentication protocols (Kerberos, NTLM, SAML/OIDC basics)
  • DNS (AD-integrated), replication, and site topology
• Experience with tools such as:
  • ADUC, ADSIEdit, Group Policy Management Console
  • PowerShell (AD module) for bulk changes and reporting
• Experience in auditing and improving:
  • Privileged access (Domain Admins, Enterprise Admins)
  • Service accounts and delegation
• At least upper-intermediate English level
  
  

 Responsibilities

• Perform a comprehensive assessment of current AD environments
• Identify and remediate:
  • Inactive/stale objects
  • Legacy groups and excessive permissions
  • GPO duplication, conflicts, and inefficiencies
• Redesign and implement:
  • OU structure and delegation model
  • Group Policy strategy aligned to best practices
• Implement security hardening measures, including:
  • Privileged access model (e.g., tiering)
  • Reduction of attack surface and legacy protocols
  • Alignment with audit/compliance requirements (e.g., PCI DSS controls)
• Integrate AD environments with enterprise IAM platforms, including:
  • Identity synchronization and federation
  • Access model alignment (RBAC / least privilege)
  • SSO enablement and identity lifecycle processes
• Review and optimize:
  • AD Sites and Services (replication topology)
  • DNS configuration and health
  • Develop and execute cleanup and remediation plans with minimal disruption
  • Automate tasks and reporting using PowerShell
  • Produce clear documentation and operational standards, including audit-ready configurations

Expected Deliverables

• Completed AD health assessment and remediation roadmap
• Reduction in stale objects, legacy permissions, and GPO sprawl
• Implemented hardened AD structure aligned with best practices and audit standards (e.g., PCI DSS)
• Successful integration of AD environments with IAM platform(s), including SSO and identity lifecycle alignment
• Improved security posture (privileged access, delegation, policies)
• Documented AD design, IAM integration approach, and operational procedures
• Assessment and recommendations for future state strategy, including options to consolidate, migrate, or decommission existing domains, with associated risks, dependencies, and a high-level migration approach

Nice-to-Have Certifications

• Microsoft Certified: Windows Server Hybrid Administrator Associate
• Microsoft Certified: Identity and Access Administrator Associate (SC-300)
• Microsoft Certified: Azure Solutions Architect Expert
• MCSA / MCSE (legacy but relevant)
• Security certifications (e.g., CISSP, Security+, CISM)
• Okta Certified Professional / Administrator (or similar IAM certifications)