Senior Active Directory Engineer (Enterprise Security & Architecture)
Are You an Experienced Active Directory Engineer Looking for Your Next Challenge? Apply Now!
On behalf of one of our top financial clients, we are seeking a Senior Active Directory Engineer (Enterprise Security & Architecture) to join the client's Identity Services team and lead critical infrastructure initiatives, focusing on the review, remediation, and security hardening of the on-premises Active Directory environment. This is an excellent opportunity for a seasoned professional to apply their expertise in a dynamic, fast-paced setting.
Responsibilities
- Assess, remediate, and optimize Active Directory forest and domain configurations
- Design, implement, and manage forest and domain trusts, including external, parent-child, and filtered trusts
- Develop and oversee Group Policy Objects (GPO) and authentication policies to enforce security controls
- Apply advanced security measures for privileged access, service accounts (including gMSA), and functional accounts
- Harden domain controllers and Tier 0 servers following security best practices
- Audit and remediate directory object permissions to follow least privilege principles
- Manage Kerberos protocol settings and ticket lifetimes, and mitigate risks such as Kerberoasting and Golden/Silver Ticket attacks
- Review and restrict NTLM protocol usage, implement modern authentication protocols, and disable legacy authentication where feasible
- Support implementation of authentication enhancements such as Protected Users, authentication policies, and credential caching controls
- Provide third-level support for Active Directory incidents, including replication failures, authentication issues, and security breaches
- Utilize diagnostic tools (e.g., repadmin, dcdiag, event logs) to monitor AD health and troubleshoot infrastructure issues
- Collaborate with security and infrastructure teams to respond to vulnerabilities and audit findings
- Serve as a subject matter expert for Active Directory-related projects, migrations, and integrations
- Advise on directory design, trust architecture, and integration with identity management platforms
- Document technical solutions, remediation activities, and operational procedures
Desired Skill-Set
- 7+ years of hands-on experience with large-scale, multi-domain, and multi-forest Active Directory environments
- Deep understanding of AD architecture, including replication, sites and services, and trust relationships
- Extensive experience with authentication protocols (LDAP, Kerberos), ticket management, and protocol security
- Proven expertise in GPO design and deployment, privileged access management, and security hardening
- Strong background in incident response, remediation of misconfigurations, and directory security practices
- Familiarity with monitoring, network capture, and security assessment tools
- Excellent written and verbal communication skills
- Ability to work effectively with cross-functional teams and external partners
Nice to Have
- Advanced PowerShell scripting for automation and management tasks
- Experience managing service accounts, including gMSA, credential protection, and identity lifecycle
- Knowledge of integration with identity management platforms and related migration projects
BeachHead is an equal opportunity agency and employer. We advocate for our candidates and welcome applicants regardless of race, color, religion, national origin, sex, age, or physical or mental disability. BeachHead or our clients may use technology-enabled tools, including automation and artificial intelligence (AI), to support parts of the recruitment process such as resume screening, application management, and candidate matching. These tools assist our recruiters and our clients, and do not replace human decision-making. This job posting represents a current or anticipated vacancy. The position may be filled at any time, and the posting may be removed without notice once the role has been filled.