Senior/Lead Active Directory Engineer

(#5034)

N-iX is looking for skilled Senior/Lead Active Directory Engineer to join our team! Our customer is the European online car market with over 30 million monthly users, with a market presence in 18 countries. As a Lead Active Directory Engineer, you will play a pivotal role in shaping the future of online car markets and enhancing the user experience for millions of car buyers and sellers. We require a Lead Engineer to assess, clean up, and harden multiple inherited single-forest, single-domain Active Directory environments. These environments require standardization, security hardening, and alignment with current best practices. The focus will be on improving AD structure, security posture, Group Policy hygiene, and operational consistency, while also evaluating long-term viability and integration with enterprise IAM platforms. This is a hands-on senior role requiring deep expertise in Active Directory architecture, security, identity integration, and remediation of legacy configurations, including alignment with industry audit and compliance standards (e.g., PCI DSS).

Requirements:

• EDT Timezone work hours

• Extensive hands-on experience (typically 7+ years) with Active Directory engineering and administration.

• Proven experience performing AD clean-up, consolidation, or post-transition integration work.

• Strong expertise in: Active Directory (single-domain environments at scale), Group Policy design, cleanup, and optimization, OU design and delegation models.

• Demonstrated experience with: AD security hardening (tiered admin model, least privilege, attack surface reduction), identifying and remediating, stale objects (users, computers, groups), legacy permissions and misconfigurations, GPO sprawl and conflicts.

• Experience integrating Active Directory with IAM/IdP platforms, including: Azure AD / Entra ID - must have, Okta - nice to have, etc, SSO, federation, and identity synchronization (e.g., AAD Connect or equivalent), role-based access control (RBAC) and identity lifecycle management.

• Experience working within regulated or audited environments, including: PCI DSS (or similar frameworks such as ISO 27001, NIST).

• Implementing controls related to identity, access management, and auditability.

• Strong knowledge of: Authentication protocols (Kerberos, NTLM, SAML/OIDC basics), DNS (AD-integrated), replication, and site topology.

• Experience with tools such as: ADUC, ADSIEdit, Group Policy Management Console, PowerShell (AD module - must have) for bulk changes and reporting.

• Experience in auditing and improving: privileged access (Domain Admins, Enterprise Admins), service accounts and delegation.

• At least upper-intermediate English level.

 Responsibilities:

• Perform a comprehensive assessment of current AD environments.

• Identify and remediate: inactive/stale objects, legacy groups and excessive permissions, GPO duplication, conflicts, and inefficiencies.

• Redesign and implement: OU structure and delegation model, Group Policy strategy aligned to best practices.

• Implement security hardening measures, including: privileged access model (e.g., tiering), reduction of attack surface and legacy protocols.

• Alignment with audit/compliance requirements (e.g., PCI DSS controls).

• Integrate AD environments with enterprise IAM platforms, including: identity synchronization and federation, access model alignment (RBAC / least privilege), SSO enablement and identity lifecycle processes.

• Review and optimize: AD Sites and Services (replication topology), DNS configuration and health.

• Develop and execute cleanup and remediation plans with minimal disruption.

• Automate tasks and reporting using PowerShell.

• Produce clear documentation and operational standards, including audit-ready configurations.

Nice-to-Have Certifications:

• Microsoft Certified: Windows Server Hybrid Administrator Associate

• Microsoft Certified: Identity and Access Administrator Associate (SC-300)

• Microsoft Certified: Azure Solutions Architect Expert

• MCSA / MCSE (legacy but relevant)

• Security certifications (e.g., CISSP, Security+, CISM)

• Okta Certified Professional / Administrator (or similar IAM certifications)