Lead Active Directory Engineer

M&T Bank, Buffalo, NY
Hybrid

About The Position

Responsible for designing, securing, and operating Microsoft Active Directory Domain Services (AD DS) in regulated, high-availability environments. Acts as a knowledge resource for, and trains, less experienced engineers. Completes day-to-day support activities and special projects.

Requirements

  • Bachelor's degree and a minimum of 5 years’ relevant work experience, or in lieu of a degree, a combined minimum of 9 years’ higher education and/or work experience
  • Enterprise Active Directory Architecture:
      • Multi-domain and multi-forest designs
      • Forest and external trusts
      • FSMO role placement
      • Active Directory-integrated DNS, split-brain DNS, and secure name resolution models
  • Hybrid Identity & Microsoft Entra ID (Azure AD):
      • Integrating on-prem AD with Microsoft Entra ID
      • Entra Connect (Connect Sync and Cloud Sync)
      • Password Hash Sync, Pass-through Authentication, and Federation
      • Conditional Access
      • Hybrid Join, Entra ID Join, and legacy device coexistence
      • Identity lifecycle controls
  • Security, Compliance & Risk Controls:
      • Active Directory security hardening
      • Tiered administrative model (Tier 0/1/2)
      • Dedicated admin forests or hardened admin boundaries
      • Privileged Access Workstations (PAWs) / Secure Admin Workstations
      • Least privilege, role separation, and dual-control models
      • Threats targeting financial institutions: credential theft, Kerberoasting, Pass-the-Hash/Pass-the-Ticket, delegation abuse, and ACL abuse
      • Privileged Identity Management (PIM)
      • Regular access reviews and entitlement recertification
      • Zero Trust and defense-in-depth identity strategies
  • Regulatory & Audit Readiness:
      • Supporting audits and controls for financial regulations and frameworks such as SOX, GLBA, PCI DSS, and SOC 2
      • Internal risk management and model governance requirements
      • Strong logging and traceability
      • Tamper-resistant audit logs
      • Evidence generation for internal and external auditors
  • Automation & PowerShell:
      • Controlled, auditable administrative changes
      • Automated provisioning/deprovisioning
      • Identity reporting
      • Automation that integrates with change management processes, IAM, ticketing, and security tooling
  • Operations, Resilience & Recovery:
      • AD replication topology across data centers and regions
      • SYSVOL (DFSR) health and recovery
      • Latency-sensitive authentication dependencies
      • AD backup, recovery, and authoritative restore procedures
      • Identity disaster recovery scenarios with defined RTO/RPO
      • Monitoring and alerting with a focus on early risk detection
  • Leadership & Governance:
      • Technical authority and escalation point for all directory and identity services
      • Defining and enforcing enterprise identity standards, secure configuration baselines, and operational runbooks and procedures
      • Partnering closely with Information Security and IAM teams; risk, audit, and compliance stakeholders; and infrastructure, cloud, and application teams
      • Mentoring engineers and reviewing designs from a security and risk-first perspective

Nice To Haves

  • Advanced understanding of the secure system development lifecycle, the infrastructure lifecycle, architecture, and systems design
  • Proven experience with the development and customization of tools used in the assigned cybersecurity function
  • Demonstrated ability to translate architecture into technical requirements
  • Proficient critical thinking and problem-solving ability
  • Excellent communication and interpersonal skills
  • Experience partnering with leaders to design solutions to business needs
  • Proficient persuasive communication skills to gain buy-in from others
  • Strong ability to analyze and draw reliable conclusions from large volumes of quantitative data from diverse sources
  • Effectively serves in an indirect leadership role

Responsibilities

  • Enterprise Active Directory Architecture: Proven expertise supporting large-scale, Tier 1 (business-critical, as distinct from the Tier 0/1/2 administrative model below) identity infrastructures with strict uptime, latency, and change-control requirements. Strong experience with multi-domain and multi-forest designs aligned to business units, regions, or regulatory boundaries; forest and external trusts supporting M&A, joint ventures, and third-party integrations; and FSMO role placement optimized for resilience and auditability. Advanced understanding of Active Directory-integrated DNS, split-brain DNS, and secure name resolution models.
  • Hybrid Identity & Microsoft Entra ID (Azure AD): Extensive experience integrating on-prem AD with Microsoft Entra ID in regulated financial environments. Hands-on implementation of Entra Connect (Connect Sync and Cloud Sync), Password Hash Sync, Pass-through Authentication, and Federation. Strong experience with Conditional Access aligned to regulatory and risk-based controls, and with Hybrid Join, Entra ID Join, and legacy device coexistence. Understanding of identity lifecycle controls that support joiners, movers, and leavers, and separation-of-duties requirements.
  • Security, Compliance & Risk Controls: Expert-level knowledge of Active Directory security hardening in financial services, including the tiered administrative model (Tier 0/1/2), dedicated admin forests or hardened admin boundaries (where applicable), and Privileged Access Workstations (PAWs) / Secure Admin Workstations. Experience enforcing least privilege, role separation, and dual-control models. Deep familiarity with threats targeting financial institutions: credential theft, Kerberoasting, Pass-the-Hash/Pass-the-Ticket, delegation abuse, and ACL abuse. Hands-on experience with Privileged Identity Management (PIM) and with regular access reviews and entitlement recertification. Strong alignment with Zero Trust and defense-in-depth identity strategies.
  • Regulatory & Audit Readiness: Demonstrated experience supporting audits and controls for financial regulations and frameworks such as SOX, GLBA, PCI DSS, and SOC 2, and for internal risk management and model governance requirements. Ability to design AD environments that provide strong logging and traceability, tamper-resistant audit logs, and evidence generation for internal and external auditors.
  • Automation & PowerShell: Advanced PowerShell expertise for controlled, auditable administrative changes; automated provisioning/deprovisioning aligned to compliance workflows; and identity reporting for risk, security, and audit teams. Experience building automation that integrates with change management processes and with IAM, ticketing, and security tooling.
  • Operations, Resilience & Recovery: Deep experience managing AD replication topology across data centers and regions, SYSVOL (DFSR) health and recovery, and latency-sensitive authentication dependencies. Strong understanding of AD backup, recovery, and authoritative restore procedures, and of identity disaster recovery scenarios with defined RTO/RPO. Experience implementing monitoring and alerting with a focus on early risk detection.
  • Leadership & Governance: Acts as technical authority and escalation point for all directory and identity services. Defines and enforces enterprise identity standards, secure configuration baselines, and operational runbooks and procedures. Partners closely with Information Security and IAM teams; risk, audit, and compliance stakeholders; and infrastructure, cloud, and application teams. Mentors engineers and reviews designs from a security and risk-first perspective.

Benefits

  • Four days onsite at our Seneca One Buffalo, NY location, with the flexibility to work from home one day per week
© 2026 Teal Labs, Inc