 |
|
 |
Active Directory Group Management: Challenges, Cost and Uses.
According to this Osterman survey, over 90% of all organizations manage Active Directory groups through manual processes. The cost for these manual processes? Over $16 per user per year. On average, for every 4000 users in your organization, you have a full time IT resource managing Active Directory groups. Not all of Active Directory, just the AD groups.
Download PDF - 5 pages, 350KB
|
|
|
|
|
|
 |
 |
|
What do most organizations use Active Directory groups for? Over 90% grant access to files and folders, almost 80% grant permission to systems, and over 70% apply group policy objects to AD groups. And, of course, AD groups are pretty helpful for communicating to your organization with email.
This shows how important security groups are and how inefficiently managed they are. Read more results from the survey below. And contact Imanami to find out how to do manage Active Directory groups better.
BACKGROUND AND METHODOLOGY
Osterman Research conducted a survey during April 2010 on behalf of Imanami to
understand issues related to Active Directory (AD) administration in organizations of
various sizes. A total of 155 surveys were completed using the Osterman Research
survey panel.
The mean number of employees and email users at the organizations surveyed was
10,229 and 9,526, respectively; the medians were 1,000 and 750. 51% of the
respondent organizations had 1,000 or more employees; 48% had 1,000 or more email
users. In order to qualify for completion of the survey, respondents had to be involved
with and/or knowledgeable about AD administration in their organization.
USER PROVISIONING
The survey found that 42% of organizations have updated user-provisioning capabilities
during the previous 12 months. In terms of the most important aspects of user
provisioning, authentication credentials for system access were deemed important or
extremely important by 89% of respondents. 86% deemed that accounts associated
with each user are this important, followed by managing group membership or role
assignments from which entitlements may flow (72%).
Among the least important aspects of user provisioning are assignment of roles (57%)
and access policy/rule sets (60%). Further, 48% of respondents believe that
identity/access management/life cycle solutions are very important, while another 37%
believe that these solutions are somewhat important. Only 1% determined that these
solutions are not important at all.
IT TIME INVESTMENTS
Managing groups is a significant time investment for many organizations, although the
results from the research varied widely. Our research found that the median IT time
investment in managing groups during a typical week is 8.3 person-hours per 1,000
users. If we assume that the average, fully burdened salary for an IT administrator is
$80,000 annually, that translates to a total cost of $16,600 per 1,000 users annually,
$16.60 per user per year, or $1.38 per user per month.
Interestingly, the survey also found that less time is being spent on managing groups
when compared to time investments from a year ago. When asked how many personhours
per week were spent on managing groups 12 months ago, respondents indicated
a median of 8.9 person-hours per week, representing a decrease of 7% during the past
12 months. That said, while 20% are spending more time in managing groups now
compared to one year ago and 21% are spending less time, the vast majority – 58% –
are spending the same amount of time managing groups as they were last year.
We also segmented the data into only those that have updated user-provisioning
capabilities during the past year. We found that among those that had updated these
capabilities, none were spending more time managing groups now compared to a year
ago, 26% were spending less time and 74% were spending the same amount of time.This clearly indicates that updates in user provisioning capabilities had at least some
impact on the amount of time that organizations spend managing AD groups.
THE PAIN OF UPDATING GROUPS IN AD
On balance, the survey revealed that updating groups in AD is not tremendously painful:
16% responded that these updates are not at all painful and another 47% told us that
they are not “too” painful. However, 10% responded that updating groups in AD is
painful or very painful, and another 27% believe it to be “somewhat” painful. Clearly,
this represents enough pain that a way to alleviate the difficulties with AD updates,
coupled with the problems caused when groups are not updated in a timely manner,
would be welcomed by a fairly significant proportion of decision makers.
We also found that 59% of organizations manage groups in AD only manually, 8% use
an automated system, and 33% use a combination of manual and automatic methods.
We examined ratings for the pain of updating groups in AD for those that use only
manual methods, expecting that those performing only manual updates would have a
more “painful” experience with AD updates. However, that turned out not to be the
case: although there were slight differences between the manual-only group and the
overall population, there was little difference between the two groups. This tells us that
current, automated methods of updating groups in AD do relatively little to alleviate the
pain of group updates.
Next Page >>
|
|
|
|
|
