Group management in Active Directory is so much more than just making sure that memberships are correct. There’s an entire lifecycle process devoted to improving the management of groups — and the security they represent. But for many of you, there simply isn’t enough time (yet) to devote to implementing an entire group lifecycle.
So, what steps can you take today to make groups more accurate and your environment more secure?
There are three basic steps that you can take to improve how you manage groups. With just a little time and effort, these steps can improve both your security position and your management strategy, ensuring that the management of your groups is being done correctly.
Step 1: Assess the Current State of Your Groups
If you’re going to go it alone, this step could be a nightmare. Some of you may have hundreds or even thousands of groups, and you’d need to check each one for numerous issues, such as the lack of a manager, empty groups, nesting, etc. Understandably, no one wants to spend the time doing all of this. You already don’t have the time for simple tasks such as documenting the reason for a group’s existence in the Description field, and you definitely don’t have time to manually pore through countless groups.
Don’t worry. There’s help.
Because this is such a critical step, we’ve created a free tool that does most of the legwork for you. Health Meter is a free online diagnostic tool that assesses the strengths and weaknesses of groups in Active Directory. With Health Meter, you can quickly determine the health of your Active Directory groups using multiple metrics that focus on specific areas of groups and their management. For example, the Group Types gauge (see diagram) shows how many groups exist by type.
Other gauges help identify where you should focus your cleanup efforts, providing guidance and suggestions along the way.
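As an added illustration of the Step 1 assessment (this is example code, not Health Meter or any Imanami tool), the following read-only PowerShell audit flags the issues named above: no manager (ManagedBy), no Description, empty groups, and nesting in either direction. It assumes the RSAT ActiveDirectory module and a domain-joined session; the -SearchBase parameter is a hypothetical OU you would replace with your own.

```powershell
# Added example, not from the article or from Imanami's products.
# Read-only: it only queries Active Directory and never changes a group.
Import-Module ActiveDirectory

function Get-GroupHealthReport {
    param(
        # Hypothetical scope; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # One LDAP query, pulling only the attributes the checks need.
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
        -Properties ManagedBy, Description, Members, MemberOf, whenChanged

    # A group's MemberOf lists the groups that contain it, so the union of all
    # MemberOf values is the set of groups that contain other groups. This
    # avoids one lookup per member, which is slow on large groups.
    $parents = @{}
    foreach ($g in $groups) { foreach ($p in $g.MemberOf) { $parents[$p] = $true } }

    foreach ($g in $groups) {
        $findings = New-Object System.Collections.Generic.List[string]
        if (-not $g.ManagedBy)                    { $findings.Add('NoManager') }
        if (-not $g.Description)                  { $findings.Add('NoDescription') }
        if ($g.Members.Count -eq 0)               { $findings.Add('Empty') }
        if ($g.MemberOf.Count -gt 0)              { $findings.Add('NestedInOtherGroup') }
        if ($parents.ContainsKey($g.DistinguishedName)) { $findings.Add('ContainsGroups') }

        [pscustomobject]@{
            Name        = $g.Name
            Category    = $g.GroupCategory   # Security or Distribution
            Scope       = $g.GroupScope      # DomainLocal, Global or Universal
            Members     = $g.Members.Count
            LastChanged = $g.whenChanged
            Findings    = ($findings -join ',')
        }
    }
}

$report = Get-GroupHealthReport

# The equivalent of the Group Types gauge: how many groups exist by type.
$report | Group-Object Category, Scope | Select-Object Name, Count

# Where to start cleanup: unmanaged or empty security groups, oldest first.
$report |
    Where-Object { $_.Category -eq 'Security' -and $_.Findings -match 'Empty|NoManager' } |
    Sort-Object LastChanged |
    Format-Table Name, Scope, Members, LastChanged, Findings -AutoSize
```

Export the $report with Export-Csv to keep a baseline you can compare against after the cleanup in Steps 2 and 3.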
Step 2: Implement Self-Service
This step involves giving select users the ability to manage group membership themselves. Remember: Because you don’t have extra time, the more mature approach to security posture is to shift the responsibility for managing groups from IT to the people who are closest to the applications and data that the groups grant access to.
You could accomplish this natively by using not much more than Active Directory delegation. (If you do, we recommend you use the Managed By and Description fields within groups to document any delegations created.) But before you do, you’re going to need some help. Start by looking at groups from a business standpoint and then begin to identify individuals within the organization who can help with daily management.
If you need more advanced self-service, Imanami GroupID helps to automate the creation, use, expiration, and deletion of groups.
Step 3: Implement Workflow
In many organizations, it’s necessary to incorporate more advanced controls (such as approvals) before changes to group memberships can take place. (You could create manual workflows in the form of approved processes, but they lack accountability.) These more complex controls will require the use of automated tools such as GroupID to implement automated workflows, which would include the following tasks:
- Allowing users to create groups with IT approval
- Ensuring consistent naming during creation
- Sending automatic notifications
- Obtaining approvals when users request to join groups
- And much more
For each of these three steps, there is something that you can do now to improve the state of your groups — and how you manage them. But for those of you who want something more — better visibility, productivity, and security around group management — you’re going to need to examine a group management solution like GroupID.