Face it. Consolidating groups is just one of those tasks no one really wants to take on. You know that your Active Directory is filled with a ton of unused or unnecessary groups, yet they still sit there, happily existing without any supervision. See if any of these situations sound familiar:
- A group with no membership?
- Group nesting where no one knows the reason why it exists?
- A group for which no one is sure about what permissions are assigned to it?
- A group that no one wants to touch because you think it might be tied to a particular application?
These are all great candidates for groups that could easily be consolidated… or at least you think they might be.
So, why haven’t you already consolidated them?
There are a number of common reasons why you haven’t. And it’s not just you — everyone is in the same boat:
- Too many other priorities: Groups are just one of those things that fall to the bottom of the list every time.
- You didn’t create them: Even if you’ve been at your company since Active Directory was first installed there, you probably still have a group or two about which you have no idea when it was created or why it’s there.
- Not sure of their purpose: Sure, you can guess what the purpose of the AcctPayDBAdmin group is by its name, but do you know who is supposed to be a member or what the proper permissions should be? Probably not.
While there may be some validity behind these reasons, you’re here reading this article because you know deep down that consolidating your groups is something that you should be doing — and you’re looking for tips about how to do it without causing too much pain.
So, what’s the best way to consolidate groups?
Here are a few best practices to follow:
- Identify every group before you start: There’s nothing worse than consolidating two groups, only to discover that there’s a third, which causes you to start the process over again. Document everything about all of your groups, which can be accomplished with PowerShell. (Adam Bertram recently put out a great article on managing groups with PowerShell.) Or you could use an automated tool like GroupID from Imanami. The objective is to gather all pertinent data, including Name, Description, Members, Member Of, Managed By, whether Managers can modify membership, etc.
- Get input and assistance from those closest to a group’s apparent purpose or function: In most cases, IT is the farthest away from a group’s daily use. Someone like a department manager or a line-of-business owner has MUCH more insight into whether a group is properly configured — or even needs to exist at all.
- Understand the permissions assigned: This is a bit more complicated than simply pointing a PowerShell script at Active Directory. You’re going to need to figure out what permissions are assigned to each of the groups to be consolidated. Further, some permissions are likely to have been assigned to each group, so you’ll need to consolidate permissions, too. In lieu of that, you could get input from people closer to the group’s function (as mentioned in best practice #2 above) and simply assign a proper set of permissions to the single, finished consolidated group.
- Don’t consolidate — delete: If a group is no longer necessary, and you’ve done the necessary diligence, kill it.
- Never let this happen again: If your groups are in a bad state, it’s merely the result of simple negligence. Now that you have the attention of people outside IT who are somewhat vested in the appropriate membership and permissions for a particular group, it may be time to put a proper group management lifecycle in place and employ the help of people outside of IT to manage the consolidated groups on a daily basis.
Consolidating groups won’t necessarily be an easy task, but if you understand the need and place a value on the security and management benefits created by cleaning things up, following these best practices will help you build a much more secure and well-managed Active Directory environment.