It’s been said that admitting that you have a problem is the first step on the road to recovery. So let’s all take a deep breath, and say it together: My groups are a mess. Come on… I know you can do it.
Don’t believe your groups are a mess? Let’s take a look at the 7 worst habits that IT typically has when it comes to managing groups in Active Directory. How many apply to you?
- Set it and forget it: We’ve all done it — made a group, added some users, gave it permissions, and moved on to put out the next fire. The problem is this: you’ve probably never gone back to that group ever again, which turns a forgotten security asset into a forgotten security gap.
- Don’t document: How many of us have bothered to fill in the Managed By tab? Or completed the Notes field to document the origin of the group and who is responsible for it? The likely answer is “not many of us.” Without properly documenting this information, IT has no way to understand why a group was created, whether it still needs to exist years after its creation, or how one group differs from another.
- Make changes without context: Typically, when your helpdesk receives a request to add a new group member, assuming that the requestor checks out, the helpdesk team just goes ahead and makes the change. But is that even the right group to be modified? Are the permissions given to that group appropriate to the person being added? (Remember, you probably have no documentation to verify this.) What access is actually being granted? Without the proper context around a group’s purpose and the permissions assigned, it’s difficult to ensure that security is properly maintained.
- Make changes without accountability: Continuing with the previous example, who is verifying that the changes being made are appropriate? By itself, a request does not provide sufficient justification. It’s likely that the helpdesk team doesn’t check with the appropriate person to validate the request: anyone higher up the ladder in IT, someone closer to the application being granted access to, or even a line of business owner. Without some level of accountability, your helpdesk is simply helping your groups become an even bigger
- Keep IT the owner: When you created the group, you never set the Managed By values because you just figured IT would manage the group. However, as discussed above, this approach does not provide the context needed. Accordingly, it may be a good idea to designate someone closer to the resources being granted access to as the group “owner” (even if only for the purpose of later reference). This provides a way for IT to reach out to the right people when change requests are made in order to understand the context and address accountability issues.
- Don’t delete anything…ever: Most organizations have no group membership management process that includes the removal of members and groups. If this sounds familiar, you probably have groups with members or permissions to resources (or both) that you don’t even remember exist! Think about that for a moment. There are users with access to resources — of whom IT isn’t even aware. Not good.
- Do it all yourself: As discussed previously, you probably never go back and actually manage groups: clean them up, verify that memberships are correct, confirm that the permissions assigned are necessary, etc. This is why they’re a mess in the first place. It just doesn’t make sense to have IT be the owner of a group. Someone much closer to an application — who knows which staff should be using an application, what permissions they require, etc. — should be the one to actually manage a group’s membership, approve permission assignment, and even verify whether a group remains necessary or can be deleted.
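If you want to see how many of these habits show up in your own directory, the following audit script is an added example (not from the original post or from Imanami) that flags groups with no Managed By owner, no Notes or Description, no recent change, or no members. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access, a 365-day staleness threshold, and an output path of .\ad-group-audit.csv; all three are assumptions you can change.

```powershell
# Added example: audit AD groups for the bad habits listed above.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Assumption: a group untouched for this many days counts as "set and forgotten".
$StaleDays = 365
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# LDAP attributes behind the GUI fields the post mentions:
# managedBy = Managed By tab, info = Notes field, description = Description field.
$Props = 'managedBy','info','description','whenChanged','member','memberOf','isCriticalSystemObject'

$Findings = foreach ($g in Get-ADGroup -Filter * -Properties $Props) {
    # Built-in groups (Domain Admins, etc.) legitimately lack an owner; skip them.
    if ($g.isCriticalSystemObject) { continue }
    $issues = @()

    # "Don't document" / "Keep IT the owner": nobody recorded as owner, nothing written down.
    if (-not $g.managedBy)                     { $issues += 'NoManagedBy' }
    if (-not $g.info -and -not $g.description) { $issues += 'NoNotesOrDescription' }

    # "Set it and forget it": no modification since the cutoff date.
    if ($g.whenChanged -lt $Cutoff)            { $issues += "NotChangedIn${StaleDays}Days" }

    # "Don't delete anything...ever": empty groups, and empty groups nested nowhere.
    # Note: memberOf shows nesting only; permissions granted via ACLs are not visible here.
    if ($g.member.Count -eq 0)                 { $issues += 'NoMembers' }
    if ($g.member.Count -eq 0 -and $g.memberOf.Count -eq 0) { $issues += 'NotNestedAnywhere' }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Group       = $g.SamAccountName
            Scope       = $g.GroupScope
            Owner       = $g.managedBy
            Members     = $g.member.Count
            LastChanged = $g.whenChanged
            Issues      = ($issues -join ',')
        }
    }
}

# Count of groups per issue, then the full list; the CSV is what you hand to group owners for review.
$Findings | ForEach-Object { $_.Issues -split ',' } | Group-Object |
    Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
$Findings | Sort-Object Members | Format-Table -AutoSize
$Findings | Export-Csv -Path .\ad-group-audit.csv -NoTypeInformation
```

The 'Issues' column maps directly back to the habits above, so the CSV doubles as the list of groups that need an owner assigned before anyone decides whether they can be deleted.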
If you are like most IT professionals, you are probably guilty of at least half of these bad habits — or more. Don’t feel bad. We’re all in the same boat. The question is, what can we do about it?
After admitting that there may be a problem, the next step is identifying the problem. For some of you, you may not even know just how bad it is. Fortunately, there are tools that can help. To evaluate the current state of your Active Directory groups, take a look at Imanami’s free GroupID Health Meter diagnostic tool to evaluate the strengths and weaknesses of your Active Directory group management.
If you already have an idea of how bad the state of your Active Directory group management may be, there are resources to help you, too. For more information on how to properly manage Active Directory groups, check out the whitepaper Getting a Grip on Groups: 7 Best Practices to Better AD Group Management.
Our mission here at Imanami is to help you kick those bad habits. Let us help. The health of your Active Directory groups may depend on it.