Every group has its day. But for Active Directory groups, sometimes those days seem endless. That is because groups (whether security groups or distribution lists) are usually only needed for a certain time period but there is no simple way to end them. In the past, the best practice seemed to have been delete it and see who complained. But what would you do if the owner of that group still needed it? There was no way to renew the group.
Since each Active Directory group should only live as long as it is useful to the business, IT needs a way to effectively manage group glut. They need to be able to warn group owners that their group will expire, give that group owner the ability to renew it, expire the group, have a way to bring the group back from expiration, and ultimately delete it. The key to this working is that you have to “break” the group during the expiration phase and have a way to bring it back afterwards.
That is why we created GroupID, a way to comprehensively manage the full group lifecycle. The first example we ever heard about this need was a customer who had an Exchange distribution list called Fantasy Football 2004…he knew that he could delete that group but was worried about what would happen if he deleted something called Project Scorpio (a mail enabled security group). In an organization that had more groups than users (more common than you may think), he had a seemingly insurmountable task ahead of him.
We built group lifecycle management into two of our modules (Self Service and Automate) realizing that one of the keys to making Active Directory groups useful for end users was to only have useful groups available to them. If there are two operations groups due to a merger, expire both of them, see which one is being used and let the other get deleted.
After that it becomes a cycle, with the group owner needing to renew the group periodically based on a policy that the administrator sets. If that group owner doesn’t need the group anymore, they simply let it expire, or go to their web based Active Directory portal to delete it right then and there.
The tricky part is that there are always business critical Active Directory groups that cannot be expired or deleted. Can you imagine the havoc that would be created if domain admins were expired? So, we make sure that you can include or exclude certain OUs from the group expiration policy or set individual groups with a “never expire” status. That way, you know that those critical groups will always have their day.