Active Directory is not a four-letter word, but when opening AD up to end-user self-service, there is a potential to get bad words into it. I had a colleague years ago who, as his last act at the company, changed his voicemail to a lengthy, profanity-filled diatribe against the company. It took a few days until that was discovered and a few hours to fix.
We don’t want that to happen to Active Directory; the result can be embarrassing and open a company to lawsuits. In fact, it was a prospect who was in the middle of a lawsuit that first gave us the idea to implement a bad word filter in GroupID. They had a home-made AD self-service portal that allowed end users to create groups. And users will do what they are allowed to, so this one user created an inappropriate group, added female co-workers who fit the description of the group name to it, and emailed them. This was more than a harmless prank; it was the exact definition of sexual harassment.
So, we implemented two features that would stop this sort of activity: workflow on group creation and a bad word filter. The workflow on group creation lets IT set one or more approvers who determine whether the group should exist at all. The bad word filter lets IT set a list of words and phrases that they don’t want to appear anywhere in AD.
The bad word filter applies to group names, descriptions, user addresses, basically any attribute in AD where text is allowed. We can also set workflow on these attributes, but why not just stop it before the end user even makes the mistake?
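A minimal sketch of this kind of filter, as an added example (not GroupID's implementation or code from this post): it checks every text attribute of an object against a deny list before the write is accepted. The deny list is a constructed placeholder, and the look-alike character map and function names are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed placeholder deny list; a real one is whatever IT configures.
DENY_LIST = ["crazy", "bad phrase"]

# Hypothetical look-alike map (an assumption, not GroupID's actual rules).
LOOKALIKES = str.maketrans({"@": "a", "4": "a", "!": "i", "1": "i",
                            "3": "e", "0": "o", "$": "s", "5": "s"})

def _fold(text, mapping=None):
    """Strip accents, fold case, optionally map look-alikes, drop non-letters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    if mapping:
        text = text.translate(mapping)
    return re.sub(r"[^a-z]+", " ", text).strip()

def find_denied(value, deny_list=DENY_LIST):
    """Return the deny-list terms found in one attribute value."""
    # Check both readings: "crazy!" only matches when "!" is punctuation,
    # "cr@zy" only matches when "@" is read as "a".
    variants = {_fold(value), _fold(value, LOOKALIKES)}
    hits = []
    for term in deny_list:
        # Whole-word match, so "Crazyhorse" does not trip on "crazy".
        pattern = re.compile(r"\b" + re.escape(_fold(term)) + r"\b")
        if any(pattern.search(v) for v in variants):
            hits.append(term)
    return hits

def check_object(attributes, deny_list=DENY_LIST):
    """Map attribute name -> denied terms for every string value on an object."""
    rejected = {}
    for name, value in attributes.items():
        values = value if isinstance(value, list) else [value]
        hits = sorted({t for v in values if isinstance(v, str)
                       for t in find_denied(v, deny_list)})
        if hits:
            rejected[name] = hits
    return rejected

if __name__ == "__main__":
    # Constructed sample of a group-creation request.
    request = {"cn": "CR@ZY Coworkers", "description": "Weekly lunch group",
               "mail": "lunch@example.com"}
    print(check_object(request))
```

A value that mixes both readings inside one phrase, or that uses look-alikes outside this small map, is not caught by this sketch; the approval workflow remains the backstop for those cases.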
Why is this important? Because it’s possible for any of the information in AD to show up in the Global Address List (GAL) or employee directory. Don’t let your users make a mistake and expose the company to potential lawsuits.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
I can see where you would say that except that there are real examples where companies are exposed to potential lawsuits by AD groups. See the tweet referenced in this blog post.
What if an employee or admin actually created a group called cr@zy b!tches and placed a female employee in it? It would be sitting for all to see in the GAL.
And, yes, we have a way of detecting if someone uses “@” instead of “a” like I did in the comment above. Those l33ts won’t pull a quick one on us!