Every organization has distribution lists and security groups, usually lots and lots of them (that’s a technical term meaning greater than the number of users). Sometimes Active Directory is just bursting with AD groups. Every single one of these groups gives access to information, files and folders, or resources of some kind.
So, obviously, accurate Active Directory group membership is important. But let’s flip this question and think of what can go wrong by having inaccurate group membership. Because avoiding catastrophic events for the business is really one of the more important roles for IT.
- An email distribution list can send confidential information to a user who used to need it but no longer should have access to it. This is a security risk.
- An email distribution list can leave off an important user who needs access to information. This is a productivity risk.
- An email distribution list can send meaningless information to a lot of users who just don’t care, forcing them to hit delete many times a day. This is annoying and a productivity risk.
- An Active Directory security group can give access to a file or folder with confidential information based on a user’s old profile. This is a huge security risk.
- An Active Directory security group can be applying a GPO to a user incorrectly. This could run the spectrum from annoying to productivity-affecting to a security risk. My favorite example of this was that I couldn’t figure out why some of my employees couldn’t VPN. I assumed they were luddites or something; it turns out they weren’t in the “work from home” security group.
- An Active Directory security group can be denying access to an important resource for a user. This is a serious productivity risk and one that is sometimes hard to find.
With all of those things that affect your users’ day-to-day work lives, why not do something to make sure that your group membership is accurate? Believe it or not, almost 60% of organizations manage AD groups manually.
So, here’s what you can do without making your IT department a full-time group management shop.
- Automate your groups dynamically. Over 85% of all group memberships can be set by simple rules. GroupID Automate will do this with a simple yet powerful query designer that will ensure you never have to update the HR Managers in Topeka security group again. That’s right, I said security group. You can manage security groups dynamically!
- Delegate the rest of the groups to responsible users that should own the groups and know who should be members. GroupID Self-Service gives you control over what group owners can do and eases the burden on the help desk.
- Allow users to opt-in and join appropriate groups. Ease the burden on group owners for groups you want users to have the option of joining. Make it completely open or require group owner approval to join. This just makes sense and GroupID Self-Service does it.
Do all of these steps and your Active Directory group membership will suddenly be much less of a security or productivity risk. Your help desk will be freed for more important tasks and your IT department will become the most productive department in the world. And it’s easy.
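The rule-based membership idea from the first step can be sketched as a drift report. This is an added example, not GroupID's code or the author's. The user records, account names and the manually maintained member list are constructed sample data, and `Get-MembershipDrift` is a hypothetical helper name.

```powershell
# Constructed sample data standing in for a directory export. In a live domain
# the same shapes would come from Get-ADUser and Get-ADGroupMember.
$users = @(
    [pscustomobject]@{ Sam = 'akhan';  Department = 'HR';    Title = 'Manager'; City = 'Topeka'; Enabled = $true  }
    [pscustomobject]@{ Sam = 'bortiz'; Department = 'HR';    Title = 'Manager'; City = 'Topeka'; Enabled = $true  }
    [pscustomobject]@{ Sam = 'cwu';    Department = 'Sales'; Title = 'Manager'; City = 'Topeka'; Enabled = $true  }  # moved out of HR
    [pscustomobject]@{ Sam = 'dsmith'; Department = 'HR';    Title = 'Manager'; City = 'Topeka'; Enabled = $false }  # disabled account
)

# Constructed: what the manually maintained "HR Managers in Topeka" group holds today.
$currentMembers = @('akhan', 'cwu', 'dsmith')

# The membership rule, written as a predicate over user attributes.
$rule = { param($u) $u.Enabled -and $u.Department -eq 'HR' -and $u.Title -eq 'Manager' -and $u.City -eq 'Topeka' }

function Get-MembershipDrift {
    param(
        [object[]]$Users,
        [string[]]$CurrentMembers,
        [scriptblock]$Rule
    )
    # Who the rule says should be in the group right now.
    $expected = @($Users | Where-Object { & $Rule $_ } | ForEach-Object Sam)
    [pscustomobject]@{
        Expected = $expected
        # In the rule's result but not in the group: someone is missing access.
        ToAdd    = @($expected | Where-Object { $_ -notin $CurrentMembers })
        # In the group but no longer matching the rule: stale access.
        ToRemove = @($CurrentMembers | Where-Object { $_ -notin $expected })
    }
}

# Report only; nothing is changed. Review the lists before applying them.
$drift = Get-MembershipDrift -Users $users -CurrentMembers $currentMembers -Rule $rule
$drift.ToRemove | ForEach-Object { "REMOVE $_  (stale access: security risk)" }
$drift.ToAdd    | ForEach-Object { "ADD    $_  (missing access: productivity risk)" }
```

The two output lists map onto the risks listed earlier: members who no longer match the rule are the stale-access case, and users who match the rule but are not members are the left-off case.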
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.