Using Active Directory (AD) security groups is a best practice for assigning permissions to users — each member of a group gains all the permissions granted to the group, eliminating the time-consuming and error-prone approach of assigning rights directly to each user individually.
IT administrators responsible for creating and managing security groups can assign owners to manage them. A group’s owner does not have to be a member of the group. A group’s owner is responsible for managing and updating the group; monitoring changes to its membership, attributes and permissions; and ensuring that it is deleted when it is no longer needed.
To ensure that these tasks are performed reliably, it is useful to have multiple owners for each AD security group. However, Active Directory does not support a security group having multiple owners. This article explains exactly why this functionality is so important and offers a solution that provides it.
Reasons to Assign Multiple Owners to AD Security Groups
For an Active Directory group, multiple owners can deliver valuable benefits. Here are some of the top use cases.
Ensuring Business Productivity
AD groups play a vital role in business productivity because they are the primary way that users gain access rights to the IT resources they need to do their jobs. For example, if the sales team adopts a new tool, the Sales security group needs to promptly be granted permissions to use it. If a new helpdesk technician is hired, that user needs to be added to the Helpdesk security group so they can start performing their assigned tasks.
However, no one individual can always be available, so it is important to have multiple people who can modify a security group. For instance, if the primary owner of the group is on vacation, one of the other owners can step in and make the necessary changes to keep your business moving forward.
Avoiding the Risks of Orphaned Groups
An orphaned group is any group with no owner. These groups are a clear security risk, since no one is responsible for ensuring that their permissions and membership remain accurate. For instance, an adversary could modify the rights of a group in order to increase the access of an account they have compromised, or add a user account they control to a group to take illicit actions without raising alerts.
A common way that groups become orphaned is that the group owner leaves the company. Short-staffed IT teams may not even realize that the group has become orphaned, so it can remain unmanaged for a long time. Assigning multiple owners to security groups greatly reduces the risk of groups being orphaned.
Avoiding Stale Groups, including Empty Ones, that Could be Misused
One of the key responsibilities of a group owner is to delete the group once it is no longer needed. While many security groups, such as those associated with departments like Finance or Sales, are long-lived, many security groups are created for specific projects or teams. Any group that exists longer than required poses a security risk, since an user who is a member of the group can still take advantage of the permissions assigned to the group — and so can any adversary who compromises their account. This can include accessing confidential information or sensitive systems.
Even if a group is empty, it still poses a security risk. In fact, adversaries often look for empty security groups because it is a sign that they are unmanaged. As a result, the attacker can add an account they control to the security group and gain all the access rights assigned to the group, while likely avoiding detection since no one is paying attention to the group.
More broadly, if Active Directory is cluttered with dozens or hundreds of unneeded groups, it is harder to manage effectively. IT teams may be reluctant to delete a group if no one knows its purpose or whether it might still be required. Assigning multiple owners helps ensure that groups are deleted at the end of their useful life and the IT team has a responsible party to check with if they spot a group that has no members or otherwise seems to no longer be useful.
Tips for Choosing Additional Group Owners
Primary group owners should be users who have clear visibility into the group’s purpose, so they can ensure the group has the proper permissions and the correct membership. Examples can include a department manager or a team lead.
Additional group owners should be selected just as carefully. If a team has multiple leaders, an obvious choice is to make all leaders owners of the associated groups. Another common secondary owner is someone managed by the primary group owner. For example, a vice president might be the primary owner of a group, and the director of engineering can serve as the group’s additional owner. In some cases, helpdesk teams can act as secondary group owners.
How to Unlock the Benefits of Multiple Group Owners with Netwrix GroupID
As we have seen, for a security group, multiple owners are essential. But Microsoft Active Directory does not enable you to assign multiple owners.
Netwrix GroupID does. In fact, this powerful identity and access management (IAM) solution delivers all of the following capabilities:
- Easily assign one primary owner and multiple additional owners to a group:
- Ensure that every group has at least one owner:
- Add additional owners on a temporary basis, with automatic removal at a specified time:
- Identify orphaned groups based on the “ManagedBy” group attribute:
Conclusion
Managing security groups in Active Directory is a vital but challenging task. To avoid risks like excessive user access rights and orphaned groups, consider assigning multiple owners to each security group. Active Directory does not support multiple group owners, but Netwrix GroupID does. Moreover, it provides a wealth of additional functionality to enable effective group and user management.
FAQ
Can AD groups have multiple owners?
Normally, an Active Directory security group can have only a single owner. However, you can use a third-party tool like Netwrix GroupID to assign multiple owners to a security group.
How do I add a group owner in Active Directory?
In Active Directory, you can add a group owner by modifying the ManagedBy attribute of the group. Third-party tools such as Netwrix GroupID make it easy to assign both primary and additional owners to groups.
