azure groupID

Azure AD Gets on the Group Expiration Bandwagon

I recently wrote about the need for group expiration as part of a comprehensive lifecycle approach to group management. It’s a necessary step, given the life of group objects in any of the directories you manage won’t last forever. The only exceptions, generally, lie around built-in administrative-type…

Expired Groups

The End of Groups: The Case for Group Expiration

Many directories contain groups so old that even you don’t know why they exist, who uses them, and what they provide access to. It’s a more common problem than you’d think.  “We should be deleting groups then, right?” might be your initial response.  And while the answer is “yes” in the short run, the reality is…

Employee System of Record

Your Directory Needs an Employee System of Record (ESR)

The advent of cloud-based applications syncing their directories with source directories like Active Directory has forced organizations to think about the validity of the directory data. Some organizations look to users to self-service their account details (with no real incentive to do so, though), while others look to IT to keep the directory current (more…

office 365

Managing Microsoft 365 (and Office 365) Groups in the Enterprise

The shift to the cloud has many organizations focused on the productivity features available in a given cloud suite. And M365 is no exception. There’s a long list of applications in M365 – a list that’s continually growing. But using M365 isn’t just about productivity; it’s also about security and control for IT. And, like…

Group Lifecycle Management

AD Group Lifecycle Management – Group Attestation

Because of the lack of attention groups get throughout their lifetime, one of the greatest security risks an organization faces is when a group lives too long. Think about it – you have groups that exist today that, despite having a clear understanding of the logic behind its membership, you have zero idea why it’s…

Putting Life into AD Group Lifecycle

AD Group Lifecycle Management – Certifying Permissions

One of the greatest faults in the architecture of AD is the complete lack of documenting when someone assigns permissions to it.  You know what I’m talking about – you’re in SharePoint, or on a file server and you add some permissions to a resource.  You grab a list of users and groups from AD,…

Putting Life into AD Group Lifecycle

AD Group Lifecycle Management – Certifying Membership

If I was to ask you who are the members of a given group with permissions to some sensitive application or data set (one other than, say, Domain Admins), you probably don’t know the answer to that. It’s a bit of an unfair question, as none of us strive to memorize the membership of any…

AD Group Lifecycle

Putting Life into Active Directory Group Lifecycle Management

We’ve spent a lot of time and effort on this blog working to educate you on best practices around specific aspects of AD group management, such as roles for delegation, the use of dynamic memberships, defining Active Directory health, and more. All of these blogs are part of a larger view of groups – one…

Let Go

Letting Go: When Users Should Be in Control

I love those ridiculous commercials for the new selling service LetGo. People are holding onto an item that they just can’t seem to part with, despite the peril it may be putting them in. Like the one where the guy has the heavy bowling ball in one hand, and the other is grasping the bumper…

Group Management Delegation

Less Work, More Secure

I remember standing in front of a group of IT pros, talking about how to handle daunting tasks, and I jokingly asked, “By a show of hands, does anyone want to work for a living? Anyone?” I think we all know that working in IT can sometimes involve working with some very cool technologies, but…