Unless you’ve been living in an IT-less cave for the last 16 years, you’re probably well aware of the Managed By field in an Active Directory group, as well as the option to allow that specified manager to update group membership. When Microsoft created those fields, the intention was surely to help organizations distribute the workload of managing groups and help maintain a more secure environment. In practice, however, this tool doesn’t necessarily deliver the desired result.
Groups get ignored for long periods of time, memberships get stale or bloated, and no one has any idea of what permissions have been assigned — or maybe they’re not even being used. These manager-related fields may just be sitting there waiting for you to assign an owner.
Regardless of whether a manager is assigned or not, does anyone in the organization actually own a given group?
The answer to this question is not as simple as you might think. We need to look at three possibilities that exist for any given group’s management-related fields:
- Nothing specified: Your organization is simply leaving it up to IT to “manage” group membership. (I used quotes there to sarcastically indicate that no one is really going to do anything. After all, groups just don’t get the attention they deserve.)
- Managed By, but no Manager Can Update: You’ve selected a manager, but it’s in title only. The person specified is probably someone closer to the group’s membership, such as a department head or a line of business owner (and that’s a good thing, as IT can’t do this alone). However, you are still holding back the reins of management and waiting (and waiting…) on IT to make membership changes.
- Both populated: OK, so now we’re getting somewhere. You’ve specified a user or group that can actively manage memberships. But it remains to be seen if the manager is actually making changes. More on this later…
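To see which of these three states your own groups are in, here is an added PowerShell example (not part of the original post) that classifies every group under a given OU. It assumes the RSAT ActiveDirectory module, read access to group ACLs, and a hypothetical search base of `OU=Groups,DC=example,DC=com`; the “Manager can update membership list” checkbox is detected by the specific ACE it creates (WriteProperty on the `member` attribute for the manager), so a manager granted broader rights by other means is reported as “no Manager Can Update”.

```powershell
# Added example, not from the original post: classify groups into the three
# Managed By states. Assumes the RSAT ActiveDirectory module (which also
# provides the AD: PSDrive used by Get-Acl) and read access to group ACLs.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. The "Manager can update membership
# list" checkbox grants the manager WriteProperty on exactly this attribute.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Get-GroupOwnershipState {
    param([Parameter(Mandatory)][string]$SearchBase)

    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties managedBy, whenChanged
    foreach ($g in $groups) {
        $state     = 'Nothing specified'
        $canUpdate = $false

        if ($g.managedBy) {
            # managedBy holds a DN; it may point at a user or at another group.
            $managerSid = (Get-ADObject -Identity $g.managedBy -Properties objectSid).objectSid

            # Look in the group's own ACL for the ACE the checkbox creates.
            # Broader grants (GenericAll/GenericWrite, group-nested rights) are
            # deliberately not matched here, so they show up as "no Manager Can Update".
            $acl = Get-Acl -Path ("AD:\" + $g.DistinguishedName)
            $canUpdate = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ObjectType -eq $MemberAttributeGuid -and
                (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $managerSid
            })
            $state = if ($canUpdate) { 'Both populated' } else { 'Managed By, but no Manager Can Update' }
        }

        [pscustomobject]@{
            Group       = $g.Name
            State       = $state
            ManagedBy   = $g.managedBy
            CanUpdate   = $canUpdate
            WhenChanged = $g.whenChanged   # last change to any attribute: a coarse staleness hint only
        }
    }
}

# Hypothetical search base; replace with your own OU.
Get-GroupOwnershipState -SearchBase 'OU=Groups,DC=example,DC=com' |
    Sort-Object State, Group | Format-Table -AutoSize
```

Groups reported as “Nothing specified” or with a stale WhenChanged date are the natural starting point for the ownership reviews described below.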
In answer to the question above, you may be thinking the answer is no if your situation is either of the first two or yes if your situation is the third. Right? Wrong. None of these necessarily indicate that anyone is doing any kind of actual management of a group. They only specify that someone has been selected and is — potentially — empowered to do so.
To truly answer the question, IT needs to put some accountability in place, holding those responsible for a given group answerable for their actions (or inactions). There are three ways to tell if someone is actively owning a group or not:
- Is the group’s membership actively being managed? Periodic reviews should be set up to ensure that membership is up to date and properly reflects the current roles of users within your organization.
- Are the group’s permissions actively being managed? Similarly, someone needs to review the permissions with IT regularly to make sure that the permissions both allow users to accomplish their jobs and ensure the security of data and systems.
- Should the group continue to exist? In some cases, a group is no longer needed. (When is the last time you deleted a group? Probably never, right?) So, the owner should periodically attest to a group’s necessity. Otherwise, get rid of it.
If IT is asking these questions of group managers — and getting back answers — then you definitely have an owner of a group. If you have no one to ask, or simply aren’t getting back any answers, then your groups don’t have ownership in place.
Someone definitely needs to own each group in your Active Directory. And it’s equally important for IT to “own” those owners. At the end of the day, you need to create an environment where IT provides the service of Active Directory, but the ownership of a group, its members, its assigned security, and the daily management of said group all need to belong to someone who is close to a group’s usage and not someone who may be several degrees of separation away. In this way, IT can simply be responsible for putting accountability in place, and ensuring that the group owners are doing their job.