Groups are the lifeblood of companies and organizations of every size with in their on-premise and hybrid environments. They are the foundation for security and accessibility to resources and email functionality. The challenge is keeping them updated and current after they are created. In many cases, IT is tasked (via tickets) to add and subtract employees as they come and go. Doing it this way is not timely and is not efficient. It involves a process in which the people who have a more familiar understanding of the staff needing access to data, systems, and applications first recognize that a modification is needed and then submit a request to IT.
It’s like throwing money down a hole. You know that when active directory group management is done this way it is costing IT time and resources. How much? Too much.
So, how do you really calculate the amount of time you’re spending managing active directory groups and how you can account for hidden cost of managing such groups with in active directory?
Imanami commissioned a Forrester Total Economic Impact report, and its analysts outlined some very simple ways to calculate the real cost of managing groups.
First, they broke the active directory costs into two separate activities:
- Active directory groups management due to employee turnover (the deprovisioning of departing employees from groups and the provisioning of new employees by IT security personnel).
- Ongoing updates to both active directory security groups and distribution groups (assumed to involve the process of users’ submitting tickets to the helpdesk)
Let’s look at the cost calculations for each.
Sticker SHOCKED: Calculating the Cost of Employee Turnover
This study assumes that you’re managing the Active Directory group lifecycle and that the appropriate group membership removals and additions are being performed regularly, thus Forrester focused on multiplying employee turnover per month with hours per update being performed in the organization to hourly cost of implementing those changes per month to 12 (months). Here is the summary of formula that Forrester used to calculate this cost:
Cost of Managing Active Directory Groups = Employee turnover per month x hours per update x hourly cost x 12 months
Assumptions:
- Active Directory group lifecycle is being managed
- AD Groups Provisioning & De-provisioning is being performed.
Armed with this formula, it’s merely a matter of plugging in the numbers. For example, let’s assume that you’re a larger enterprise with 10K employees, of which 100 employees leave every month, and it takes an IT pro an hour to perform the tasks necessary to ensure that all memberships have been properly updated. (Forrester calculated this to be an average of 3 hours, but we’ll keep it at 1 hour to simplify the calculation.)
The next step is to plug in the fully loaded hourly cost of the IT staffer and multiply that monthly cost by 12 to get the annual cost of managing Active Directory groups. If that IT staffer makes $60K a year, we can use the simple $30/hour number for illustrative purposes. Here is the resulting calculation:
100 employees x 1 hour x $30/hour x 12 months = $36,000
The important point to remember is that this cost is only for updating groups due to turnover. There are also the ongoing updates requested by employees.
Calculating the Active Directory Costs of Ongoing Updates with in Groups
The assumption here is that within your organization users submit tickets to the helpdesk, requesting changes to both active directory security and distribution groups — and these requests are made daily as business needs change. Forrester suggests that New/Changed group requests per month multiplied by average cost of solving a ticket in a month to 12 gives an estimate of cost of these ongoing updates requested by employees. This is the formula used by Forrester for this cost:
Cost of Solving Helpdesk Tickets (for Security & Distribution Groups Changes) = New/changed group requests per month x average cost per ticket x 12 (months)
Assumptions:
- Helpdesk tickers are being submitted by users in security and distribution groups.
- Requests are being made daily.
To continuing with our example above, let’s assume that our large enterprise would have add 600 new distribution lists per month and handle 2,000 updates every month. (These numbers are close to Forrester conclusions, which were based on its interviews with several organizations.) If an average helpdesk ticket costs $18 (Forrester’s assumption), this would be the resulting calculation:
2600 requests per month x $18 per ticket x 12 months = $561,600
Totaling up the Active Directory Cost
Even if you don’t agree with some of the assumptions used for these calculations (as you may think that you have fewer group change requests per month, or that it takes your IT team less time to update groups changes resulting from turnover), that’s ok. The key point here is that it’s important to determine what active directory groups management really costs your organization.
Another important consideration is that the total cost of managing active directory groups includes not only the tangible monetary costs outlined above but also the “lost opportunity” cost of the time not focusing on strategic initiatives. For this reason, the Forrester report also considers the prospect of using a solution that automates active directory group management and empowers self-service of daily changes.
Do the math yourself and see how much your organization is spending on managing active directory groups, then read the report yourself and see how you compare.
Then question is, how IT professionals can enable their organization to effectively reduce the cost of managing active directory groups and reduce the helpdesk tickets?
One approach would be to put an end to the chain of manual processes by automating the creation and management of Active Directory, Azure Active Directory and Microsoft 365 Groups and Users.
A simple, out-of-the-box tool can cut IT tickets by up to 50% and is depended upon by customers including McAfee, Splunk, Riverbed Technology, Palo Alto Networks, Nvidia, Samsung, Toshiba, Disney and more.
GroupID by Imanami solves real-world use cases while keeping data and systems secure.
Jonathan Blackwell
View ProfileSince 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.