If you’re like most IT professionals, you don’t bother to update an Active Directory group’s membership. What’s the big deal?
You may have read our articles about the realities of IT not focusing on groups, or about the importance of putting some basic management in place — or better yet, a full group lifecycle management strategy. The reason is simple: groups are the foundation of security and communications within your organization, and continued mismanagement can have an adverse impact on your business, often turning into a disaster.
The “potential risk” aspect of mismanagement should not be taken lightly. Users having too many permissions because they are members of too many groups can lead either to people taking advantage of inappropriate access or to people sharing credentials. Both situations undermine the security that groups are meant to provide.
But the potential risk goes far beyond users. For example, here is one case where computer memberships also create risk:
One of our customers used a Security Group whose membership included both User and Computer objects to grant VPN access. In this company’s case, the physical computers could be either company- or user-owned. So when an employee who used a personal computer to access the company’s VPN left the organization, even with their user account disabled, the computer object still had access to the corporate network, providing a foothold to anyone intending to do harm.
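A periodic membership audit is the simplest defense against the case above. The following PowerShell script is an added example, not code from the original post or from its author; it assumes the RSAT ActiveDirectory module is installed, and the group name `VPN-Users` and the 90-day staleness threshold are placeholders. It enumerates the group and flags disabled users, every computer object (a computer in an access-granting group is itself worth a look, since it grants network access independently of any user), and computers that have not logged on recently.

```powershell
# Added example (not from the original post): audit a security group that grants
# VPN access and report members that should no longer be there.
# Assumes the RSAT ActiveDirectory module; 'VPN-Users' and 90 days are placeholders.
Import-Module ActiveDirectory

$GroupName = 'VPN-Users'                     # placeholder: the group that grants VPN access
$StaleDays = 90                              # constructed threshold for "no recent logon"
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# -Recursive expands nested groups so only leaf user/computer objects come back.
$findings = foreach ($m in Get-ADGroupMember -Identity $GroupName -Recursive) {
    switch ($m.objectClass) {
        'user' {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties Enabled, LastLogonDate
            if (-not $u.Enabled) {
                [pscustomobject]@{ Member = $u.SamAccountName; Type = 'user'
                                   Issue  = 'account disabled but still in group' }
            }
        }
        'computer' {
            $c = Get-ADComputer -Identity $m.distinguishedName -Properties Enabled, LastLogonDate, ManagedBy
            # Any computer object here is reported: it grants access with no tie to a user.
            $issue = 'computer object grants access independently of any user'
            if (-not $c.Enabled) {
                $issue = 'computer disabled but still in group'
            } elseif ($c.LastLogonDate -and $c.LastLogonDate -lt $Cutoff) {
                $issue = "no logon since $($c.LastLogonDate.ToShortDateString())"
            }
            [pscustomobject]@{ Member = $c.Name; Type = 'computer'; Issue = $issue }
        }
        default {
            [pscustomobject]@{ Member = $m.Name; Type = $m.objectClass
                               Issue  = 'unexpected object class in an access group' }
        }
    }
}

$findings | Sort-Object Type, Member | Format-Table -AutoSize
```

Run it under an account that can read the group and its members; it only reports, so removing a stale computer or user remains a deliberate step after someone has reviewed the list. Scheduling it and routing the output to the group’s business owner turns a one-off cleanup into the kind of lifecycle management the post argues for.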
Beyond potential risk, the mismanagement of groups also has real-world implications. In many cases, mismanagement does real harm:
One of our customers had a Distribution Group designated for employees who were eligible to purchase company stock. Management of the group was left to IT (rather than to the business owner — in this case, someone in finance who is close to the details of who should be included in the group), and a number of eligible employees were not included.
An email went to the members of the distribution group giving them a choice to buy options, but with a specific deadline. The deadline came and went, and those few eligible employees missed out on the opportunity. It was not their fault, and they held the organization responsible.
Whenever you have humans responsible for maintaining a large list, there are going to be people included who should not be and people not included who should be. In this case, it was the latter and, with SEC rules around the purchase of stock options not allowing corrective action retroactively, the damage was real, as the stock price had already risen.
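The failure in this case is a membership list that drifted from the list the business owner actually holds. The following PowerShell script is an added example, not code from the original post or from its author; it assumes the RSAT ActiveDirectory module, and the group name `Stock-Option-Eligible` and the CSV path are placeholders for the real group and for a list exported by the business owner (a CSV with a `SamAccountName` column). It reports both kinds of error the paragraph describes: people who should be in the group but are not, and people who are in it but should not be.

```powershell
# Added example (not from the original post): reconcile a distribution group against
# the list its business owner maintains, reporting who is missing and who is extra.
# Assumes the RSAT ActiveDirectory module; the group name and CSV path are placeholders.
Import-Module ActiveDirectory

$GroupName = 'Stock-Option-Eligible'            # placeholder group name
$OwnerList = 'C:\Temp\eligible-employees.csv'   # placeholder: owner-supplied CSV, SamAccountName column

# Authoritative list, as the business owner (finance) exported it.
$authoritative = (Import-Csv -Path $OwnerList).SamAccountName | Sort-Object -Unique

# Current membership as AD sees it, users only, nested groups expanded.
$actual = Get-ADGroupMember -Identity $GroupName -Recursive |
          Where-Object objectClass -eq 'user' |
          Select-Object -ExpandProperty SamAccountName |
          Sort-Object -Unique

$diff = Compare-Object -ReferenceObject $authoritative -DifferenceObject $actual

# '<=' = only in the owner's list (eligible but missing); '=>' = only in AD (extra).
$missing = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$extra   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

"Eligible but NOT in group ($($missing.Count)):"
$missing
"In group but NOT eligible ($($extra.Count)):"
$extra

# The script only reports. Once the owner has confirmed the differences, the missing
# members can be added; -WhatIf shows what would change without touching the group.
if ($missing.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $missing -WhatIf
}
```

Because the owner’s list is the reference, the report is only as good as that export; the point of the design is that IT is no longer guessing who belongs, and the people who know the eligibility rules see every discrepancy before a deadline rather than after it.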
As you can see, in both cases, the disastrous results were the product of little more than not updating a group in AD. Even though the “amount” of mismanagement was seemingly small, the “degree” of mismanagement could — and did — cause material damage to the company and its employees.
Mismanagement of Active Directory groups takes on many forms — one of them being the lack of updating group memberships. If you’d like to learn more about the implications of mismanaging Active Directory groups, read the 7 Worst Habits of AD Group Management to see how you measure up.