There’s a line from a Doctor Who episode that has stuck with me: “We’re all stories, in the end.” It speaks to the finality that nearly everything, and everyone, eventually meets its demise and becomes nothing more than folklore. In IT this rings especially true. When you hear names like Novell, Adaptec, or Lotus, or terms like Token Ring or floppies (or anything else that takes you back to your early days in IT), you tell stories about them. See? Everything in IT eventually goes away.
Everything, that is, except for Active Directory Groups.
Groups in AD are one of those parts of IT that continue to exist even though no one really knows why they’re still here or what they’re for. They are the McDonald’s hamburger of IT: they have been sitting around for years, untouched, while everyone is pretty sure they’ve outlived their usefulness. In the case of groups, it’s because no one wants to be the one who deletes a group and causes some catastrophic company-wide failure (and in the case of the hamburger, it’s because it lets a couple of people get a little notoriety every few years).
And it’s a bit worse than just the groups. The same uncertainty about whether a group should exist also applies to its members, which makes the groups that should no longer be here that much riskier to the organization’s security. A forgotten group still carries every permission it was ever granted, on file shares, applications, and other groups it is nested in, so anyone added to it later inherits all of that without anyone noticing. Unknown permission assignments, repurposed groups, and a lack of oversight are a recipe for disaster.
So, should you just go on a group deletion rampage?
Obviously not, as it would make your catastrophe nightmares come true. But it is important to do a few things to ensure groups don’t live forever:
- Acknowledge that groups have their time – Just like when you were 7 and needed to accept that poor Goldie the goldfish needed to visit the toilet bowl in the sky, your groups, too, have their day of reckoning.
- Make someone responsible – To decide which groups need to be killed, someone has to work through all of your groups and ask “Is anybody using this group?” You can leave this work in the hands of IT, but it makes sense to delegate it to department heads, application owners, and others who are much closer to the current usage of the resources, applications, and systems that keep the business going.
- Let the killing begin – In many large organizations there are hundreds, even thousands, of groups with no members and no owner assigned, all putting the organization’s security at risk. Eliminating groups that are no longer needed makes the environment more secure with each one removed. Do it in stages, though: before deleting a group, check where it is referenced (ACLs, group nesting, application configuration), then disable it by stripping members or moving it to a quarantine OU for a retention period before the actual deletion. A deleted group’s SID cannot be recovered by recreating a group with the same name, so every ACL entry that referenced it is orphaned; make sure the AD Recycle Bin is enabled before you start.
- Take a lifecycle approach – The first three steps above are a tactical “get everything under control” exercise. In the long run you need a process that manages each group’s creation, permissions, membership, and deletion, including a named owner and a periodic attestation that the group is still needed.
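The review described in the four steps above, as an added PowerShell example (this is not code from the original post or from GroupID). It inventories every group in a search base, skips built-in groups, classifies each one by member count, owner and nesting, writes a CSV for the delegated reviewers, and stages the obvious candidates into a quarantine OU instead of deleting them. It assumes the RSAT ActiveDirectory module and a domain-joined session with rights to read and move group objects; the 180-day threshold, the quarantine OU name and the report path are placeholders to adjust.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example for the group review above; not code from the original post.
  Assumptions: RSAT ActiveDirectory module, domain-joined session, and the
  default values below (stale threshold, quarantine OU, CSV path) are placeholders.
  Run with -WhatIf first to see what would be moved.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase   = (Get-ADDomain).DistinguishedName,
    [int]   $StaleDays    = 180,
    [string]$QuarantineOU = "OU=Group Quarantine,$((Get-ADDomain).DistinguishedName)", # assumed OU
    [string]$ReportPath   = ".\group-review.csv"
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# One query for all groups with the attributes the review needs. 'Members' is the
# forward link (member attribute), 'MemberOf' shows where this group is nested,
# and 'ManagedBy' is the closest thing AD has to an owner field.
$groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties `
    Members, MemberOf, ManagedBy, Description, whenChanged, isCriticalSystemObject

$review = foreach ($g in $groups) {
    # Built-in groups (Domain Admins, Domain Users, ...) are never candidates.
    if ($g.isCriticalSystemObject) { continue }

    # Caveat: the member attribute does not list accounts whose primaryGroupID points
    # at this group, so a custom primary group can look empty here. whenChanged is a
    # hint only: it is not replicated and any attribute write bumps it.
    $memberCount = @($g.Members).Count
    $nestedIn    = @($g.MemberOf).Count
    $hasOwner    = -not [string]::IsNullOrEmpty($g.ManagedBy)
    $stale       = $g.whenChanged -lt $cutoff

    if ($memberCount -eq 0 -and -not $hasOwner -and $stale) { $action = 'Quarantine' }
    elseif ($memberCount -eq 0 -and $hasOwner)              { $action = 'AskOwner' }
    elseif ($memberCount -gt 0 -and -not $hasOwner)         { $action = 'AssignOwner' }
    else                                                    { $action = 'Keep' }

    [pscustomobject]@{
        Name        = $g.Name
        DN          = $g.DistinguishedName
        Scope       = $g.GroupScope
        Category    = $g.GroupCategory
        MemberCount = $memberCount
        # NestedIn > 0 on an empty group is the risky case: whoever is added later
        # inherits every grant of the parent groups.
        NestedIn    = $nestedIn
        ManagedBy   = $g.ManagedBy
        WhenChanged = $g.whenChanged
        Action      = $action
    }
}

# Hand the list to the people who know whether the group is still used.
$review | Export-Csv -Path $ReportPath -NoTypeInformation

# Stage 1 of "let the killing begin": do not delete. Move candidates to a quarantine
# OU and stamp the description, so anything still depending on the group fails in a
# way that is easy to trace and easy to reverse. Delete only after the retention
# period, with the AD Recycle Bin enabled; a recreated group gets a new SID and the
# old ACEs stay orphaned.
foreach ($item in ($review | Where-Object Action -eq 'Quarantine')) {
    if ($PSCmdlet.ShouldProcess($item.DN, "Move to $QuarantineOU")) {
        Set-ADGroup -Identity $item.DN `
            -Description ("QUARANTINED {0:yyyy-MM-dd} by {1}" -f (Get-Date), $env:USERNAME)
        Move-ADObject -Identity $item.DN -TargetPath $QuarantineOU
    }
}

# Summary for the person running the review.
$review | Group-Object Action | Select-Object Name, Count
```

Run it as `.\Review-Groups.ps1 -WhatIf` first; nothing is moved and the CSV still shows who should be asked about which group. Groups classified `AskOwner` and `AssignOwner` are the ones to delegate to department heads and application owners; only `Quarantine` is acted on automatically, and even then by moving rather than deleting, so the lifecycle step can add the actual deletion once the retention period has passed.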
None of this is rocket science, but it is meticulous work (and a lot of it in some cases). Skip it and any changes you make in the future simply add to the problem. It’s not particularly fun, but it’s important work that will have a material impact.
There’s more to that Doctor Who quote, by the way, that is quite relevant. After “We’re all stories, in the end,” the Doctor goes on to say “Just make it a good one, eh?” Many of your groups will outlive their usefulness and should become “just a story.” So make it a good one, by managing each group well for as long as it is in use.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.