I must admit: I’m a bit of a hoarder. Not in the “you can barely move around in my house amidst my 47 cats” kind of way; just in the “I probably keep things a bit too long” kind of way. I’m probably not going to use that rubber washer or that set of small hooks I kept from 10 years ago, but I’ve kept them anyway. It sometimes can be hard to recognize that everything has both its period of usefulness and its time to be thrown out.
Groups are the same way: we often “hoard” group members. Over time, group memberships bloat into a mess of entries that you are no longer certain can be removed. We are reluctant to remove these memberships because removing them might break some business process, or because we are not certain whether someone still needs the permissions granted through the membership.
In reality, a group and its members should never outlive the group’s purpose. You start a project, you create a group, users become members, they complete their part of the project, and they are removed. Simple, right? It just never happens that way. We know of at least one company that hoarded so badly it ended up with three times as many groups as users! If the number of groups is any indication of how poorly those groups are managed, think about how many of them still contain members who have not needed the membership in years.
In theory, this situation is really simple to fix: just stay on top of group membership and remove users when they no longer need access. It’s just that no one has the time to do this work consistently. There may be help in the future: the latest Technical Preview of Windows Server 2016 touts the ability to set a Time to Live (TTL) on a group membership, after which the directory removes the member automatically. But until then, for pretty much the entire IT world, it’s just not a reality.
Even when Server 2016 is released, setting a TTL will require PowerShell, so it will not be as easy as adding a group member and typing a value into a “TTL” box in ADUC. Other solutions, like GroupID from Imanami, address this with more granularity, simpler administration, and better accountability. Accordingly, for today and for the future, a third-party solution remains a viable option, depending on your temporary group membership needs.
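As an added illustration (not from the original post or from GroupID), this is what an expiring membership looks like with the Active Directory PowerShell module as it shipped in Windows Server 2016; the group, user and forest names are placeholders, and the script assumes a forest at the 2016 functional level.

```powershell
# Added example: temporary AD group membership via the Server 2016 TTL
# feature. 'Project-Alpha-Writers', 'jdoe' and the forest name below are
# placeholders; run this from an account that can enable forest features.

Import-Module ActiveDirectory

# Membership TTLs are part of the Privileged Access Management optional
# feature. Enabling it is a one-time, irreversible change per forest, so
# the cmdlet asks for confirmation before proceeding.
$forest = (Get-ADForest).Name
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target $forest

# Add the member with an 8-hour TTL. A domain controller removes the
# membership when the TTL expires; no cleanup job or follow-up is needed.
Add-ADGroupMember -Identity 'Project-Alpha-Writers' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 8)

# Review the members with their remaining TTL (in seconds). Permanent
# members are listed as plain distinguished names; expiring members are
# wrapped like "<TTL=28799,CN=John Doe,OU=Users,DC=corp,DC=example,DC=com>".
(Get-ADGroup -Identity 'Project-Alpha-Writers' -Properties member `
    -ShowMemberTimeToLive).member
```

Note that a user's Kerberos ticket lifetime is capped to the shortest TTL among their expiring memberships, so the group's rights are not retained in a cached ticket after the membership lapses.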
The concept of expiring memberships is not only sound; it is also necessary as part of maintaining a strong security posture. Without automatically removing memberships that are no longer appropriate, you increase your organization’s exposure to both insider threats and external attacks, since every stale membership is a set of permissions that an attacker who compromises that account inherits. By putting a solution in place that automates the expiration of group memberships and delegates responsibility to the people in the organization closest to each group’s purpose, you will have a cleaner, more correct, and more secure environment.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.