There was a question over on Mark Minasi’s Active Directory forum on how to find unused Active Directory security groups. The answer quickly came that it is “a pretty hard problem to solve for real.” There are a few vendors that can offer reports/tools that show what file system permissions are associated with each group. But actually showing which are being used? Nope.
Since knowing what file system permissions each group can access didn’t really solve the original posters problem, another angle was suggested. The old “clear the membership and see who complains” technique. The poster was smart enough to suggest backing up the membership first and only doing the slash and burn on groups whose “whenChanged” attribute was a long time ago. Another smart part of the answer was to not do the usual “delete it and see who complains” because that loses the access that the security group was granting, you would need to re-apply that. But still, that is a lot of manual effort that does not need to be expended.
So what is a conscientious Active Directory admin to do about stale security groups? Expire them. Let the group owner know that the security group is going to expire in x days, give them a chance to renew it. If they fail to, expire the group which will effectively break it. If the group is still useful, the group owner can then choose to renew it. This sounds like it has all the pitfalls of the above approach but there is a huge exception. It is all automated.
GroupID will expire the Active Directory security group for you. It has all of the notifications built in and customizable. It backs up the membership and clears it for you. When renewed, it brings the membership back. It gives an Active Directory self service portal for the group owner to renew/expire.
And it works on distribution groups also. If your organization has an issue with stale security groups or unused distribution groups (GroupID can actually track distribution groups that are not being used), implement some group lifecycle action and expire these groups without all of the manual work.