We get a lot of searches for “recover Active Directory group membership”, mainly for this post on restoring group membership with dynamic groups. Imanami’s products don’t actually recover Active Directory group membership once the group has been deleted, but we do something that I find slightly more interesting in that context.
If you think about one reason someone would search to “recover group membership”, it’s because they deleted the group and want it back. Once a group has been deleted, it is a pain to get back. You lose the membership (a plain Active Directory tombstone keeps the objectSid but strips linked attributes such as member, so unless the AD Recycle Bin was enabled the member list is gone) and, more importantly, you lose every access right that was granted to that group: re-creating it under the same name produces a new SID, and each ACE that referenced the old SID now resolves to nothing.
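Before re-creating a deleted group it is worth checking what the directory still holds for it. The following is an added example, not code from this post or from GroupID: it uses the ActiveDirectory RSAT module to report whether the AD Recycle Bin is enabled and whether a deleted group still carries its SID and member list. The group name 'Finance-Share-RW' is a placeholder, and reading the Deleted Objects container needs Domain Admin-level rights by default.

```powershell
# Added example, not code from the post or from GroupID. Requires the ActiveDirectory
# RSAT module and read access to CN=Deleted Objects. 'Finance-Share-RW' is a placeholder.
Import-Module ActiveDirectory

function Get-DeletedGroupState {
    param([Parameter(Mandatory)][string]$Name)

    # AD Recycle Bin is a forest optional feature. With no enabled scope, a deletion
    # leaves a tombstone that keeps objectSid but drops linked attributes such as member.
    $feature    = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
    $recycleBin = @($feature.EnabledScopes).Count -gt 0

    # Deleted objects are only returned with -IncludeDeletedObjects, and their RDN is
    # mangled ("Name<DEL:guid>"), so match on msDS-LastKnownRDN rather than name.
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter "isDeleted -eq `$true -and objectClass -eq 'group'" `
        -Properties member, objectSid, lastKnownParent, msDS-LastKnownRDN, whenChanged |
        Where-Object { $_.'msDS-LastKnownRDN' -eq $Name }

    foreach ($g in $deleted) {
        [pscustomobject]@{
            Name            = $Name
            Sid             = $g.objectSid.Value
            DeletedOn       = $g.whenChanged
            LastKnownParent = $g.lastKnownParent
            RecycleBinOn    = $recycleBin
            # With Recycle Bin the member attribute survives; a plain tombstone has none.
            MembersKept     = @($g.member).Count
            ObjectGuid      = $g.ObjectGUID
        }
    }
}

# Restores the same object (same GUID, same SID), so existing ACEs resolve again.
# Membership comes back only if the Recycle Bin was enabled when the group was deleted.
function Restore-DeletedGroup {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    Restore-ADObject -Identity $ObjectGuid
}

# Usage (placeholder name):
# Get-DeletedGroupState -Name 'Finance-Share-RW' | Format-List
# Get-DeletedGroupState -Name 'Finance-Share-RW' |
#     Select-Object -First 1 | ForEach-Object { Restore-DeletedGroup -ObjectGuid $_.ObjectGuid }
```

If MembersKept is 0 and RecycleBinOn is false, the report is telling you what the paragraph above says: the SID is still restorable by reanimating the tombstone, but the member list has to be rebuilt by hand. Restore-ADObject also fails when the original parent OU no longer exists; its -TargetPath parameter lets you restore into a different container in that case.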
That’s why I say: don’t delete groups, expire them. Native Active Directory tools, of course, have no idea what I’m talking about; there is no native concept of an expiring group in Active Directory. That is where GroupID comes in, a third-party product to the rescue of Microsoft yet again!
GroupID adds a layer between a live group and a deleted one. In this expired state the group is broken, so it stops doing its job, but it is still recoverable. When GroupID expires a group it does one of two things, depending on the group type:
- Distribution group: mail-disable the group, hide it from the GAL and add the prefix exp- to the display name. Mail to the group is now rejected, so nobody can use it.
- Security group: back up the group membership, clear out the members, and add the prefix exp- to the display name. With no members, the group grants access to nothing for anybody, while the object, its SID and every ACE that references it stay intact. (Note: this is also why applying Deny rights to a security group is bad practice: emptying a group that carries a Deny entry lifts a restriction instead of removing an access right.)
The idea is that once you break the group, if somebody needs it, the owner(s) can easily renew it (reversing the changes listed above) and life goes on like nothing happened, except that next time the owner(s) won’t ignore the notification that the group is about to expire.
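The expire-and-renew cycle for a security group, done by hand with the ActiveDirectory RSAT module, as an added example that is not GroupID’s code and not part of the original post. The backup directory, the JSON backup format and the group name 'Finance-Share-RW' are illustrative choices, not anything the post prescribes.

```powershell
# Added example, not GroupID's code: expire and renew a security group the way the
# post describes. Backup path, file format and group name are placeholders.
Import-Module ActiveDirectory

function Expire-SecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$BackupDir = 'C:\GroupExpiry'
    )
    $group   = Get-ADGroup -Identity $Identity -Properties member, displayName
    $members = @($group.member)
    $label   = if ($group.displayName) { $group.displayName } else { $group.Name }

    # 1. Back up the membership before touching it. The file is keyed by objectGUID so a
    #    later rename cannot detach it from its group; the SID is kept for a sanity check.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir "$($group.ObjectGUID).json"
    [pscustomobject]@{
        DistinguishedName = $group.DistinguishedName
        ObjectSid         = $group.SID.Value
        DisplayName       = $label
        Members           = $members
        ExpiredOn         = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8

    # 2. Empty the group. The object and its SID survive, so every ACE that grants
    #    rights to it stays valid; it simply matches nobody until renewed.
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
    }

    # 3. Flag it so whoever investigates the broken access can see why.
    if (-not $label.StartsWith('exp-')) {
        Set-ADGroup -Identity $group -DisplayName ('exp-' + $label)
    }
    return $backup
}

function Renew-SecurityGroup {
    param([Parameter(Mandatory)][string]$BackupPath)
    $state = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    $group = Get-ADGroup -Identity $state.DistinguishedName -Properties displayName

    # Refuse to "renew" a group that was deleted and re-created under the same name:
    # a new SID means the old ACEs point at nothing, and refilling it grants nothing.
    if ($group.SID.Value -ne $state.ObjectSid) {
        throw "SID changed ($($state.ObjectSid) -> $($group.SID.Value)); this is a different group"
    }

    # Members removed from the directory since the expiry are skipped, not fatal.
    $present = foreach ($dn in (@($state.Members) | Where-Object { $_ })) {
        try   { (Get-ADObject -Identity $dn).DistinguishedName }
        catch { Write-Warning "Skipping $dn (no longer exists)" }
    }
    if ($present) {
        Add-ADGroupMember -Identity $group -Members $present
    }
    Set-ADGroup -Identity $group -DisplayName $state.DisplayName
}

# Usage (placeholder group name):
# $backup = Expire-SecurityGroup -Identity 'Finance-Share-RW'
# Renew-SecurityGroup -BackupPath $backup
```

One caveat the post does not spell out: group membership is evaluated when a user's access token is built at logon, so emptying the group does not cut off sessions that are already running. Users keep the group's SID in their token until they log on again (or obtain fresh Kerberos tickets), which is another reason expiring is a gentler operation than deleting.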
In the old days, the method was to delete it, see who called to complain, re-create it and do a Google search for “recover group membership.”
Recovering Active Directory group membership is tricky, and it’s better not to get yourself into that situation in the first place. Add this group lifecycle layer to Active Directory and you won’t have to use The Google to figure out how to get the group membership back.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.