Group Management Delegation

I remember standing in front of a group of IT pros, talking about how to handle daunting tasks, and I jokingly asked, “By a show of hands, does anyone want to work for a living? Anyone?” I think we all know that working in IT can sometimes involve working with some very cool technologies, but it can be a never-ending, sometimes thankless job. And with the responsibility of keeping the entire environment secure (in addition to just keeping in running), that list of never-ending tasks continues to multiply.

What if I told you there was a way to do less, but have your environment actually be more secure?

Group Management Delegation

Yes, this is entirely possible. If you’ve read some of our previous blogs, you already know that your Active Directory groups often represent the core of your company’s security. They are the foundation for many, if not most, of the granted permissions across a multitude of AD-integrated enterprise solutions. And yet, they never get the attention they require. The reason? You have to do all that other stuff that we just talked about.

If groups are central to your security, but you have no time to focus on them, how do you ensure that you’re secure and somehow not add to the pile of tasks you already have?

The answer lies in delegating — an activity that may be well outside of your IT comfort zone. If the right tools are in place, IT can have at its disposal an arsenal of power-hungry minions just waiting to do its bidding. Who are these willing participants? Heads of departments, line of business (LOB) owners, application owners, etc. — people who are all many, many degrees of separation closer than you to the people who need access, to the permissions required to do their jobs, and to the changes that occur to both on a regular basis.

By enlisting these people to participate in an organized Active Directory group management lifecycle, you will be able to offload the daily work of approving group membership and permission changes.

So, by delegating these responsibilities, we’re able to achieve the goal of “less work.” But would you be more secure?

If you simply tell LOB owners that they’re in charge of their groups, of course you would not be more secure. They won’t know what to do, and the burden will fall back on IT (and we’d be back in the same boat that you’re in today). This is why it’s so important to implement an Active Directory group management (ADGM) lifecycle.

ADGM is far more than just giving someone the rights in Active Directory to manage a group. It’s a company-wide initiative to leverage the knowledge of the people closest to a group’s purpose and make them part of an on-going process in which:

  • The daily management of a given group is addressed by the group owner.
  • All group owners participate in a somewhat regular review to attest to a group’s assigned permissions, its membership, and its very existence.

Think about it: if you had group owners actually telling you that certain people shouldn’t be members of that group — or even better, telling you that a group (especially a group that has access to sensitive resources within the company) is no longer needed and can be deleted (gasp!) — you’d be tightening down your security with each update to membership, each validation of permissions, and each group deleted.

The opportunity to raise your hand and vote to not “work for a living” is right there in front of you. You simply need to take the initiative to distribute responsibility across your organization and implement an appropriate ADGM lifecycle strategy.