We’ve spent a lot of time and effort on this blog working to educate you on best practices around specific aspects of AD group management, such as roles for delegation, the use of dynamic memberships, defining Active Directory health, and more. All of these blogs are part of a larger view of groups – one that seeks to ensure proper management throughout a group’s life. From the moment it’s created, a group should come under scrutiny – should it even be created? Is there an existing group that already meets the intended needs of the new group?
This same scrutiny continues throughout a group’s lifecycle, as it changes memberships, has permissions assigned to it, and continues until the group outlives its usefulness and is no longer needed. It occurred to me that we’ve talked so much about the tasks associated with Active Directory Group Lifecycle Management, but have put so little here to actually define it.
So, this blog is the first in a four-part blog series on how to properly manage a group through its entire lifecycle. In this first blog, we’ll take a high-level look at a definition of the lifecycle, and spend the next 3 blogs drilling down into the strategy, necessary tasks, and best practices for each part of the lifecycle.
What’s in the Lifecycle?
As previously mentioned, every aspect of a group needs to be scrutinized – this is because groups usually serve as the basis for every bit of security in your organization – on-prem, into Microsoft 365 (and Office 365), and even as the basis for critical security initiatives like IAM, DLP, etc. So, IT organizations need a mature lifecycle management structure to follow, to ensure that groups should exist, are configured properly, and have the right membership.
The AD Group Management Lifecycle looks a bit like this:
In the center are the tactical actions you focus on when managing groups – the creation, configuration, modification, and – eventually – deletion of groups. But what we want you to focus on is the outer ring; it’s these three parts of the lifecycle – Attestation, Membership Certification, and Permissions Certification – that make up the AD Group Management Lifecycle.
The goal of implementing a Group Management Lifecycle is to elevate the organization’s approach to group management in a way that accomplishes a few things:
- Involves more of the organization to ensure groups, and their configuration, are correct
- Creates a more secure AD – and, therefore, the entire network – through better established processes
- Creates less work for IT through proper delegation of responsibility
- Results in a much cleaner, more accurate Active Directory
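As an added example (not part of the original post or any product it describes), the script below builds the starting worksheet that the outer-ring activities need: for every group it records who can attest to it (ManagedBy), how many members it has, and when it last changed, and flags the groups that cannot pass attestation as-is because they have no owner, no members, or no description. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the caller can read group objects, and that the output path is whatever your reporting share happens to be.

```powershell
# Added example: group certification worksheet for the AD Group Management Lifecycle.
# Assumes the RSAT ActiveDirectory module; the CSV path is an assumption.
Import-Module ActiveDirectory

$report = Get-ADGroup -Filter * -Properties ManagedBy, Description, whenCreated, whenChanged, Members |
    ForEach-Object {
        $members = @($_.Members)   # distinguished names of direct members
        [PSCustomObject]@{
            Group         = $_.Name
            Scope         = $_.GroupScope
            Category      = $_.GroupCategory
            # Attestation: the owner is who signs off that the group should still exist
            Owner         = if ($_.ManagedBy) { (Get-ADObject -Identity $_.ManagedBy).Name } else { '' }
            Description   = $_.Description
            # Membership certification: the owner reviews these members next
            MemberCount   = $members.Count
            Created       = $_.whenCreated
            LastChanged   = $_.whenChanged
            # Flags: nobody to attest, nothing to certify, or no stated purpose
            NeedsOwner    = [string]::IsNullOrEmpty($_.ManagedBy)
            IsEmpty       = ($members.Count -eq 0)
            NoDescription = [string]::IsNullOrEmpty($_.Description)
        }
    }

# Full worksheet for the certification campaign
$report | Export-Csv -Path 'C:\Reports\group-certification.csv' -NoTypeInformation

# Groups that need attention before attestation can even begin
$report |
    Where-Object { $_.NeedsOwner -or $_.IsEmpty -or $_.NoDescription } |
    Sort-Object NeedsOwner, IsEmpty -Descending |
    Format-Table Group, Owner, MemberCount, LastChanged, NeedsOwner, IsEmpty, NoDescription -AutoSize
```

The worksheet covers attestation and membership certification only; permissions certification (which ACLs, shares, and applications reference each group) has to be collected from the resources themselves and is not something the group object can tell you.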
Over the next three blogs, we’ll cover each of the three parts of the AD Group Management Lifecycle, diving into the what, how, and why of each – all in an effort to make the foundation of your network’s security (groups) correctly configured, more secure, and easier to manage.
In our next blog, we’ll begin with the certification of group memberships – one of the greatest sources of insecurity within your organization.