Who’s in charge here, anyway? Even if you have only a modicum of proper group management in place, your groups should at the very least document (a) how a given group is being used, in the Notes field, and (b) who is responsible for the group, in the Managed By field: responsible for the security the group grants, and for deciding whether the manager can also alter membership.
However, even if your groups have this much information in place, Active Directory provides very few tools to help prevent circular references when you assign members or managers. In fact, you can make just about any configuration you want, and Active Directory doesn’t care (nor should it).
To help illustrate this situation, we created two groups in Active Directory: AccountsPayable and AccountsReceivable. Then we made the following changes:
- Made each group a nested member of the other
- Set each group as the Manager of the other
- Configured each group so that the Manager can update group membership
While there is obviously no realistic use case for such a configuration in a production environment (or none that I can think of, anyway), this example clearly shows that it is possible in Active Directory to configure extremely circular assignments.
While it’s very unlikely that you’ve made such egregious errors in the management of your Active Directory groups, the fact that it’s so easy to do so convincingly demonstrates the need to validate memberships, owners, and the people with the ability to manage groups.
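One way to validate this offline is to walk the `member` and `managedBy` links between groups and report any loop. The following is an added example, not code from the original post; the group data is constructed to mirror the AccountsPayable/AccountsReceivable demo above (a real audit would load it from an LDAP or AD export instead).

```python
# Added example (not from the original post): detect circular nesting and
# circular Managed By assignments in an offline snapshot of AD group data.
from typing import Dict, List, Union

Attrs = Dict[str, Union[str, List[str]]]

# Constructed sample: group DN -> attributes. "member" is multi-valued,
# "managedBy" is single-valued, as in AD. Users are DNs not in this map.
SAMPLE_GROUPS: Dict[str, Attrs] = {
    "CN=AccountsPayable,OU=Groups,DC=example,DC=com": {
        "member": ["CN=AccountsReceivable,OU=Groups,DC=example,DC=com",
                   "CN=Alice,OU=Users,DC=example,DC=com"],
        "managedBy": "CN=AccountsReceivable,OU=Groups,DC=example,DC=com",
    },
    "CN=AccountsReceivable,OU=Groups,DC=example,DC=com": {
        "member": ["CN=AccountsPayable,OU=Groups,DC=example,DC=com"],
        "managedBy": "CN=AccountsPayable,OU=Groups,DC=example,DC=com",
    },
    "CN=Finance,OU=Groups,DC=example,DC=com": {
        "member": ["CN=AccountsPayable,OU=Groups,DC=example,DC=com"],
        "managedBy": "CN=Bob,OU=Users,DC=example,DC=com",
    },
}

def _targets(groups: Dict[str, Attrs], node: str, attr: str) -> List[str]:
    """Normalise a single- or multi-valued attribute to a list of DNs."""
    value = groups[node].get(attr, [])
    return [value] if isinstance(value, str) else list(value)

def find_cycles(groups: Dict[str, Attrs], attr: str) -> List[List[str]]:
    """Follow `attr` from group to group; return each distinct loop once.
    A DN that is not a group (e.g. a user) ends the walk, so a user as
    manager or member never produces a cycle."""
    cycles: List[List[str]] = []
    seen = set()                      # frozensets of already reported loops
    def walk(node: str, path: List[str]) -> None:
        if node in path:              # closed the loop: report it once
            loop = path[path.index(node):]
            if frozenset(loop) not in seen:
                seen.add(frozenset(loop))
                cycles.append(loop)
            return
        if node not in groups:        # user or foreign principal: stop
            return
        for nxt in _targets(groups, node, attr):
            walk(nxt, path + [node])
    for start in groups:
        walk(start, [])
    return cycles

def audit(groups: Dict[str, Attrs]) -> Dict[str, List[List[str]]]:
    """Report nesting loops and Managed By loops for periodic group review."""
    return {"member": find_cycles(groups, "member"),
            "managedBy": find_cycles(groups, "managedBy")}
```

Running `audit(SAMPLE_GROUPS)` reports one nesting loop and one Managed By loop between the two demo groups, while Finance (managed by a user) is clean.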
Part of the challenge of managing groups in Active Directory is the use of the Managed By field itself. This field is intended to identify who’s responsible, but it’s not Active Directory’s job to enforce it. For example, if another administrator who has rights over a given group object were to make a membership change, the manager doesn’t need to be involved, nor even notified.
In some ways, I think that the Managed By field gives organizations a false sense of completion: “OK, Bob’s going to manage this group,” and so on. In reality, the only way you can truly manage groups properly is by implementing a comprehensive Active Directory Group Management Lifecycle that involves both application and line-of-business owners in the process.
To get you started in the right direction, consider taking the following steps on a per-group basis:
- Start with the business: Don’t just jump into the properties of a group and start “cleaning things up.” Instead, evaluate the needs of the business to confirm that a subset of the organization (e.g. the Accounts Payable department) needs a group, either to provide access to resources or to create an email group alias.
- Assign a (human) owner: Select a person (ideally, someone who runs the department, application, or line of business) who will be responsible for managing membership.
- Make the assignment in AD: Once these first two steps are done, now go ahead and make the necessary changes to the Group object in Active Directory.
- Establish the management process: The owner needs to be included as an integral part of the process. For example, they must approve changes to group membership. After all, who knows which users should be members of the Accounts Payable group better than someone who is familiar with the people on the team and the access the group allows?
- Have periodic reviews: These reviews need to include confirming whether a group’s current membership is correct, whether the manager was kept in the loop as changes were made, and whether the group is still necessary.
Active Directory is merely the platform that reflects the processes and policies of the organization using it. Simply assigning managers doesn’t ensure that those individuals are part of the daily, ongoing changes. The best way to ensure that you avoid “running in circles” (instead of properly managing your Active Directory groups and the security they provide) is to implement the steps outlined above and to adopt best practices for managing groups in Active Directory.