permissions-certified

If you’re like most IT professionals, after a group is created, you never really give that group a second thought. Once you go to the Members tab, add a user or two, and press OK, you don’t look back. It makes sense — it’s just groups, right? I mean, who cares? Perhaps the better question to ask yourself is should you care?

I recently participated in an Imanami webinar where we sought to understand what IT pros are really doing (or not doing, as the case may be) when it comes to managing groups. The discussion raised some very interesting points.

Before we begin, some background about the questions being asked may be in order. When it comes to Active Directory groups, there are three parts to managing groups as a true lifecycle, from cradle to grave. (Yes, you should be killing off groups every once in a while.) The three parts are as follows:

  • Certifying group membership: Someone within your organization should be responsible for periodically validating that the membership is correct, both for users and for nested groups.
  • Attesting to the group’s very existence: This may seem like an odd requirement, but consider that a group should exist only if it’s actually being used. The person who will attest that the group is still needed and is still in use should probably be a line of business owner — rather than someone in IT.
  • Certifying assigned permissions: Once you’ve addressed the core issues related to group management, membership, and attestation, assigning permissions becomes a parallel effort to ensure that both the membership of the group and the group’s permissions are correct.

When these three steps are implemented properly, you will have your Active Directory groups under control. While this is an easy statement to make, the question becomes what does the proper management of Active Directory groups look like?

In that webinar, we asked the audience to share how often they perform the tasks mentioned above. Check out the results below, and see how you compare.

Certifying Group Membership & Assigned Permissions

We asked the webinar participants to identify the last time they verified the membership of a group, as well as the last time they verified the permissions assigned to a group. It’s important to note that we asked them to think of the very last time they did it, not the frequency of how often they do it. Accordingly, the answers below represent the best-case scenario for their organizations.

How often are group permissions certified?
How often are group memberships certified?

The most surprising results of this survey may be that nearly a quarter of the organizations never certify memberships and nearly a third never certify permissions. Based on this data, you might guess that it’s the same organizations that just aren’t doing anything, but a deeper dive into the data revealed that only 6% of organizations answered Never to both questions.

Verifying Ownership

Percentage of Groups with Defined Owners

Although it’s not the same as attesting to a group’s existence, defining an owner for a group (by having someone specified in the Managed By field in a group object) is a leading indicator of whether there is at least someone who is responsible.

When we asked the participants what percentage of their groups have a defined owner, the percentages were shockingly low. (See chart.) Almost half of the organizations have defined an owner for less than 10% of their groups. This is a strong indication that many organizations, if not most, never attest a group’s existence.

Getting Groups Under Control

If your organization is like those that do not consistently manage Active Directory groups, one way to gain — or re-gain — control over your groups is to re-examine the three parts of a group management lifecycle and evaluate whether implementing these steps makes sense for your organization. As you consider these options, here are a few questions to get you started:

  • How do you compare to other organizations?
  • Does each of your groups have a defined owner?
  • Do you verify permissions and memberships? If so, how often?

Please feel free to share your thoughts and observations in the comments below.