A customer asked recently, do you have any “best practices” in terms of naming your groups? To properly answer the question, we had to first understand why they were asking the question. After some discussion, we determined that they were just looking to find purpose and meaning to groups that were created before they were responsible for them. This seems to be an all too familiar situation.
As IT staff turnover occurs, new staff members do not have any historical reference as to a group’s purpose and the name of the group does not lead to any conclusions when you might expect it to. Group names like SB-CU-Proj123-Bridge makes no sense to the average user. I am sure the creator understood the reference, but as time passes the meaning is lost.
Fortunately, we were able to tell them a few best practices that help resolve this problem moving forward. The first obvious thing to tell them was to ensure consistency.
- Our first “best practice”: be consistent. Whatever rules you are to implement, be consistent over the life of the directory. What policies go into place now should remain in place and only be added upon.
- Leverage group naming prefixes. We know that many organizations like to enforce a group name prefix. To enforce a prefix, GroupID allows an IT administrator to specify one or more predefined naming prefixes that can be chosen from a drop-down menu. This type of configuration is then shared across all GroupID application on a server.
- Use regular expressions for enforcement. When delegating group creation through the GroupID Self Service application, the prefix along with group content name and suffix can be further enforced through the implementation of a regular expression on the web-based text entry element.
- Require group name descriptions. Especially important when delegating group creation, requiring a group to have a detailed description with purpose clearly detailed lifts away any future confusion as to purpose. Enforcement of this attribute in group creation can be implemented in the GroupID Self Service web-based portal.
- Require group creation approval through workflow. When groups are created, especially if done in a delegated fashion, require that the group creation be approved before actually implemented in Active Directory. Further to group creation, any future changes to the display name should also have workflow approval requirements.
Following just a few of these best practices will ensure that you and those who follow in your footsteps will have a clear understanding as to the purpose of any group that is created.