This is a bit of a loaded question, because the answer is usually the readers of this blog: Active Directory administrators and the help desk. In most organizations (85%), Active Directory group creation is done manually, usually in ADUC. When done manually, it takes a long time to get a group created, and once created the group is ignored and left to rot on the vine. By the way, the vine is figurative; there should be no vines in your server room (#expert-tip).
The solution is quite obviously self-service for Active Directory. Delegate this stuff to your end users (and please do not give them access to ADUC; don't laugh, this happens). Let them create groups and maintain the membership. They're the ones who know who should and shouldn't be in their groups, right?
But IT needs control; otherwise that figurative vine grows out of control and you end up with group glut. The concrete problem is token bloat. A user's access token holds at most 1,024 SIDs, and after the well-known SIDs Windows adds on its own that leaves room for roughly 1,015 group memberships (direct and nested) before the user cannot log on at all. Trouble starts well before that magic number: every group also enlarges the Kerberos ticket, and once the ticket outgrows MaxTokenSize (12,000 bytes by default on Windows 7 / Server 2008 R2 and earlier, 48,000 bytes from Windows 8 / Server 2012 on) authentication to individual services starts failing even though logon still works.
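To see how close a given account is to either ceiling, here is an added PowerShell example (mine, not code from this post or from GroupID). It assumes the ActiveDirectory RSAT module and a domain-joined session with read access, and it uses Microsoft's published Kerberos sizing rule (KB 327825: TokenSize = 1200 + 40d + 8s) to estimate ticket size from the groups the DC says would land in the user's token.

```powershell
# Added example, not code from the post or from GroupID: estimate how close a
# user is to the two membership ceilings behind "token bloat". Assumes the
# ActiveDirectory (RSAT) module and a domain-joined session with read access.
#
#  - Access token: at most 1,024 SIDs; Windows adds roughly 9 well-known SIDs
#    itself, leaving about 1,015 group SIDs before logon fails outright.
#  - Kerberos ticket: the PAC grows with every group. Microsoft's sizing rule
#    (KB 327825) is  TokenSize = 1200 + 40*d + 8*s  bytes, where
#      d = domain local groups + universal groups from OTHER domains + SIDHistory entries
#      s = global groups + universal groups from the user's OWN domain
#    and the result must stay under MaxTokenSize (12,000 bytes by default before
#    Windows 8 / Server 2012, 48,000 from then on).

function Get-GroupBloatReport {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$MaxTokenSize = 12000,   # use 48000 only if every client and DC is Win8/2012 or later
        [int]$SidLimit     = 1015
    )

    # tokenGroups is a DC-computed attribute: the transitive (direct + nested)
    # set of security groups that would be placed in this user's token.
    $user       = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $groupSids  = @($user.tokenGroups)
    $homeDomain = $user.SID.AccountDomainSid.Value

    $d = @($user.sIDHistory).Count   # SIDHistory entries count toward d
    $s = 0
    foreach ($sid in $groupSids) {
        $group = Get-ADGroup -Identity $sid.Value -ErrorAction SilentlyContinue
        if (-not $group) { $d++; continue }   # not resolvable here: assume a foreign-domain group (worst case)
        switch ($group.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sid.AccountDomainSid.Value -eq $homeDomain) { $s++ } else { $d++ } }
        }
    }

    $estimate = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        User                = $user.SamAccountName
        GroupSidsInToken    = $groupSids.Count
        SidLimit            = $SidLimit
        EstimatedTicketSize = $estimate
        MaxTokenSize        = $MaxTokenSize
        Status              = if ($groupSids.Count -ge $SidLimit)        { 'LOGON WILL FAIL' }
                              elseif ($estimate -ge $MaxTokenSize)       { 'KERBEROS FAILURES LIKELY' }
                              elseif ($estimate -ge 0.8 * $MaxTokenSize) { 'WARNING' }
                              else                                       { 'OK' }
    }
}

# Usage: one user, or everyone in an OU (assumed DN) sorted by risk
# Get-GroupBloatReport -SamAccountName jdoe
# Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=corp,DC=example' |
#     ForEach-Object { Get-GroupBloatReport $_.SamAccountName } |
#     Sort-Object EstimatedTicketSize -Descending | Format-Table
```

The estimate errs on the high side on purpose: a SID the local domain cannot resolve is counted as a foreign universal or domain-local group (40 bytes rather than 8), because that is exactly the kind of membership that bites in multi-domain forests. The 1,015 check is the hard stop; the ticket-size check is the one that explains the "mystery" failures that show up long before it.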
Two things absolutely need to happen:
- Workflow on group creation
- Group expiration & lifecycle
The first one is key: if you are going to let users create groups, make sure that somebody who understands these issues has to approve the group before it is created. You really don't want an over-zealous end user creating yet another marketing group just because he doesn't like the existing one's name or doesn't know it exists.
Set it up so that their manager, the help desk, the Active Directory administrator or the CIO has to approve that group. Let the requester control the membership, but take a look at the request before saying yes.
Once these groups have been created, make the group owner work to keep them. Expire the group periodically (I believe every 90-180 days is appropriate), and make sure the group stops working if the owner hasn't renewed it, to give a sense of urgency.
In practice this means the group owner has to attest to the need for the group every 90 days (or whatever interval you pick). They should review the membership at that point and make sure it is accurate. At a minimum it keeps the group from being forgotten. Things like this make auditors and CIOs happy.
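If you do want to script the expiration and attestation part yourself, here is an added PowerShell example (mine, not code from this post or from GroupID) that implements the renew-or-stop cycle just described. Its conventions are assumptions, not AD standards: the owner lives in managedBy, the deadline is stored as "Expires=yyyy-MM-dd" in the group's info (Notes) attribute, the groups live under an assumed OU, and the account running it can modify groups there. The "stops working" step is done by flipping an overdue security group to a distribution group, which keeps the membership but drops the group's SID from every user's token.

```powershell
# Added example, not code from the post or from GroupID: a minimal renew-or-stop
# lifecycle for self-service groups. Assumptions (mine, not AD standards): the
# ActiveDirectory (RSAT) module; an account allowed to modify groups under
# $SearchBase; the owner recorded in managedBy; the renewal deadline stored as
# "Expires=yyyy-MM-dd" in the group's info (Notes) attribute.

$SearchBase    = 'OU=SelfServiceGroups,DC=corp,DC=example'   # assumed OU
$RenewalPeriod = 90                                          # days, as the post suggests

function Get-ExpiryStamp {
    param([int]$Days = $RenewalPeriod)
    'Expires=' + (Get-Date).AddDays($Days).ToString('yyyy-MM-dd')
}

function Set-GroupOwnerAndExpiry {
    # Run once when the approved group is created: name the owner and start the clock.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$OwnerSamAccountName
    )
    $owner = Get-ADUser -Identity $OwnerSamAccountName
    Set-ADGroup -Identity $GroupName -ManagedBy $owner.DistinguishedName -Replace @{ info = (Get-ExpiryStamp) }
}

function Invoke-GroupLifecycle {
    # Scheduled daily: warn owners as the deadline approaches, suspend groups
    # whose owner never renewed.
    param([int]$WarnDays = 14)
    $today  = (Get-Date).Date
    $groups = Get-ADGroup -SearchBase $SearchBase -LDAPFilter '(info=Expires=*)' -Properties info, managedBy

    foreach ($g in $groups) {
        if (-not ($g.info -match 'Expires=(\d{4}-\d{2}-\d{2})')) { continue }
        $deadline = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', [Globalization.CultureInfo]::InvariantCulture)
        $daysLeft = ($deadline - $today).Days
        $owner    = if ($g.managedBy) { (Get-ADUser -Identity $g.managedBy).UserPrincipalName } else { '<no owner>' }

        if ($daysLeft -lt 0 -and $g.GroupCategory -eq 'Security') {
            # Past due and never renewed: make the group stop granting access without
            # destroying its membership. A distribution group's SID is never placed
            # in an access token, so every ACL that references the group stops
            # matching as users next log on. Renewal flips it back to Security.
            # Caveat: check the Exchange side first for mail-enabled security groups.
            Set-ADGroup -Identity $g -GroupCategory Distribution
            Write-Warning "$($g.Name): expired $($deadline.ToString('yyyy-MM-dd')), access suspended until $owner renews"
        }
        elseif ($daysLeft -le $WarnDays) {
            Write-Host "$($g.Name): $owner must renew within $daysLeft day(s)"
        }
    }
}

function Confirm-GroupRenewal {
    # The owner's attestation. Only the managedBy principal may renew, and the
    # current membership is listed so the review happens at the same time.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$RenewingSamAccountName
    )
    $g     = Get-ADGroup -Identity $GroupName -Properties managedBy, info
    $owner = if ($g.managedBy) { Get-ADUser -Identity $g.managedBy } else { $null }
    if (-not $owner -or $owner.SamAccountName -ne $RenewingSamAccountName) {
        throw "$RenewingSamAccountName is not the registered owner of $GroupName"
    }
    Write-Host "Members of $GroupName at attestation time:"
    Get-ADGroupMember -Identity $g | Format-Table Name, SamAccountName, ObjectClass
    Set-ADGroup -Identity $g -GroupCategory Security -Replace @{ info = (Get-ExpiryStamp) }
}

# Usage (assumed names):
# Set-GroupOwnerAndExpiry -GroupName 'Marketing-Campaigns' -OwnerSamAccountName jdoe
# Invoke-GroupLifecycle                                   # from a daily scheduled task
# Confirm-GroupRenewal -GroupName 'Marketing-Campaigns' -RenewingSamAccountName jdoe
```

Suspending rather than deleting matters for two reasons: the owner who forgot gets the group back with its membership intact the moment they attest, and the suspension itself is the nudge, since access failing is what finally gets a forgotten group either renewed or, if nobody complains, deleted with a clear conscience after a further grace period.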
Only create Active Directory groups that you need. And only keep the Active Directory groups that are useful.
GroupID Self-Service offers all of this out of the box if you are thinking that it sounds like a bear to script.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.