We get a lot of people coming to us for our free Active Directory reporting tool. Whenever I have the chance, I ask them what they are looking to report on.
Often, the answer is that they are looking for an easy way to see group membership in Active Directory. They don’t have a great way of knowing which users are in what groups. (OK, I know you can use PowerShell!) Fair enough. Our reports certainly show that.
But why do you want to know?
The obvious reason is that you don’t trust that your groups are up to date. You don’t have a good way of knowing whether a group is being used and, if it is, whether the right people are in it.
If groups are being maintained manually, how can you know? How are you supposed to know if Jenny is still in the Minneapolis office on the birthday cake committee?
But if a few simple attributes are kept up to date in Active Directory, you can automate who belongs in which groups and provide for exceptions.
Then, you can delegate the management of the group to the person who actually uses it to provide permissions or to disseminate information.
As a final step, you can put a lifecycle on the group that requires the owner to renew it on a regular cycle for as long as it is useful to the business. When it is no longer useful, expire the group and let it be gone from Active Directory.
Now you have group memberships in Active Directory that are maintained dynamically and are presently useful to the business. No more mysteries. No more mind-numbing reports.
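The steps above (attribute-driven membership, exceptions, an owner, and a renewal cycle) can be sketched as a reconciliation plan. This is an added example, not code from the reporting tool or its vendor; the group name, users, rule, and the `Get-GroupPlan` function are constructed for illustration, and the sample objects stand in for what a directory query would return.

```powershell
# Constructed sample data (assumption): stands in for directory query results.
$users = @(
    [pscustomobject]@{ Sam = 'jenny';   Office = 'Minneapolis'; Enabled = $true  }
    [pscustomobject]@{ Sam = 'raj';     Office = 'Minneapolis'; Enabled = $true  }
    [pscustomobject]@{ Sam = 'maria';   Office = 'Chicago';     Enabled = $true  }
    [pscustomobject]@{ Sam = 'oldacct'; Office = 'Minneapolis'; Enabled = $false }
)

# Hypothetical group definition: attribute rule, exceptions, owner, lifecycle.
$group = [pscustomobject]@{
    Name           = 'MSP-Birthday-Cake-Committee'
    Owner          = 'jenny'
    Rule           = { param($u) $u.Enabled -and $u.Office -eq 'Minneapolis' }
    Include        = @('maria')          # exception: member despite the rule
    Exclude        = @('raj')            # exception: never a member
    Members        = @('jenny', 'raj', 'oldacct')   # current (stale) membership
    RenewedOn      = [datetime]'2024-01-15'
    RenewEveryDays = 180
}

function Get-GroupPlan {
    param($Group, $Users, [datetime]$AsOf)

    # Lifecycle check first: an unrenewed group is expired, not repaired.
    $due = $Group.RenewedOn.AddDays($Group.RenewEveryDays)
    if ($AsOf -gt $due) {
        return [pscustomobject]@{
            Group = $Group.Name; Action = 'Expire'; Add = @()
            Remove = @($Group.Members); Owner = $Group.Owner
        }
    }

    # Desired membership = (rule matches + includes) minus excludes.
    $byRule  = @($Users | Where-Object { & $Group.Rule $_ } | ForEach-Object { $_.Sam })
    $desired = @(($byRule + $Group.Include) |
                 Where-Object { $_ -notin $Group.Exclude } | Sort-Object -Unique)

    [pscustomobject]@{
        Group  = $Group.Name; Action = 'Reconcile'; Owner = $Group.Owner
        Add    = @($desired | Where-Object { $_ -notin $Group.Members })
        Remove = @($Group.Members | Where-Object { $_ -notin $desired })
    }
}

# Within the renewal window: adds maria, removes raj and the disabled account.
Get-GroupPlan -Group $group -Users $users -AsOf ([datetime]'2024-03-01')
# Past the renewal date: the plan is to expire the group.
Get-GroupPlan -Group $group -Users $users -AsOf ([datetime]'2024-09-01')
```

Against a live domain, the `Add` and `Remove` lists would feed `Add-ADGroupMember` and `Remove-ADGroupMember` from the ActiveDirectory module, reviewed as a plan before anything is changed.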