Q&A: Managing Active Directory

Best practices for managing groups in Active Directory.

There’s nothing static about a company’s staff, but keeping up with access rights, especially in large enterprises, can be a hassle.

I spoke with Robert Haaverson about the problems with managing Active Directory groups, the options available, and best management practices.

Enterprise Strategies: What’s involved in managing Active Directory groups, and why is it so difficult?

The difficulty in managing Active Directory Groups can be traced back to the volatility of users: they are always getting hired, changing jobs, getting promoted, and relocating. The more a user changes, the less likely they’re in the correct distribution and security groups. Users will always tell IT what new groups they need to be in but rarely suggest the ones that they should be taken out of. This creates security and productivity holes.

This problem is exacerbated by massive changes such as a company re-organization or a new government administration. Imagine a new Executive Office administration coming in with almost 100 percent new employees. Getting these new users in the correct groups could possibly take the entirety of the administration!

What options does IT have for managing Active Directory groups? What are the pros and cons of each?

There are a couple of ways that organizations currently manage groups in Active Directory.

The first option is that IT doesn’t do anything but manage the most obvious and important groups. This approach does not take a lot of IT time so it costs very little. However, an organization will get almost none of the value that accurate group membership can bring

The second option is to have system administrators manually manage group memberships. Groups are generally very accurate, thus increasing productivity and security, but this is an expensive option that takes a lot of time and resources of highly paid and highly trained IT personnel and the user.

Finally, IT can use a group management solution, either written internally or bought off the shelf. On the plus side, groups are generally very accurate thus increasing productivity and security, and this approach places very little strain on IT. Be careful, however; if the solution is written in-house, it is rarely scalable or supportable; if you buy a product off the shelf, it might not be customizable enough for your organization

What best practices can you suggest for managing Active Directory groups?

The most important step in a solid group management solution is to automate the groups that can be automated. To do this, Active Directory needs to be accurate and complete. A method to manage dynamic groups through queries will ensure that you can automate approximately 80 to 85 percent of distribution and security groups. For example, all HR directors in the Southwest region; if a new hire meets the criteria of department=HR, title=director, and state=AZ, they are automatically put into that group.

The second step is to use the wisdom of your end users and offer a means for self-service for group creation and membership. A portal where group owners can manage their group memberships and a user can opt-in to a group is essential for groups that cannot be automated. You have to have controls in place as to which groups can be opted into, who can create groups, and other means for IT to control the process.

These two steps to manage dynamic and static groups are essential during the useful lifespan of a group, but you have to have a way to expire and ultimately delete a group once it has outgrown its business usefulness. You will need a lifecycle management capability to expire and renew groups and to track their usage.

With these three steps you can ensure that all of your distribution and security groups are accurate while useful and then expired once they are not useful.

What best practices about securing your group can you recommend?

At the very least, internal distribution groups should be secured so that internet users cannot send to them. This is easy in Exchange 2007 with the authenticated senders setting but trickier in older versions. For older versions of Exchange, it is possible to set it up so that groups can only have members or owners send to it.

Make sure that all groups have owners -- especially for security groups that are granting access to resources, ensure that there is an owner and a description of the group. Otherwise, if the owner leaves the organization, you may not know why that group exists and what its use is for the organization. The worst way to find out is to delete it and have no way to get it back. A good practice is to check for group ownership before de-provisioning a user.

One problem with group management tools (usually those solutions with a Web interface that let end users manage groups in a self-service fashion) is that groups can proliferate. How do you prevent that from happening? Can automatic expiration solve the problem, and if so, what expiration policies do you recommend?

We call that group glut. More organizations have this problem than you would expect. Group expiration is the key to preventing group glut.

There are two ways to managing group expiration. The first works only for distribution groups and is remarkably simple: check to see if the groups are being used. If nobody is sending e-mail to a group for a specific timeframe, “expire” that group. The second counts on having group owners: create a time limit for groups to live, for example, 180 days. Once a group is approaching that time limit, give the group owner an opportunity to renew it for another 180 days or let it expire.

It is important to note the distinction between expire and delete. If you delete it, you cannot get the membership information back, so you need a way to “expire” the group, break its functionality but still renew it when the users call to admit they didn’t read your e-mail.

We have found that 180 days is a pretty good lifespan for a group, but you need the ability to have a custom lifespan on some groups. For example, domain administrators should never expire and annual meeting distribution groups should probably be 360 days. Also, the renewal method should allow for a group owner to synchronize the expiration dates of all of his/her groups so that renewing doesn’t become a chore.

What features and benefits do automated solutions offer?

A complete group management solution makes it easier to secure and manage groups and offloads administrative tasks to end users and to software. Accurate distribution groups improve productivity. Accurate security groups improve security. Automating the process lessens the burden on IT of managing groups.

We know that accurate distribution and security groups are valuable to the business and it just makes sense to automate their management rather than have highly trained and paid assets do it. These solutions can be built and customized in-house and not necessarily purchased off the shelf. The important thing is to have a solution.

What does GroupID offer to help manage Active Directory Groups?

Imanami has focused on group management for years. GroupID brings all of our expertise in group management under a single modular product. The modules, available separately, are Synchronize, Automate, Self-Service, and Reports. GroupID Synchronize allows an organization to ensure Active Directory’s accuracy by synchronizing with authoritative source(s). This allows GroupID Automate to create and manage dynamic groups through queries as simple or as complex as an organization needs.

The remaining static groups are managed through GroupID Self-Service, a customizable Web front-end for Active Directory. GroupID Reports monitors the health of Active Directory and your groups.

The defining feature of this release is Group Lifecycle Management, the ability to set expiration policies, allow group owner renewals, and have an expiration/deletion solution. GroupID will eliminate the problem of group glut.

Must Read Articles