When I was a kid, I remember playing in my room for hours on end, playing with new toy after new toy. Of course, being a kid, I never put anything away, so the number of toys just sitting around kept growing and growing. When my parents finally saw that my floor was riddled with so many toys that you couldn’t tell what color the carpet was, they did what every parent would do. They told me to clean it up.
In the IT world, you would think a situation rarely gets so far out of control that IT professionals simply stop touching it. That doesn’t happen. Or does it?

Unfortunately, it does. Active Directory groups are a lot like those toys in my room as a kid. Before you know it, you have let groups spin out of control, leaving you with a pile of groups that have the wrong members, no members at all, no record of why they exist, where they are used (file-share ACLs, GPO filtering, application roles), who is responsible for them, or whether any of them can be removed safely.
Just like cleaning my room, when you finally stop and take a look, the problem has grown to the point where you feel paralyzed by the size of the job you need to tackle.
Here are a few reasons why groups in Active Directory are often in such a state and why you might feel paralyzed:
- You weren’t paying attention. As a kid, I was too focused on the next toy or game to think about putting the previous toy away first. In the same way, every IT pro is too busy with more urgent tasks to keep group memberships and permissions in the spotlight. That lets groups take on a life of their own, especially when you’re not watching.
- Others helped make the mess. How many times as a kid did your friends come over, make a disaster area of your room, and then leave without helping clean it up? AD groups often suffer from the same treatment. Many individuals create groups, change memberships, and assign permissions, all without coordinating with each other. Groups get repurposed when they shouldn’t be, so memberships become muddled and a group that once scoped one resource ends up granting access to many, which is a real security risk. And then, like the toys, you’re left frustrated about having to clean up everyone else’s mess.
- You don’t know what you have. That mess of toys is covering other toys, which are covering even more toys. In the same way, you have groups without members, groups nested inside other groups (so the effective membership is larger than it looks), and no idea what permissions were assigned in the first place, all of which makes it impossible to figure out what’s important and what isn’t.
- You don’t know where to start. Those layers of toys made it impossible for me to mentally organize even how to approach the massive problem that was my room, let alone actually getting the work done. Without knowing which of your AD groups are really in use, it’s easy to understand why a starting point is hard to find.
- You’re not sure where to go. It was easy to find all those toys on the floor, but remembering where each one was supposed to go was not. I’ve heard of a company with over 1,000 groups with no members. When the current state of your groups can be summarized with a question mark, it’s hard to form a picture of how they should look once you’re done cleaning them up.
The paralysis is understandable — we’ve all been there. You spend cycles simply staring at the problem instead of formulating (and executing) a plan to get the job done. Even so, you still need to “clean up your room.” So, how do you get it done?
- Start with the known groups. You need to start somewhere to get the cleanup going, so begin with groups you are very familiar with (Domain Admins, department groups, and so on), any group for which you personally know who should be a member.
- Focus on what you can easily control. Verifying membership should be easy enough, as long as you check the effective membership, with nested groups expanded, rather than just the direct member list. You may need to ask a department head or line-of-business owner, but you can get that cleaned up quickly. Assigning an owner (someone in IT, the department head, or the line-of-business owner) via the Managed By field is also a good practice. Keep in mind that Managed By is a record, not a permission: the owner cannot change membership unless you also grant that right. At a minimum, this person becomes the go-to contact the next time you perform this cleanup.
- Switch to the lesser-known groups. As you continue, repeat the first two steps on the more obscure groups. Groups with no members need some detective work before you delete them: an empty group can still be nested in another group, referenced on a file-share ACL, or used in a GPO security filter, and once a group is deleted its SID is gone. Recreating a group with the same name produces a new SID, so any ACL that referenced the old one stays orphaned (only the AD Recycle Bin can bring the original back). Moving such groups into a holding OU for a while before deleting them is the safer route.
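As an added example (my own, not code from the original post or from GroupID), here is a PowerShell pass that follows the three steps above using the RSAT ActiveDirectory module. Every write is guarded with -WhatIf, so it runs read-only until you remove that switch. The group names HR-Staff and hr.manager, the share path and the quarantine OU are assumed placeholders; only Domain Admins is a real well-known group.

```powershell
# Added example, not from the original post: triage AD groups for cleanup.
# Assumed placeholders: 'HR-Staff', 'hr.manager', '\\fileserver\share',
# and the OU 'OU=Group-Quarantine,DC=corp,DC=example'.
Import-Module ActiveDirectory

# Pull every group once with the attributes the cleanup needs. Reading the
# Members attribute directly sidesteps Get-ADGroupMember's default 5,000-entry
# limit and its failures on foreign security principals.
$props  = 'Members','ManagedBy','MemberOf','Description','whenCreated','whenChanged','isCriticalSystemObject'
$groups = Get-ADGroup -Filter * -Properties $props

$report = foreach ($g in $groups) {
    [pscustomobject]@{
        Name        = $g.Name
        Category    = $g.GroupCategory       # Security groups can sit on ACLs; Distribution cannot
        Scope       = $g.GroupScope
        Members     = @($g.Members).Count
        NestedIn    = @($g.MemberOf).Count   # how many other groups contain this one
        HasOwner    = [bool]$g.ManagedBy
        HasDesc     = [bool]$g.Description
        Builtin     = [bool]$g.isCriticalSystemObject
        LastChanged = $g.whenChanged
        DN          = $g.DistinguishedName
    }
}
$report | Export-Csv -Path .\ad-group-triage.csv -NoTypeInformation

# Step 1: the groups you already know. -Recursive expands nesting, so what you
# see is the effective membership, which is what actually needs verifying.
foreach ($name in 'Domain Admins', 'HR-Staff') {
    "== $name (effective members, nesting expanded) =="
    Get-ADGroupMember -Identity $name -Recursive |
        Select-Object -ExpandProperty SamAccountName
}

# Step 2: record an owner in Managed By (the managedBy attribute). This is
# documentation only; it does not let the owner edit membership unless you
# also grant that right (the "Manager can update membership list" box in ADUC).
$owner = Get-ADUser -Identity 'hr.manager'
Set-ADGroup -Identity 'HR-Staff' -ManagedBy $owner -WhatIf   # drop -WhatIf to commit

# Step 3: the lesser-known groups. Work the unowned ones first, largest
# membership first, since those carry the most access.
$report | Where-Object { -not $_.Builtin -and -not $_.HasOwner } |
    Sort-Object Members -Descending |
    Format-Table Name, Category, Members, NestedIn, HasDesc, LastChanged -AutoSize

# Empty groups: no members does not mean unused. Check what the directory can
# tell you: is it nested in another group, is it a security group (so it may be
# on an ACL or in a GPO filter), and when was it last touched?
$empty = @($report | Where-Object { $_.Members -eq 0 -and -not $_.Builtin })
$empty | Sort-Object LastChanged |
    Format-Table Name, Category, NestedIn, LastChanged, DN -AutoSize

# The directory cannot see file-share ACLs. Spot-check one share root for the
# first candidate by account name (DOMAIN\name form of the ACE identity).
if ($empty.Count -gt 0) {
    $candidate = Get-ADGroup -Identity $empty[0].DN
    (Get-Acl -Path '\\fileserver\share').Access |
        Where-Object { $_.IdentityReference.Value -like "*\$($candidate.SamAccountName)" }
}

# Prefer quarantine over deletion. A deleted group's SID only comes back via
# the AD Recycle Bin (Restore-ADObject); a recreated group gets a new SID and
# every ACL that named the old one stays orphaned. Moving keeps the SID intact.
$quarantine = 'OU=Group-Quarantine,DC=corp,DC=example'
foreach ($e in $empty) {
    Move-ADObject -Identity $e.DN -TargetPath $quarantine -WhatIf   # drop -WhatIf to commit
}
```

Run it from a workstation with RSAT as an account that can read the directory; nothing is changed until you remove -WhatIf. The whenChanged column is only a rough signal: it updates on any attribute write, and not on reads, so a group that is referenced by an ACL but never edited can look idle for years. That is exactly why the holding OU and a waiting period come before Remove-ADGroup.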
Let’s be honest. These steps are pretty straightforward, perhaps even simple, much like tidying your room. Getting it cleaned up wasn’t that much work: start with one kind of toy and pick all of them up, then repeat with another set of toys. The strategy wasn’t much harder than that. And once you were done, you realized it wasn’t that difficult after all.
It’s the same for groups: they’re a mess, but it’s the basic blocking and tackling that will get them back into a proper state — and get you out of a state of paralysis.
Now, “go clean your room!”
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.