An orphaned Active Directory group is a group with no owner. On the surface, that doesn’t seem that bad: email is still delivered and permissions are still applied. But there are real dangers to the business if you allow Active Directory groups to go ownerless and their membership becomes static.
Common Dangers of Orphaned AD Groups
The following are the dangers of orphaned Active Directory groups.
- You can almost guarantee inaccuracy in a group with no owner.
  - For distribution lists, users just won’t use inaccurate groups.
  - For security groups, the WRONG people will have access to the resources.
- New groups will be created that replace groups that already exist.
  - For distribution lists, this causes confusion for the users…which marketing list should they use?
  - For security groups, this causes token bloat.
- With no user to manage the group, the Help Desk is over-run. And that is expensive.
- Ultimately, productivity AND security suffer.
Luckily, these orphaned groups will not doom your business. You can take steps to make these groups useful and relevant again. You need to take a few steps to understand the problem, fix the immediate issue and then create a longer-term solution.
- Report on it. You need to know how many orphaned groups you’re dealing with. Luckily, there are free Active Directory reporting tools available.
- Assign owners. At a minimum, you can create default owners or have groups own the groups. These owners don’t necessarily need to manage the group membership, but they can start the cleanup by managing join requests.
- Expire the groups. This is ESSENTIAL, but you need a good Active Directory group lifecycle solution.
  - Once you have the default owner, you can expire the group, which requires the functionality to break to be effective. If the distribution list won’t receive emails, the users will complain to the owner. If the security group doesn’t give access, the users will complain to the owner. The owner can then renew the group and everything works again.
  - If nobody complains, then delete it, either automatically or manually.
- Automate as many groups as possible. Now that you have only the groups that you want, avoid this problem in the future. Determine which can be dynamic (for example a location or a department) and convert them to smart groups.
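The first three steps above (report, assign owners, pick expiry candidates) can be started with the RSAT ActiveDirectory PowerShell module alone. The script below is an added example written for this post, not code from the post’s author or from GroupID. It assumes that an orphaned group is one whose managedBy attribute is unset, and the default-owner DN, report path and staleness threshold are placeholder values to replace with your own.

```powershell
# Added example (not from the original post): inventory orphaned groups,
# stage a default owner, and list expiry candidates.
# Assumption: "orphaned" == the group's managedBy attribute is empty.
Import-Module ActiveDirectory

# Placeholder values: replace with your own default-owner group and output path.
$DefaultOwnerDN = 'CN=Default Group Owners,OU=Groups,DC=example,DC=com'
$ReportPath     = 'C:\Reports\orphaned-groups.csv'
$StaleAfterDays = 365   # assumption: unowned groups older than this are expiry candidates

# 1. Report: every group whose managedBy attribute is empty.
#    '-notlike "*"' is the LDAP-filter idiom for "attribute not set".
$orphans = Get-ADGroup -Filter 'managedBy -notlike "*"' `
    -Properties managedBy, mail, whenCreated, whenChanged, description |
    ForEach-Object {
        # Member count helps separate stale shells from groups still in use.
        # Get-ADGroupMember can fail on very large groups; treat that as unknown (0).
        $memberCount = @(Get-ADGroupMember -Identity $_ -ErrorAction SilentlyContinue).Count
        [pscustomobject]@{
            Name              = $_.Name
            DistinguishedName = $_.DistinguishedName
            Category          = $_.GroupCategory   # Security or Distribution
            Scope             = $_.GroupScope
            Mail              = $_.mail
            Members           = $memberCount
            AgeDays           = [int]((Get-Date) - $_.whenCreated).TotalDays
            LastChanged       = $_.whenChanged
        }
    }

$orphans | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} orphaned groups written to {1}' -f @($orphans).Count, $ReportPath

# 2. Assign owners: give every orphan the default-owner group as a starting point.
#    -WhatIf makes this a dry run; remove it only after the report has been reviewed.
foreach ($g in $orphans) {
    Set-ADGroup -Identity $g.DistinguishedName -ManagedBy $DefaultOwnerDN -WhatIf
}

# 3. Expiry candidates: old, empty, unowned groups go first on the
#    expire-then-delete path described in the post. Scheduling the actual
#    expiry is left to the lifecycle tooling the post refers to.
$orphans |
    Where-Object { $_.AgeDays -gt $StaleAfterDays -and $_.Members -eq 0 } |
    Sort-Object AgeDays -Descending |
    Format-Table Name, Category, AgeDays, LastChanged -AutoSize
```

Two practical notes: managedBy may point at a group as well as a user, which is how "have groups own the groups" is expressed in AD; and setting managedBy by itself only records the owner, it does not grant that owner the right to change membership (the "Manager can update membership list" permission is a separate ACE on the group), so the owner can field join requests and renewal decisions without gaining write access they were not meant to have.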
Orphaned Active Directory groups can be fixed, but it requires a bit of upfront work and then some strong group management software to keep the problem from recurring. Let us know if you would like a consultation on how to solve orphaned Active Directory groups.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.


This article is good, but shouldn’t it also discuss how GroupID solves the problem? For example, we can discuss the Orphan Group Update job and the Manager/Owner Suggestion feature in SSP as a solution.