Active Directory groups are used for many different purposes. Whether it is managing access through membership in security groups or setting up simple group communications through distribution groups (lists), groups provide an excellent way to logically assemble related objects.
The term “orphan” can carry with it a negative connotation. No person, no animal, no object that is a part of a collective naturally wants to be by itself or without governance. The same is true with groups. No group wants to be orphaned. Its natural state should be one where it has been assigned oversight.
In the case of an Active Directory group, no group should be without an assigned owner. An owner of a group has an explicit responsibility for what the group governs and for which objects are included in that governance. Other than the standard built-in groups, which have an implied purpose and administrative governance, any group created after the Active Directory deployment should always have an individual, or a set of individuals, responsible for it for the duration of that group's life.
Built into Active Directory is the option to assign an owner to a group. At Imanami, we specifically call out assigning at least one owner as a best practice, and preferably multiple owners.
What about additional owners? There are times when having a single owner is not enough. Workers go on vacation, become sick, or are otherwise unable to constantly oversee a group. A best practice is to find additional people who can act as the backup or additional owner should the primary owner be unavailable, and to enforce more than one owner per group so that none ever goes unmanaged.
How can you enforce ownership policies? With tools such as Imanami’s GroupID Self Service, the process of creating groups can have rules associated with the delegated creation process. The best practice of having multiple owners of a group can be implemented with a rule whereby a minimal number of ownership entities must be applied before a group is actually created.
Moving forward, ensure that your groups have the content owners assigned as responsible. With additional tools, they can be delegated to manage membership, group expiration, and other tasks (see Imanami GroupID Self Service).
Do you already have groups without ownership established? Use an Active Directory reporting tool to identify those groups.
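If you do not have a reporting tool at hand, the same check can be done from the ActiveDirectory PowerShell module. The script below is an added example, not code from the original post or from GroupID; it assumes the RSAT ActiveDirectory module and read access to group attributes, reports groups whose managedBy attribute is empty, and also flags owners whose account is disabled or whose DN no longer resolves, since those groups are orphaned in practice even though an owner is nominally set. Built-in groups are skipped via the isCriticalSystemObject flag, in line with the point above that they carry implied governance.

```powershell
# Added example (not from the original post or Imanami's GroupID): report
# Active Directory groups that have no effective owner.
Import-Module ActiveDirectory

function Get-OrphanedGroup {
    [CmdletBinding()]
    param(
        # Default: the whole domain; pass an OU DN to narrow the search.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Built-in groups (Domain Admins, Administrators, ...) have implied
    # governance; isCriticalSystemObject marks them, so they are skipped.
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
                -Properties managedBy, isCriticalSystemObject, whenCreated |
              Where-Object { -not $_.isCriticalSystemObject }

    foreach ($g in $groups) {
        $reason = $null

        if ([string]::IsNullOrEmpty($g.managedBy)) {
            $reason = 'No owner: managedBy is empty'
        } else {
            try {
                # managedBy holds a single DN; it may point at a user or a group.
                $owner = Get-ADObject -Identity $g.managedBy -Properties objectClass -ErrorAction Stop
                if ($owner.objectClass -eq 'user') {
                    $acct = Get-ADUser -Identity $owner.DistinguishedName -Properties Enabled
                    if (-not $acct.Enabled) { $reason = "Owner disabled: $($owner.Name)" }
                }
            } catch {
                # The DN does not resolve (object gone or not readable to us).
                $reason = "Owner unresolvable: $($g.managedBy)"
            }
        }

        if ($reason) {
            [pscustomobject]@{
                Group     = $g.SamAccountName
                Scope     = $g.GroupScope
                Category  = $g.GroupCategory
                Created   = $g.whenCreated
                ManagedBy = $g.managedBy
                Reason    = $reason
            }
        }
    }
}

# Usage: list the oldest orphaned groups first.
Get-OrphanedGroup | Sort-Object Created | Format-Table -AutoSize
```

Note that managedBy can hold only one DN, so enforcing the multiple-owner practice described above requires a tool that tracks additional owners outside that attribute.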
Have another example of the benefits of group ownership? Opine below, we always welcome opinions. Want to learn more about unleashing the power of your Active Directory? Download our free white paper.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.