
Active Directory User and Group Reporting: Groups without managers

June 18, 2015 | blog | wp_admin

In a well-managed Active Directory, every group has a purpose. As the number of groups grows and Active Directory spreads out globally, it becomes challenging to manage all groups from one central authority. This is where you start thinking about delegating group management.

In the simplest case, management of the groups associated with a particular division, business function or location is delegated to lower-level administrators or managers. It is considered good practice to publish group managers in Active Directory. For that purpose every group has the managedBy attribute, which is conveniently shown in the native AD management tools.

If your Active Directory uses the managedBy attribute for groups, then it is a good idea to leverage it for Active Directory cleanup. Here is a simple PowerShell snippet that finds all groups without managers and dumps the resulting list of groups into a CSV file.

```powershell
PS C:\> Get-ADGroup -LDAPFilter "(!managedBy=*)" -SearchScope Subtree -SearchBase "DC=toronto,DC=local" | Select-Object -Property distinguishedName | Export-Csv C:\testgroups.csv
```

Note that, unlike in the previous examples, we are specifying the LDAP filter using a different method (-LDAPFilter instead of -Filter). This is because managedBy is an extended attribute and the regular filter syntax does not work here.

This is the easy part. The not-so-easy part is what you are going to do with the resulting list of groups. If a group does not have a manager, that does not mean it is no longer used. However, it is worth trying to find the probable manager of each such group to ensure it is properly managed in the future. Here are a few ideas taken from real-world practice that show you how:

1. Examine the list of users included in the group and look up their position in the organizational chart. Most companies publish their org structure in Active Directory (the manager attribute on user objects), so this information is readily available. The user who manages most of the group members can be nominated as the group manager.

2. Look at the permissions on the group object. Users that have modify permission on the group object are most likely its managers. Look at the owner of the group object's security descriptor as well.

3. If you have been collecting Active Directory object change events in the Security log, or have been using third-party applications for Active Directory auditing, try looking up who created the group in the first place.

4. Email every user included in the group and ask them about the purpose of this group as well as who might be in charge of its management.
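The following script is an added example, not code from the original post: it extends the snippet above so that, for each group without a manager, it applies ideas 1 and 2 automatically, nominating the most common manager among the members (from the user manager attribute) and listing the non-built-in principals with write access to the group object. It assumes the ActiveDirectory module is loaded and reuses the post's search base DC=toronto,DC=local; the output path and column names are my own choice.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and the same search base as the post's snippet.
Import-Module ActiveDirectory

$searchBase = "DC=toronto,DC=local"

$results = Get-ADGroup -LDAPFilter "(!managedBy=*)" -SearchScope Subtree -SearchBase $searchBase |
    ForEach-Object {
        $group = $_

        # Idea 1: count how often each manager appears among the direct user members.
        $managerCounts = @{}
        Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $mgr = (Get-ADUser -Identity $_.distinguishedName -Properties Manager).Manager
                if ($mgr) { $managerCounts[$mgr] = 1 + [int]$managerCounts[$mgr] }
            }
        $topManager = $managerCounts.GetEnumerator() |
            Sort-Object -Property Value -Descending |
            Select-Object -First 1
        $probable = ''
        $votes    = 0
        if ($topManager) { $probable = $topManager.Key; $votes = $topManager.Value }

        # Idea 2: principals with WriteProperty (also set by GenericWrite/GenericAll)
        # on the group object, skipping the usual built-in identities.
        $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)
        $writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                $_.IdentityReference -notmatch '^(NT AUTHORITY|BUILTIN)\\'
            } |
            Select-Object -ExpandProperty IdentityReference -Unique

        [pscustomobject]@{
            Group           = $group.DistinguishedName
            Owner           = $acl.Owner          # owner of the security descriptor
            ProbableManager = $probable           # manager DN shared by most members
            ManagerVotes    = $votes              # how many members report that manager
            WriteAccess     = ($writers -join ';')
        }
    }

$results | Export-Csv -Path C:\testgroups-candidates.csv -NoTypeInformation
```

Review the CSV by hand before setting managedBy: a high ManagerVotes count is a hint, not proof, and the WriteAccess column often surfaces a delegated admin who was never recorded as the manager.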

Do any of these practices sound familiar to you? How well do you enforce group managers?

Tags: Active Directory group cleanup, Active Directory hygiene, active directory reporting, groups without members