It is a simple fact that Active Directory gets messy as time goes by. A lack of automated provisioning and deprovisioning practices, employee turnover, and Active Directory restructuring due to ongoing M&A activity are just a few of the reasons why. A good indicator of a messy Active Directory is “group sprawl”: you end up having more groups than you have users.
Not only can this negatively affect the operational state of Active Directory, it can also take a heavy toll on the bottom line of the organization itself. Affected companies might face:
- Increased security risks – not knowing what groups are used for and leaving dormant accounts in AD create opportunities for offenders to break into your network. This becomes an especially easy target for company ex-employees or administrators who are intimately familiar with the internal network and the organization of Active Directory.
- Reduced end-user productivity – when users are members of an excessive number of groups, they might run into the “token bloat” problem, which prevents them from accessing certain resources or, conversely, gives them access to resources they should not have access to.
- Compliance challenges – how do you prove to the auditor that you keep your access policies under control when you don’t know what your Active Directory groups are used for? How can you be confident that groups still serve the same purpose they served 5 years ago?
So, where do you start to put things back in order?
What about getting to know your own Active Directory first? Start with a thorough assessment of Active Directory users and groups that would spot unnecessary groups and dormant accounts.
In this series of blog posts we are going to show the top 10 ways you can improve Active Directory hygiene. We will talk about 10 different things you want to know about users and groups in Active Directory and give you a ready-made “do it yourself” recipe to quickly check things off the Active Directory best practices list.
So, if you are tired of coming across stale accounts and unused groups, if “group cleanup” has been keeping you up at night, or if you want to see what the first step toward a well-managed and compliant Active Directory can be, read on.
1. Active Directory User and Group Reporting: How to find empty groups
2. Active Directory User and Group Reporting: Circular nested groups
3. Active Directory User and Group Reporting: Groups with same direct members
4. Active Directory User and Group Reporting: Groups with same nested members
5. Active Directory User and Group Reporting: Groups without managers
6. Active Directory User and Group Reporting: Old Groups
7. Active Directory User and Group Reporting: Locked Out User Accounts
8. Active Directory User and Group Reporting: Disabled User Accounts
9. Active Directory User and Group Reporting: Users that have not logged on in the last X days
10. Active Directory User and Group Reporting: Users with old passwords