In a well-managed Active Directory every group has its purpose. As the number of groups grows and Active Directory spreads out globally, it becomes challenging to manage all groups from one central authority. This is where you start thinking about delegating group management.
In the simplest case, management of the groups associated with a particular division, business function or location is delegated to lower-level administrators or managers. It is considered good practice to publish group managers in Active Directory. For that purpose every group has the managedBy attribute, which is conveniently shown in the native AD management tools.
If your Active Directory uses the managedBy attribute for groups, then it is a good idea to leverage it for Active Directory cleanup. Here is a simple PowerShell snippet that finds all groups without a manager and dumps the resulting list of groups into a CSV file.
PS C:\> Get-ADGroup -LDAPFilter "(!managedBy=*)" -SearchScope Subtree -SearchBase "DC=toronto,DC=local" | Select-Object -Property distinguishedName | Export-Csv c:\test\groups.csv
Note that, unlike in the previous examples, the LDAP filter is specified with -LDAPFilter rather than the regular -Filter parameter. This is because managedBy is an extended attribute and the regular filter syntax does not work here.
This is the easy part. The not-so-easy part is what you are going to do with the resulting list of groups. If a group does not have a manager, that does not mean it is no longer used. However, it is worth trying to find the probable manager of each such group to ensure it is properly managed in the future. Here are a few ideas taken from the real world that show you how:
1. Examine the list of users included in the group and look up their position in the organizational chart. Most companies publish their org structure in Active Directory (the manager attribute of each user), so this information is readily available. The user who manages most of the group's members can be nominated as the group manager.
2. Look at the group object's permissions. Users that have modify permission on the group object are most likely its managers. Look at the owner in the group's security descriptor as well.
3. If you have been collecting Active Directory object change events into the Security log, or have been using third-party applications for Active Directory auditing, try looking up who created the group in the first place.
4. Email every user included in the group and ask them about the purpose of the group as well as who might be in charge of its management.
Do any of these practices sound familiar to you? How well do you enforce group managers?
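The following script, added here as an example and not part of the original post, automates ideas 1 and 2 above for every group that lacks a managedBy value: it tallies the manager attribute of the group's direct user members and proposes the most common one as the candidate manager, and it reads the owner of the group's security descriptor. It assumes the RSAT ActiveDirectory module, the same search base as the snippet above (DC=toronto,DC=local), and a constructed output path; the -WhatIf on Set-ADGroup is deliberate so that nothing is written until a candidate has been confirmed with the people involved (idea 4).

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed; the search base and output path below are assumptions.
Import-Module ActiveDirectory

$searchBase = 'DC=toronto,DC=local'          # same domain as the post's snippet
$outFile    = 'c:\test\unmanaged-groups.csv'  # constructed output path

# Same query as the snippet above: groups with no managedBy value.
$unmanaged = Get-ADGroup -LDAPFilter '(!managedBy=*)' -SearchScope Subtree -SearchBase $searchBase

$report = foreach ($group in $unmanaged) {
    # Direct user members only; nested groups are deliberately not expanded.
    $members = @(Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' })

    # Idea 1: count how often each manager DN appears among the members.
    $tally = @{}
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m -Properties manager
        if ($u.manager) {
            if ($tally.ContainsKey($u.manager)) { $tally[$u.manager]++ } else { $tally[$u.manager] = 1 }
        }
    }
    $candidate = $tally.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 1

    # Idea 2: owner of the group's security descriptor, read through the AD: drive.
    $owner = (Get-Acl -Path ("AD:\" + $group.DistinguishedName)).Owner

    [pscustomobject]@{
        Group            = $group.DistinguishedName
        MemberCount      = $members.Count
        CandidateManager = $candidate.Key     # DN of the most common manager, or empty
        ManagedMembers   = $candidate.Value   # how many members report to that manager
        AclOwner         = $owner
    }
}

$report | Export-Csv -Path $outFile -NoTypeInformation

# After the candidate has been confirmed (idea 4), publish it in managedBy.
# -WhatIf only shows what would change; remove it to apply the change.
$report | Where-Object { $_.CandidateManager } | ForEach-Object {
    Set-ADGroup -Identity $_.Group -ManagedBy $_.CandidateManager -WhatIf
}
```

A group whose members have no manager attribute, or whose members are mostly nested groups, will show an empty CandidateManager column; those are the groups for which the auditing trail (idea 3) or a round of emails (idea 4) is still needed.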