Solved

AD and Group Management

Posted on 2012-04-03
4
277 Views
Last Modified: 2012-04-03
1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACL's on various file servers. Adding users to security groups etc etc. Our AD seems in a mess in that nobody knows what certain groups are for, scanning the list there is certain groups that have no users in them, so quite what they are doing I dont know. If theres an AD (user/group) management/governance best practices document that we can use as a baseline moving forward that would be great.


2) Does AD know where groups are added onto DACL's on file shares? Or is that only the server which knows that.

3) Is there anyway to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then its fair to say its not serving any purpose?
0
Comment
Question by:pma111
  • 3
4 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37799826
Group creation depends all on the company to company requirements. like if you have several groups and require more shared folder then you are going to create more and more group.

For managing best practice is to create the group with the owner information and put the requirement in the description/Details field. this helps in getting information in future and contact the owner to check if the group is still be utilized.

to your answer to your 2nd question... only the server which host the security folder/permission know about the permissions.... AD or DC only have information about the group and it's members information.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37799831
for your query how to find empty groups below seems to help.

http://fkazi.blogspot.in/2010/02/find-empty-active-directory-groups.html
0
 
LVL 3

Author Comment

by:pma111
ID: 37800538
Are there any valid reasons why a group would be setup for a valid purpose, yet have no members. My naive view of groups is you create them then apply them to an object, i.e. set up "payroll-allstaff" and apply that to \\server\FINANCE\payroll-folders

What else are groups setup for? Why may they be empty (i.e. no members)?
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37800570
Having a group with no member as such does not make any sense. may be some one created and the users in that group already left the company or someone created it for some testing.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question