asked on

AD and Group Management

1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACL's on various file servers. Adding users to security groups etc etc. Our AD seems in a mess in that nobody knows what certain groups are for, scanning the list there is certain groups that have no users in them, so quite what they are doing I dont know. If theres an AD (user/group) management/governance best practices document that we can use as a baseline moving forward that would be great.

2) Does AD know where groups are added onto DACL's on file shares? Or is that only the server which knows that.

3) Is there anyway to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then its fair to say its not serving any purpose?

ASKER CERTIFIED SOLUTION

Anuroopsundd

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Anuroopsundd

for your query how to find empty groups below seems to help.

http://fkazi.blogspot.in/2010/02/find-empty-active-directory-groups.html

Pau Lo

ASKER

Are there any valid reasons why a group would be setup for a valid purpose, yet have no members. My naive view of groups is you create them then apply them to an object, i.e. set up "payroll-allstaff" and apply that to \\server\FINANCE\payroll-folders

What else are groups setup for? Why may they be empty (i.e. no members)?

Anuroopsundd

Having a group with no member as such does not make any sense. may be some one created and the users in that group already left the company or someone created it for some testing.