
AD and Group Management

1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACLs on various file servers, adding users to security groups, etc.? Our AD seems to be in a mess in that nobody knows what certain groups are for; scanning the list, there are certain groups that have no users in them, so quite what they are doing I don't know. If there's an AD (user/group) management/governance best practices document that we can use as a baseline moving forward, that would be great.

2) Does AD know where groups are added onto DACLs on file shares? Or is that only the server which knows that?

3) Is there any way to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then it's fair to say it's not serving any purpose?
pma111
Asked:
 
Anuroopsundd Commented:
Group creation depends entirely on each company's requirements. For example, if you have several groups and require more shared folders, then you are going to create more and more groups.

For management, best practice is to create the group with the owner information and put the requirement in the Description/Details field. This helps in getting information in the future and contacting the owner to check if the group is still being utilized.

To answer your 2nd question: only the server which hosts the secured folder/permissions knows about the permissions. AD or the DC only has information about the group and its members.
 
Anuroopsundd Commented:
For your query on how to find empty groups, the link below seems to help.

http://fkazi.blogspot.in/2010/02/find-empty-active-directory-groups.html
 
pma111 Author Commented:
Are there any valid reasons why a group would be set up for a valid purpose, yet have no members? My naive view of groups is you create them then apply them to an object, i.e. set up "payroll-allstaff" and apply that to \\server\FINANCE\payroll-folders

What else are groups set up for? Why may they be empty (i.e. no members)?
 
Anuroopsundd Commented:
Having a group with no members as such does not make any sense. Maybe someone created it and the users in that group have already left the company, or someone created it for some testing.
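One way to run the head-count audit asked about in question 3, and to check for the owner/description practice suggested in the first answer, as an added example that is not part of the original thread. Live data would come from the ActiveDirectory module's `Get-ADGroup`; the function name `Get-GroupAuditReport`, the finding labels and the sample groups (under a placeholder `example.test` domain) are constructed for illustration.

```powershell
# Added example. Live use needs the RSAT ActiveDirectory module and a domain:
#   Get-ADGroup -Filter * -Properties Members, Description, ManagedBy, isCriticalSystemObject |
#       Get-GroupAuditReport | Sort-Object MemberCount | Export-Csv .\group-audit.csv -NoTypeInformation
function Get-GroupAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # Count non-null entries so a missing or empty Members value yields 0.
        $memberCount  = @($Group.Members | Where-Object { $_ }).Count
        # "Undocumented" = neither an owner (ManagedBy) nor a Description is set.
        $undocumented = -not $Group.Description -and -not $Group.ManagedBy
        $finding = if ([bool]$Group.isCriticalSystemObject) {
            'System group: skip'
        } elseif ($memberCount -eq 0 -and $undocumented) {
            'Empty, no owner or description'
        } elseif ($memberCount -eq 0) {
            'Empty: confirm with owner'
        } elseif ($undocumented) {
            'No owner or description'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Name        = $Group.Name
            MemberCount = $memberCount
            Owner       = $Group.ManagedBy
            Description = $Group.Description
            Finding     = $finding
        }
    }
}

# Constructed sample input, shaped like Get-ADGroup output, so the function runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'payroll-allstaff'; Description = 'Modify on \\server\FINANCE\payroll-folders'
        ManagedBy = 'CN=Finance Lead,OU=Staff,DC=example,DC=test'
        Members   = @('CN=User A,OU=Staff,DC=example,DC=test', 'CN=User B,OU=Staff,DC=example,DC=test') }
    [pscustomobject]@{ Name = 'proj-old-test'; Description = $null; ManagedBy = $null; Members = @() }
    [pscustomobject]@{ Name = 'hr-archive-read'; Description = 'Read on HR archive share'
        ManagedBy = 'CN=HR Lead,OU=Staff,DC=example,DC=test'; Members = @() }
    [pscustomobject]@{ Name = 'temp-share'; Description = $null; ManagedBy = $null
        Members   = @('CN=User C,OU=Staff,DC=example,DC=test') }
)
$sample | Get-GroupAuditReport | Sort-Object MemberCount | Format-Table -AutoSize
```

A zero count only reflects the group's `member` attribute: accounts that have the group as their primary group are not listed there. As the answer to question 2 notes, AD also cannot show whether an empty group is still referenced in an ACL on a file server, so treat the findings as a review list.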