Solved

AD and Group Management

Posted on 2012-04-03
Last Modified: 2012-04-03
1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACLs on various file servers, adding users to security groups, etc.? Our AD seems to be in a mess in that nobody knows what certain groups are for; scanning the list, there are certain groups that have no users in them, so quite what they are doing I don't know. If there's an AD (user/group) management/governance best practices document that we can use as a baseline moving forward, that would be great.


2) Does AD know where groups are added onto DACLs on file shares? Or is it only the server which knows that?

3) Is there any way to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then it's fair to say it's not serving any purpose?
Question by:pma111
4 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37799826
Group creation depends entirely on each company's requirements. For example, if you have several groups and require more shared folders, then you are going to create more and more groups.

For management, best practice is to create the group with the owner information and put the requirement in the Description/Details field. This helps in getting information in the future and in contacting the owner to check whether the group is still being utilized.

To answer your 2nd question: only the server which hosts the secured folder/permissions knows about the permissions. AD or the DC only has information about the group and its members.
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37799831
For your query on how to find empty groups, the link below seems to help.

http://fkazi.blogspot.in/2010/02/find-empty-active-directory-groups.html
 
LVL 3

Author Comment

by:pma111
ID: 37800538
Are there any valid reasons why a group would be set up for a valid purpose, yet have no members? My naive view of groups is you create them then apply them to an object, i.e. set up "payroll-allstaff" and apply that to \\server\FINANCE\payroll-folders

What else are groups set up for? Why may they be empty (i.e. no members)?
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37800570
Having a group with no members as such does not make any sense. Maybe someone created it and the users in that group have already left the company, or someone created it for some testing.
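
An added example, not part of the original thread: a PowerShell report of groups whose `member` attribute is empty, together with the owner and description fields the accepted answer recommends filling in. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the output file name `empty-groups.csv` is a placeholder, and groups used only as a primary group are flagged because that membership is not stored in `member`.

```powershell
# Added example: report AD groups with no members, with ownership context.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$props = 'Description', 'ManagedBy', 'whenCreated', 'whenChanged',
         'memberOf', 'isCriticalSystemObject'

# Let the DC do the filtering: groups whose 'member' attribute is not set.
$candidates = Get-ADGroup -LDAPFilter '(!(member=*))' -Properties $props

$report = foreach ($g in $candidates) {
    # Groups such as Domain Users hold their members through primaryGroupID,
    # which never shows up in 'member', so they look empty to the filter above.
    $rid = $g.SID.Value.Split('-')[-1]
    $viaPrimary = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1

    [pscustomobject]@{
        Name            = $g.Name
        Scope           = $g.GroupScope
        Category        = $g.GroupCategory
        Description     = $g.Description
        ManagedBy       = $g.ManagedBy
        Created         = $g.whenCreated
        LastChanged     = $g.whenChanged
        NestedIn        = @($g.memberOf).Count   # groups this one is a member of
        SystemGroup     = [bool]$g.isCriticalSystemObject
        PrimaryGroupUse = [bool]$viaPrimary
        # Review candidates: no members by either route and not a built-in group.
        ReviewCandidate = ((-not $viaPrimary) -and (-not $g.isCriticalSystemObject))
    }
}

# Full report for the record (placeholder file name).
$report | Sort-Object ReviewCandidate, Created |
    Export-Csv -Path .\empty-groups.csv -NoTypeInformation -Encoding UTF8

# Console summary of the groups worth asking an owner about.
$report | Where-Object ReviewCandidate |
    Select-Object Name, Scope, Created, ManagedBy, Description |
    Format-Table -AutoSize
```

An empty group can still appear on a file server ACL, and as the accepted answer says only that server knows, so check the shares before deleting anything from this list.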
