
AD and Group Management

Posted on 2012-04-03
Last Modified: 2012-04-03
1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACLs on various file servers, adding users to security groups, etc.? Our AD seems in a mess in that nobody knows what certain groups are for. Scanning the list, there are certain groups that have no users in them, so quite what they are doing I don't know. If there's an AD (user/group) management/governance best practices document that we can use as a baseline moving forward, that would be great.

2) Does AD know where groups are added onto DACLs on file shares? Or is it only the server which knows that?

3) Is there any way to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then it's fair to say it's not serving any purpose?
Question by:pma111
Accepted Solution

by:
Anuroopsundd earned 2000 total points
ID: 37799826
Group creation depends entirely on each company's requirements. For example, if you have several groups and require more shared folders, then you are going to create more and more groups.

For management, the best practice is to create the group with the owner information and put the requirement in the Description/Details field. This helps in getting information in the future and contacting the owner to check whether the group is still being utilized.

To answer your 2nd question: only the server which hosts the security folder/permission knows about the permissions. AD or the DC only has information about the group and its members.
Expert Comment

by:Anuroopsundd
ID: 37799831
For your query on how to find empty groups, the link below seems to help.

http://fkazi.blogspot.in/2010/02/find-empty-active-directory-groups.html
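
An added example (not from this thread or the linked blog post) of the audit asked about in question 3, combined with the owner/description practice from the accepted solution: a PowerShell function that reports a member head count per group and flags groups that are empty or carry no owner or purpose. The function name `Get-GroupAuditReport`, the sample groups and the `example.test` domain are constructed for illustration; the commented lines at the end assume the RSAT ActiveDirectory module.

```powershell
# Added example: head count per group, flagging empty and undocumented groups.
function Get-GroupAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Group
    )
    process {
        # 'Members' holds the DNs stored in the group's 'member' attribute.
        # Accounts that have this group as their primary group (for example
        # Domain Users) are not listed there, so such a group can look empty.
        $count = @($Group.Members | Where-Object { $_ }).Count
        [pscustomobject]@{
            Name        = $Group.Name
            MemberCount = $count
            IsEmpty     = ($count -eq 0)
            HasOwner    = -not [string]::IsNullOrWhiteSpace([string]$Group.ManagedBy)
            HasPurpose  = -not [string]::IsNullOrWhiteSpace([string]$Group.Description)
        }
    }
}

# Constructed sample objects shaped like Get-ADGroup output (not real data).
$sample = @(
    [pscustomobject]@{
        Name        = 'payroll-allstaff'
        Members     = @('CN=Alice,OU=Staff,DC=example,DC=test',
                        'CN=Bob,OU=Staff,DC=example,DC=test')
        ManagedBy   = 'CN=Finance Lead,OU=Staff,DC=example,DC=test'
        Description = 'Access to \\server\FINANCE\payroll-folders'
    }
    [pscustomobject]@{
        Name = 'test-group-old'; Members = @(); ManagedBy = $null; Description = ''
    }
)

$report = $sample | Get-GroupAuditReport
$report | Sort-Object MemberCount | Format-Table -AutoSize

# Against a real domain, feed the same function from the directory:
# Import-Module ActiveDirectory
# Get-ADGroup -Filter * -Properties Members, ManagedBy, Description |
#     Get-GroupAuditReport | Where-Object IsEmpty |
#     Export-Csv .\empty-groups.csv -NoTypeInformation
```

The report covers only what the directory stores; as the accepted solution says, where a group appears on file-share permissions is known only to the server hosting the share.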

Author Comment

by:pma111
ID: 37800538
Are there any valid reasons why a group would be set up for a valid purpose, yet have no members? My naive view of groups is you create them then apply them to an object, i.e. set up "payroll-allstaff" and apply that to \\server\FINANCE\payroll-folders

What else are groups set up for? Why may they be empty (i.e. no members)?

Expert Comment

by:Anuroopsundd
ID: 37800570
Having a group with no members as such does not make any sense. Maybe someone created it and the users in that group already left the company, or someone created it for some testing.