1) Is there any Microsoft best practice around governing creation of new groups in AD, new users in AD, documenting where groups and users are added to ACL's on various file servers. Adding users to security groups etc etc. Our AD seems in a mess in that nobody knows what certain groups are for, scanning the list there is certain groups that have no users in them, so quite what they are doing I dont know. If theres an AD (user/group) management/governance best practices document that we can use as a baseline moving forward that would be great.
2) Does AD know where groups are added onto DACL's on file shares? Or is that only the server which knows that.
3) Is there anyway to audit groups in AD for a total head count of members? I'd especially like to see which groups have no members (and as such are proving 0 business worth). Is that true - if a group has 0 members then its fair to say its not serving any purpose?