documenting purpose of AD security groups

pma111 asked:
Are there any specific best practices you follow when documenting security groups in AD, e.g. what membership of such a group actually permits? Without having to dig through file servers etc., a group name on its own is not of much use. So I wondered what type of information you record about each security group, and where you store that information.
Distinguished Expert 2017
Commented:
The group name and description should be detailed and should convey its purpose.
The other option is to have a naming convention.
The scope of your need might be more elaborate than what would be included in your environment's documentation, possibly using Visio or a similar rendering.
Alan (Consultant)
Commented:
Hi,

I always try to enforce a naming convention, with the end of the name being 'free form' to give more information on purpose etc.

I also try to make extensive notes in the 'notes' section of the group properties in AD, including always:

Date / Time:  Who created or amended / Detailed notes on why the group was created, and I put new notes at the top.

For example:


20171107-2140 (Alan):  Added John Smith per email from Edna Jones (HR Manager) (20171107 - 1054 - Please add John to HR group.msg)

20170131-1345 (Alan):  Group created to give access to //ServerName/ShareName/HR folder

I also file emails in folders (network drives, as well as in Exchange), hence the reference to an msg file, but that could easily be a scan of a hardcopy form, or a fax (rare these days), or a voice recording.


I have been very grateful to my past self numerous times for the notes I created at the time!


Alan.
Pete Long (Technical Consultant)
Commented:
I name all mine

GP-U-{sensible name}
GP-G-{sensible name}
GP-D-{sensible name}

for universal, global and domain local respectively, and I put something descriptive in the 'description' field, as that's what's visible when you browse AD,

i.e. 'Group for read only access to folder xyzy created xx/xx/xx by PeteLong'

Also I don't use spaces, so things are a bit easier if I need to script anything!

P
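The two conventions above (Alan's dated entries in the group's Notes field, and Pete's scope-prefixed names with a descriptive 'description' field) can be enforced from PowerShell rather than by hand. The script below is an added example written for this page, not code posted by either answerer. It assumes the RSAT ActiveDirectory module, rights to create and modify groups in the target OU, and that the OU path, group names and share paths shown in the usage comments are constructed placeholders. The Notes field on a group's Object tab is the `info` attribute, which is what the functions read and write.

```powershell
# Added example: document AD security groups in the name, description and Notes (info) attributes.
# Assumes the RSAT ActiveDirectory module; OU paths and names in the usage block are constructed.
Import-Module ActiveDirectory

# Pete's convention: scope prefix, then a free-form part with no spaces
$ScopePrefix = @{ Universal = 'GP-U-'; Global = 'GP-G-'; DomainLocal = 'GP-D-' }

function New-DocumentedADGroup {
    param(
        [Parameter(Mandatory)][string]$Name,      # free-form part of the name, no spaces
        [Parameter(Mandatory)][ValidateSet('Universal','Global','DomainLocal')][string]$Scope,
        [Parameter(Mandatory)][string]$Path,      # distinguished name of the target OU
        [Parameter(Mandatory)][string]$Purpose,   # what membership of the group actually permits
        [string]$Author = $env:USERNAME
    )
    if ($Name -match '\s') { throw "Group name part '$Name' must not contain spaces" }
    $fullName = $ScopePrefix[$Scope] + $Name
    $stamp    = Get-Date -Format 'yyyyMMdd-HHmm'
    # description is what shows when browsing AD; info is the 'Notes' field on the Object tab
    New-ADGroup -Name $fullName -SamAccountName $fullName -GroupScope $Scope -GroupCategory Security `
        -Path $Path -Description "$Purpose (created $stamp by $Author)" `
        -OtherAttributes @{ info = "$stamp ($Author): Group created. $Purpose" }
    return $fullName
}

function Add-ADGroupNote {
    # Alan's convention: prepend a dated, attributed entry so the newest note reads first
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Note,
        [string]$Author = $env:USERNAME
    )
    $group   = Get-ADGroup -Identity $Identity -Properties info
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
    $entry   = "$stamp ($Author): $Note"
    $newInfo = if ($group.info) { "$entry`r`n$($group.info)" } else { $entry }
    Set-ADGroup -Identity $Identity -Replace @{ info = $newInfo }
}

function Test-ADGroupDocumentation {
    # Audit: list security groups whose name breaks the convention or that carry no description
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADGroup -Filter 'GroupCategory -eq "Security"' -SearchBase $SearchBase -Properties description, info |
        ForEach-Object {
            $expected = $ScopePrefix[[string]$_.GroupScope]
            [pscustomobject]@{
                Name            = $_.Name
                Scope           = $_.GroupScope
                NameMatchesRule = $_.Name.StartsWith($expected) -and ($_.Name -notmatch '\s')
                HasDescription  = -not [string]::IsNullOrWhiteSpace($_.Description)
                HasNotes        = -not [string]::IsNullOrWhiteSpace($_.info)
            }
        } | Where-Object { -not ($_.NameMatchesRule -and $_.HasDescription) }
}

# Usage (OU, share and names are constructed placeholders):
# $g = New-DocumentedADGroup -Name 'HR-Share-ReadOnly' -Scope Global `
#         -Path 'OU=Groups,DC=example,DC=com' -Purpose 'Read-only access to \\FS01\HR'
# Add-ADGroupNote -Identity $g -Note 'Added John Smith per HR Manager request (filed email: <ref placeholder>)'
# Test-ADGroupDocumentation -SearchBase 'OU=Groups,DC=example,DC=com' | Format-Table
```

The audit function is the part worth scheduling: run it against the groups OU periodically and treat any row it returns as a group whose purpose cannot be recovered from AD alone, which is exactly the situation the question describes.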
Shaun Vermaak (Senior Consultant)
Awarded 2017
Distinguished Expert 2018
Commented:
Reduce groups by using role groups and delegation groups
https://www.experts-exchange.com/articles/29366/Delegation-the-proper-way.html
Alan (Consultant)
Commented:
Good advice offered