Pau Lo


empty AD groups and risk

We have done an audit of our AD domains and found several hundred empty AD groups (no members). Our admins don't seem particularly concerned about this, even though they accept it's years' worth of bad housekeeping. I am wondering if they have overlooked any risks in leaving the empty groups in place, even though they clearly serve no operational purpose to the business. Is there any risk in leaving masses of empty security groups in a domain, and if so, what?
ASKER CERTIFIED SOLUTION
Hello There

This solution is only available to members.
SOLUTION
This solution is only available to members.
Hello There

Good point to enable Recycle Bin. Give it some time before permanent deletion. At least one month. Sometimes you need some objects back.

ASKER

>You probably do not remember which group has which privileges

Is it common to find that permissions on groups allow global groups like Everyone, Domain Users, etc. to modify the groups and add their own accounts to groups, or is that unlikely?

Well, in a domain environment users can use something like AD scan or AD sniffer to get the list of all users and groups. That's why you shouldn't use a Description field for sensitive information.

They also might see a permission list of users and groups under folder properties unless you disable this.

But they cannot modify anything in AD if they don't have elevated permissions.
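
The question above, whether broad principals such as Everyone or Domain Users hold write access on a group, can be checked from each group's ACL. The following is an added example, not part of the original thread: the function name `Find-BroadGroupWriteAce`, the list of principals treated as "broad", and the `EXAMPLE` domain sample data are assumptions made for illustration.

```powershell
# Added example: flag ACEs that let a broad principal change a group's membership.
# $MemberGuid is the schemaIDGUID of the "member" attribute; an all-zero ObjectType means "all properties".
$MemberGuid      = 'bf9679c0-0de6-11d0-a285-00aa003049e2'
$EmptyGuid       = '00000000-0000-0000-0000-000000000000'
$BroadPrincipals = 'Everyone$|Authenticated Users$|Domain Users$|Domain Computers$|^BUILTIN\\Users$'  # assumed list
$WriteRights     = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|\bSelf\b'
$FullControl     = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'

function Find-BroadGroupWriteAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $GroupDN,
        [Parameter(Mandatory)] [object[]] $Ace
    )
    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow')                { continue }
        if ("$($a.IdentityReference)" -notmatch $BroadPrincipals) { continue }
        $rights = "$($a.ActiveDirectoryRights)"
        if ($rights -notmatch $WriteRights)                       { continue }
        # WriteProperty/Self scoped to an attribute other than "member" cannot change membership.
        $scopedOnly = $rights -notmatch $FullControl
        if ($scopedOnly -and "$($a.ObjectType)" -notin $MemberGuid, $EmptyGuid) { continue }
        [pscustomobject]@{ Group = $GroupDN; Principal = "$($a.IdentityReference)"; Rights = $rights }
    }
}

# Constructed sample ACEs, shaped like the entries of (Get-Acl "AD:\<dn>").Access; all names are made up.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericRead';   ObjectType = $EmptyGuid }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Users';             AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'WriteProperty'; ObjectType = $MemberGuid }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins';            AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericAll';    ObjectType = $EmptyGuid }
)
Find-BroadGroupWriteAce -GroupDN 'CN=Old-Project-RW,OU=Groups,DC=example,DC=com' -Ace $sample

# Live use (needs the ActiveDirectory module and its AD: drive). The filter only sees the "member"
# attribute, so a group used solely as a primary group (primaryGroupID) also shows up as empty.
# Get-ADGroup -LDAPFilter '(!(member=*))' | ForEach-Object {
#     Find-BroadGroupWriteAce -GroupDN $_.DistinguishedName -Ace (Get-Acl "AD:\$($_.DistinguishedName)").Access
# }
```

Any group this returns is one where membership can be changed by a principal that most accounts already belong to, which is worth resolving before deciding whether to keep or delete the group.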
SOLUTION
This solution is only available to members.