Top 10 Pitfalls IT Pros Face When Managing Groups in Active Directory

Don't let poor group management lead to a security breach

Jonathan Blackwell

July 18, 2014

9 Min Read
IT pros face several pitfalls when managing groups in Active Directory
IT pros face several pitfalls when managing groups in Active Directory.

It's no secret that Windows IT professionals struggle to effectively manage identity and access management systems and information distribution systems within Microsoft-based environments. The ability to provision and maintain up-to-date user lists and groups is absolutely necessary to improve security within an organization and to avoid major productivity hits to both the company's IT department and general workforce. Without these capabilities, organizations can't trust that business-critical information will get to the right people every time—or even worse, that sensitive information is delivered to people who shouldn't receive it.

Although it's widely known that failing to implement effective group management processes can lead to a security breach, IT departments still find it challenging to manage this process. This is due to a lack of group management tools and capabilities within the Active Directory (AD) environment. In reflection of AD's shortcomings, here are the top 10 most common pitfalls IT pros face when trying to configure AD to create and manage groups.

Pitfall 1: IT Departments Refusing to Let Go of Group Management

Too often, IT departments are unwilling to give up control of group management, but they're really the last people who should be managing them. Groups should be managed by the employees who own the content governed by the groups—not by IT staff members, who have limited visibility into a group's purpose. When the IT department refuses to give up control, it not only bogs down IT resources but also takes power away from the people to own and manage their groups.

For example, suppose that an employee is assigned a new project and must create an email distribution list (DL) that includes people from different sites. The IT department is in charge, so the employee must first submit a request to it. Then, the IT pro assigned to this task must get approval from the requester's manager and spend additional time understanding what the DL is for and who needs to be in the group. By the time the IT pro is finally allowed to create the group, several days have passed, meaning a loss of valuable time moving the project forward. The IT pro then spends additional hours managing the group (in essence, reducing this professional to a data entry clerk) when there are critical tasks on which he should be focused. Furthermore, as the project progresses, new employees will need to be added to and dropped from the group, all requiring the IT pro's involvement. This example showcases the process bottleneck that IT pros and line managers face every day, negatively affecting employee productivity and draining valuable IT resources.

Pitfall 2: Not Creating Dynamic AD Groups

Group membership should be defined by information you already have at your disposal, such as a set of rules, AD attributes, existing employee and contractor databases in an HR information system, or project databases. These data sources can be leveraged to make dynamic groups, thereby eliminating the problem of groups not being up-to-date (e.g., not accurately reflecting the current state of staffing).

For example, let's say a product team is designing a new widget at a company named Contoso. The team needs an email-enabled security group to share resources and distribute highly sensitive research results. The person who creates the group might use clearly identifiable common attributes to define who needs to be in it. The people who need to be in the group might all work in the same department, have a common phrase in a job title, work in the same office location, or have a special code that denotes the relative secrecy level to which they're trusted. Using this information, logic can be employed in a rules set that limits membership to only those people who match the specified criteria. As users move in and out of those roles, their inclusion in the defined group is added and removed to reflect their current status.

When automating group membership based on attributes in AD, it's imperative that these attributes are continually updated. If an IT department doesn't synchronize AD users with a trusted authoritative source (such as an HR database), group accuracy and security can't be ensured.

In most companies, the HR department knows more about employees coming and going than the IT department, and this information can be leveraged for the organization's benefit. When employee attributes in AD are synchronized with the HR database, the groups to which the employees belong are automatically updated every time an employee is hired, moves to a new department or job function, or leaves the company. This "checks and balances" system prevents an employee who left the company from having access to confidential information simply because they're still on an email DL. By having an automated way to ensure group accuracy, companies are able to control data access.

Pitfall 4: Not Letting Users Join AD Groups Using a Self-Service Feature

Employees should be empowered to add themselves to appropriate groups without having to go through the IT department, which must manually add them. There should be a self-service group management feature that allows users to add themselves to groups. Afterward, the group owners should receive notifications so that they can then either approve or deny the request with the click a button. This process, which can be easily enabled by third-party software, ensures access to groups across a department or location, while still giving the group owners control. 

Pitfall 5: Lack of Organization of Groups

It's important to organize groups in an easy-to-understand way, such as by geography or managerial hierarchy. Otherwise, groups can be confused with other groups, possibly resulting in people be added to the wrong groups.

For example, suppose that Contoso has four business units located in different regions, each with its own set of groups. If several of the business units have a group named Product Development and Contoso doesn't have its groups organized by geography, a new employee could potentially be added to the wrong Product Development group.

Pitfall 6: Not Including Group Descriptions

The lack of group descriptions has become a major IT problem because AD doesn't require descriptions when groups are created. As a result, companies sometimes find themselves in a situation where a group name (e.g., BZT456) means nothing to anyone in the company and the group's owner can't be consulted because the person has left the company.

When creating a group, it's crucial to insert a description explaining its purpose. Otherwise, when the group owner moves on, no one will know why the group was created, if it's currently being used, or if it still needs to exist. It's also an industry best practice to implement and enforce a standardized naming convention or policy.

Pitfall 7: Failing to Provide for a Group's End of Life

Organizing groups and giving them adequate descriptions are great first steps, but you need to go one step further by setting an expiration date. Without one, a group could potentially live forever. It's not uncommon for AD groups to exist long beyond their intended purpose.

By assigning an expiration date, group owners are forced to regularly review both the need for a group and its membership. This simple limitation can eliminate hundreds of useless groups and stop information from going to the wrong people. To avoid this potential pitfall, companies must implement a solution that provides end-of-life parameters within the AD environment. Implementing a true group life-cycle environment ensures ongoing attestation of the groups being managed.

Pitfall 8: Permanently Adding Users When Only Temporary Access Is Needed

Every organization has users who need only temporary access to information. Because AD doesn't allow users to be added to a group on a temporary basis, the IT department or group owner is responsible for removing people who no longer need access. Letting users who no longer need access remain in groups can lead to a security breach, especially if the group has access to sensitive data.

The pitfall is easily avoided by implementing solutions that enable AD to support temporary access requests. If a user needs access beyond the predetermined expiration date, the group owner should be allowed to confirm the need and renew the membership.

Pitfall 9: Being Unaware of Permission Inheritance in Group Nesting

Group nesting is when you add a group as a member of another group. Although group nesting is often required, AD nests groups based on a parent-child hierarchy. In other words, if you make Group 1 a member of Group 2, the users in Group 1 have, by default, the same permissions as the users in Group 2. When a parent group gets added to another group, all the sub-groups in the parent group are given access to the other group, leading to the potential for unnecessary—and potentially unauthorized—access to information.

For example, suppose that Contoso's Engineering department creates a new project group that requires the head of marketing to be included. If the groups are nested based on a child-parent hierarchy, this marketing person would be added to the engineering group and, unknown to the group's creator, the entire marketing organization is also added.

Group management is an ongoing process that must be monitored to be efficient and effective. However, most monitoring tools used today overlook the group management aspect of an organization, focusing instead on issues such as bandwidth, CPU strength, or storage capacity. Oftentimes, this leaves group management unattended, with no one responsible for effective and secure operations. To avoid running into potential group management health issues, organizations need to implement the appropriate monitoring processes so that they can quickly identify potential health problems.

Effective Group Management Doesn't Have to be Complicated

Group management can be very challenging to tackle due to limitations within AD, but it doesn't need to be. Powerful tools are available, allowing organizations of any size to get up and running with secure, automated, and effective group management processes in place. Even with these group management processes in place, there will still be a few pitfalls to avoid (e.g., being unaware of permission inheritance in group nesting), but a little knowledge can go a long way in avoiding them. In today's IT environment, there's no excuse for a company to experience a security breach due to poor group management, particularly when potential threats can be easily avoided.

 

Read more about:

Top 10
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like