Ensuring a Group Management Best Practice
Building on the earlier post “The case for multiple owners”, assigning multiple owners to Active Directory groups loses much of its value if the people to whom you have delegated group creation do not actually assign an owner, or additional owners, as part of the creation process.
Now considered a best practice for group lifecycle management (see chapter 5 in Active Directory Group Management for Dummies), ensuring that a group has an owner is a key tenet of ongoing attestation of the group’s validity.
No group should ever be ‘orphaned’, certainly, but how does one go about enforcing a group owner, or even multiple owners? Some of our clients have asked this question over the years, which gave rise to the ability in Imanami’s GroupID to establish a policy on whether a primary group owner should be required and, in addition, whether a minimum number of additional owners must be established.
Establishing this ownership baseline ensures that the best practice (Chapter 5) is fulfilled.
What about your existing groups without an owner? Get a handle on them as well. Use the GroupID Reports (a free tool) to discover which groups are without a designated owner. After all, other than built-in groups, a group without an owner is probably one that is not being managed and thus one that should either be expired (another group management best practice) or assigned to a responsible person(s).
Do you have groups without a responsible business stakeholder managing them? Ask for a demonstration on how we can help get you straightened out.
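For readers who want to run the same discovery with the native ActiveDirectory PowerShell module, the following is an added example, not code from GroupID or the original post. It assumes the owner is recorded in the group's `managedBy` attribute, and it goes one step beyond the text by also listing groups whose recorded owner is a disabled account; the output file names are placeholders.

```powershell
# Read-only audit: nothing in the directory is modified.
Import-Module ActiveDirectory

# Assumption: "owner" means the managedBy attribute on the group object.
# Built-in and other system groups are skipped via isCriticalSystemObject
# and by excluding the Builtin container.
$noOwnerFilter = '(&(objectCategory=group)(!(managedBy=*))(!(isCriticalSystemObject=TRUE)))'

$ownerless = Get-ADGroup -LDAPFilter $noOwnerFilter -Properties member, whenChanged, description |
    Where-Object { $_.DistinguishedName -notlike '*,CN=Builtin,DC=*' } |
    Select-Object Name, GroupCategory, GroupScope,
        @{ Name = 'MemberCount'; Expression = { $_.member.Count } },
        whenChanged, description, DistinguishedName

# Groups that do have an owner, but the owner is a disabled account.
# userAccountControl bit 2 is ACCOUNTDISABLE; owners that are groups or
# contacts have no such attribute and are not flagged.
$staleOwner = Get-ADGroup -LDAPFilter '(&(objectCategory=group)(managedBy=*))' -Properties managedBy |
    Where-Object {
        $owner = Get-ADObject -Identity $_.managedBy -Properties userAccountControl
        $owner.userAccountControl -band 2
    } |
    Select-Object Name, managedBy, DistinguishedName

# Empty groups that have not changed recently are the first candidates for
# expiry; populated ones need a responsible person assigned.
$ownerless | Sort-Object MemberCount, whenChanged |
    Export-Csv -Path .\groups-without-owner.csv -NoTypeInformation
$staleOwner |
    Export-Csv -Path .\groups-with-disabled-owner.csv -NoTypeInformation

'{0} groups without an owner, {1} groups with a disabled owner' -f `
    @($ownerless).Count, @($staleOwner).Count
```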
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.