In classic on-prem AD domains, the number of groups often approached parity with the number of user accounts. With Microsoft Teams and Office 365 Groups, the number of groups is only going to keep growing. Along with those groups come entitlements, and with them too much authority. This means that malicious insiders can do more damage the longer they are at a firm, and that attackers who gain control of an account are more likely to have access to what you are trying to protect.
Why are there so many groups in the first place? Most networks are over 20 years old, and most organizations migrated to Active Directory from NT 4.0, Novell and even Banyan Vines. Coexistence has always been a factor in a migration, and most organizations focus on completing the project with the least impact; however, there is a cost associated with that speed. Because groups provide authorization for files and folders, most organizations migrated many groups from legacy environments instead of determining why those groups were created in the first place. Once these groups exist in your directory, it becomes even more challenging to know what they are being used for. A group could be providing access for an application, email distribution, or file and folder access.
Bryan Patton, a colleague at Quest, told me that while watching an episode of “Hoarders” with his wife, he found himself relating it to many of the Active Directory environments he has seen over the years. Just as a hoarder doesn’t want to get rid of objects because they feel those objects may have value later, one must realize that having too many objects without a purpose can be damaging. With the ability to nest groups, it becomes quite challenging to answer the question, “what does this person have access to?” To answer it, you have to know whether that person’s user object has explicit access anywhere, but also break down every group membership that applies (and those groups may themselves be members of other groups).
Usually, in each episode of “Hoarders” there is a psychologist involved to help facilitate the process and achieve satisfactory, sustainable results. Information Security Policies serve a similar role when addressing a cleanup in AD. Just as many hoarders resist getting the help they need, and only by seeing a psychologist come to understand “why” they are hoarding, most organizations lack any governance (established by Information Security Policies) over groups that defines who should be in a group and whether that group’s purpose is still relevant.
With the abundance of organizations now using Office 365, the number of groups will continue to grow. Azure AD Connect synchronizes groups from on-premises Active Directory to Azure Active Directory, and there is also the ability to create Office 365 groups directly in the cloud. Left unmanaged, the proliferation of groups will continue.
Bryan works with a lot of companies to help them clean up their Active Directory – especially with regard to getting control of their groups. In this real training for free event, Bryan will show us the process he and his team have developed to accomplish this, which is roughly broken down into the following steps:
- Assessment
- Implement entitlement management process
- Cleaning up unneeded permissions
- Deleting/combining redundant groups
- Ongoing group and entitlement maintenance
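The assessment step starts with exactly the question raised above: what does this person effectively have access to, and which groups are obvious cleanup candidates? The following PowerShell is an added example written for this post, not code from the original session or from Quest; it assumes the RSAT ActiveDirectory module and read access to the domain, and the function names are my own.

```powershell
# Added example (not from the original post or from Quest): assessment helpers
# for the "what does this person have access to?" question and for spotting
# cleanup candidates. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembership {
    # Resolves direct AND nested membership in a single LDAP query using the
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which
    # walks groups-within-groups on the domain controller side.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName
    $filter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    Get-ADGroup -LDAPFilter $filter -Properties Description, whenCreated |
        Select-Object Name, GroupCategory, GroupScope, Description, whenCreated |
        Sort-Object Name
}

function Find-CleanupCandidateGroups {
    # Flags groups that are empty, undocumented (no description), or that carry
    # exactly the same member list as another group (a merge candidate).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
                -Properties member, Description, whenChanged
    $seenSignature = @{}   # sorted member DNs -> first group seen with that set
    foreach ($g in $groups) {
        $row = @{ Group = $g.Name; Category = $g.GroupCategory; LastChanged = $g.whenChanged }
        if ($g.member.Count -eq 0) {
            [pscustomobject]($row + @{ Reason = 'Empty' })
            continue
        }
        if (-not $g.Description) {
            [pscustomobject]($row + @{ Reason = 'No description' })
        }
        $signature = ($g.member | Sort-Object) -join ';'
        if ($seenSignature.ContainsKey($signature)) {
            [pscustomobject]($row + @{ Reason = "Same members as $($seenSignature[$signature])" })
        } else {
            $seenSignature[$signature] = $g.Name
        }
    }
}

# Usage: flatten one user's membership, then list cleanup candidates domain-wide.
Get-EffectiveGroupMembership -SamAccountName 'jdoe' | Format-Table -AutoSize
Find-CleanupCandidateGroups | Sort-Object Reason, Group | Format-Table -AutoSize
```

Both functions only read the directory; the output is a starting point for the assessment and entitlement-review steps, since a group with no members or no description may still be referenced in an ACL or an application.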
Decluttering years of legacy junk can be time consuming and painful, and keeping it clean is an ongoing challenge. Unfortunately, there is no fancy new technology that will magically tidy years of entangled systems, processes and groups – preparation, persistence and hard work are necessary. However, by putting these practices and solutions in place, organizations can reduce complexity and confusion in their environment and eliminate the inherent risk these unmanaged users and groups represent.
Bryan will briefly show how Quest’s fleet of AD and Windows management solutions helps automate the drudgery of every aspect of this process.
Please join us for this real training for free session.