Adaxes Blog


Active Directory Group Membership Management

If you run an Active Directory environment in your organization, chances are you waste a lot of time manually adding users to some groups and removing them from others. It's one of the most common everyday tasks, fundamental to AD management, so it seems hard to do anything about it. Or is it?

Obviously, managing groups is an important task. Security groups are needed for assigning permissions and distribution lists are needed for email, so there's no way to simply reduce the number of tasks involved. But there are several steps you can take to optimize the process.

Automation

There are many situations in which you can define exactly when and how group membership needs to change. That means it can be automated. Here are the most relevant cases to start with.

User Provisioning

When provisioning a new user in Active Directory, you need to add the account to certain groups. Some are common to all users (e.g. a 'Staff Members' group); others have conditions attached, e.g. membership can depend on job role, location, department, and so on.

In Adaxes this is easy to automate. All you need to do is add your group membership logic to the Business Rule that is triggered after a new user is created. You can specify conditions that add the user to different groups based on the parameters you define.

In practice you can add any level of complexity, depending on the procedures your organization requires (for the most custom cases you can use your own scripts). So every time a new user is provisioned, the account is automatically added to all the necessary groups with no manual intervention whatsoever.

Updating Users

After a user is created in Active Directory, a lot still happens to the account during its lifecycle. E.g. a user can be promoted, moved to another department, or added to a new project. Such actions can be accompanied by corresponding changes in group membership, which can also be automated.

Adaxes lets you apply the same principles as in user onboarding. Just put the automation logic in a Business Rule and define when it should be triggered. E.g. every time a user is moved to a new OU, you can remove the account from all the groups associated with the previous OU and add it to the groups of the new one.

You can also run scheduled tasks that regularly check that all users are members of the groups they need and that no group contains members it should not.
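The three automation cases above (adding groups at provisioning, re-syncing after a move, and a scheduled drift check) all reduce to the same operation: compute the groups a user should hold from the user's attributes, diff that against the groups the user does hold, and apply the difference. The following PowerShell is an added example written for this article; it is not Adaxes code and does not use Business Rules. It assumes the RSAT ActiveDirectory module, keys the policy on the Department and City attributes rather than on the OU (swapping the lookup key for the parent OU of the user's DistinguishedName is the only change needed for the OU case), and all group names and the 'OU=Staff,DC=corp,DC=example' search base are placeholders. The important safety property is the $ManagedGroups allow-list: the script only ever adds or removes groups that appear in its own policy, so a mistyped attribute can never strip Domain Admins or a hand-granted project group.

```powershell
Import-Module ActiveDirectory

# Policy table: which groups a user should hold, keyed by attribute value.
# All group names are placeholders chosen for this example.
$DepartmentGroups = @{
    'Finance'     = @('Dept-Finance', 'App-ERP-Users')
    'Engineering' = @('Dept-Engineering', 'VPN-Users')
    'Sales'       = @('Dept-Sales', 'CRM-Users')
}
$SiteGroups = @{
    'London' = @('Site-London', 'Printers-London')
    'Berlin' = @('Site-Berlin', 'Printers-Berlin')
}

# The only groups this script may add to or remove from. Anything else (Domain Admins,
# project groups granted by hand) is never touched, so a bad attribute value cannot
# grant or strip access outside the policy.
$ManagedGroups = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
[void]$ManagedGroups.Add('Staff Members')
foreach ($list in @($DepartmentGroups.Values) + @($SiteGroups.Values)) {
    foreach ($name in $list) { [void]$ManagedGroups.Add($name) }
}

function Get-DesiredGroups {
    # Everyone gets 'Staff Members'; department and city each contribute their own groups.
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)
    $groups = @('Staff Members')
    if ($User.Department -and $DepartmentGroups.ContainsKey($User.Department)) {
        $groups += $DepartmentGroups[$User.Department]
    }
    if ($User.City -and $SiteGroups.ContainsKey($User.City)) {
        $groups += $SiteGroups[$User.City]
    }
    return $groups
}

function Sync-UserGroupMembership {
    # Brings one user's managed memberships in line with the policy and reports the delta.
    # -WhatIf propagates to the Add/Remove cmdlets, so the diff can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user    = Get-ADUser -Identity $SamAccountName -Properties Department, City, MemberOf
    $desired = Get-DesiredGroups -User $user
    # MemberOf holds distinguished names; resolve them to group names for the comparison.
    $current = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $ManagedGroups.Contains($_) -and $_ -notin $desired })

    foreach ($name in $toAdd) {
        Add-ADGroupMember -Identity $name -Members $user
    }
    foreach ($name in $toRemove) {
        Remove-ADGroupMember -Identity $name -Members $user -Confirm:$false
    }
    [pscustomobject]@{ User = $SamAccountName; Added = $toAdd; Removed = $toRemove }
}

# Provisioning: run once after New-ADUser has populated Department and City.
# Sync-UserGroupMembership -SamAccountName 'jdoe'

# Scheduled reconciliation: report drift for every enabled user in the staff OU.
# Review the -WhatIf output first, then drop the switch to let the task fix the drift.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Staff,DC=corp,DC=example' |
    ForEach-Object { Sync-UserGroupMembership -SamAccountName $_.SamAccountName -WhatIf } |
    Where-Object { $_.Added.Count -gt 0 -or $_.Removed.Count -gt 0 }
```

Run the reconciliation under an account that only holds write access to the member attribute of the managed groups, not a domain administrator, so that a bug in the policy table has a bounded blast radius.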

User Deprovisioning

Last but not least, your users will eventually leave the organization. Ideally, offboarding is automated, and you have two main options regarding group membership: either remove the user from all groups once the account is terminated, or add the user to a group that denies all permissions in your environment. The second option can be useful if you may need to restore the account at some point. Bear in mind that a deny group only takes effect on resources whose ACLs carry an explicit deny entry for it; the memberships the user keeps still grant access everywhere else, so disable the account in either case, and keep a record of the memberships you remove if you want to restore them later.
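The following PowerShell is an added example of the offboarding step, not Adaxes code. It combines both options from the paragraph above with a snapshot so that removal and restore are both possible: it records the account's group DNs to a JSON file, disables the account, strips every membership, and optionally adds the account to a deny group. It assumes the RSAT ActiveDirectory module; the 'C:\Offboarding' directory and the 'Deny-All-Access' group name are placeholders.

```powershell
Import-Module ActiveDirectory

function Disable-LeaverAccount {
    # Offboards one account: snapshot memberships, disable, strip groups, optionally add a deny group.
    # Returns the path of the snapshot file so the caller can log or archive it.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SnapshotDirectory = 'C:\Offboarding',   # placeholder location
        [string]$DenyGroup = 'Deny-All-Access'           # placeholder; pass '' to skip
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # MemberOf never includes the primary group (normally Domain Users); that one stays.
    $groups = @($user.MemberOf)

    # 1. Snapshot the DN list first, so a restore can replay it exactly.
    New-Item -ItemType Directory -Path $SnapshotDirectory -Force | Out-Null
    $snapshot = Join-Path $SnapshotDirectory ('{0}-{1:yyyyMMdd-HHmmss}.json' -f $SamAccountName, (Get-Date))
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = $user.DistinguishedName
        Groups            = $groups
        TakenAt           = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $snapshot -Encoding UTF8

    # 2. Disable before touching groups, so no new logon can happen while access is being removed.
    Disable-ADAccount -Identity $user

    # 3. Remove every membership. Group SIDs end up in the user's token and in any Kerberos
    #    tickets already issued, so memberships left in place keep granting access to whoever
    #    can still use the account; removal does not revoke sessions that are already open.
    foreach ($dn in $groups) {
        Remove-ADGroupMember -Identity $dn -Members $user -Confirm:$false
    }

    # 4. Optional deny group. It only bites on resources whose ACLs carry an explicit Deny ACE
    #    for this group, so it is an extra control, not a replacement for step 3.
    if ($DenyGroup) {
        Add-ADGroupMember -Identity $DenyGroup -Members $user
    }

    return $snapshot
}

function Restore-LeaverAccount {
    # Reverses Disable-LeaverAccount from its snapshot file.
    param(
        [Parameter(Mandatory)][string]$SnapshotPath,
        [string]$DenyGroup = 'Deny-All-Access'
    )
    $data = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    $user = Get-ADUser -Identity $data.SamAccountName
    if ($DenyGroup) {
        Remove-ADGroupMember -Identity $DenyGroup -Members $user -Confirm:$false
    }
    foreach ($dn in @($data.Groups)) {
        Add-ADGroupMember -Identity $dn -Members $user
    }
    Enable-ADAccount -Identity $user
}

# Usage:
# $file = Disable-LeaverAccount -SamAccountName 'jdoe'
# Restore-LeaverAccount -SnapshotPath $file
```

The snapshot file is itself sensitive (it lists exactly which access an identity used to have), so store it somewhere only the provisioning team can read, and treat a restore as a new access request that goes through the same approvals as onboarding rather than a silent replay.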

Delegation

Automating tasks is great, but you can't automate absolutely everything. Another important aspect of group membership management is delegating it. Ideally, most tasks associated with group membership should be handled by the managers of the respective teams, because the tasks themselves are relatively easy.

There are two things to get right when delegating such tasks to non-technical people. First, the tasks must be easy to understand. Second, the delegates must not be over-privileged: they should get no ability to break something or to see things they are not supposed to.

Adaxes lets you do that through its Web Interface, where you can customize absolutely everything. You can specify which AD groups each manager can see, which users he or she can add to those groups, and so on.

Another benefit of doing it via the web interface is that you can hide the whole concept of Active Directory from the users. They don't need to know that such a thing exists (they probably don't anyway). E.g. if a group is used to assign printer permissions, you can call the action that adds users to this group simply 'Give permissions to printers'. As simple as that, with no extra complications.

Self-Service

You can go even further with delegation and allow users to add themselves to certain groups. This is achieved with a separate web UI for self-service. Technically it's the same thing as delegation to managers; the only difference is that users perform the changes on their own accounts.
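Whatever front end sits in front of it, the "not over-privileged" requirement from the Delegation section and the self-service case above both come down to the ACL on the group object in AD. The following PowerShell is an added example, not Adaxes code, of doing that at the directory level: delegation grants a managers' group WriteProperty on the single 'member' attribute of one group (nothing else on the object), self-service grants the Self right on the same attribute, which is the validated write that lets a principal add or remove only itself, and an audit function lists who can change a group's members. It assumes the RSAT ActiveDirectory module (which also mounts the AD: drive used by Get-Acl and Set-Acl) and PowerShell 5 or later; group names in the usage lines are placeholders.

```powershell
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl / Set-Acl

# Resolve the schema GUID of the 'member' attribute from the forest schema instead of
# hard-coding it; the same GUID identifies the "add/remove self as member" validated write.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID

function Add-MemberAce {
    # Appends one Allow ACE granting $Right on the 'member' attribute of $GroupName to $Principal.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Principal,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $group = Get-ADGroup -Identity $GroupName -Properties adminCount
    if ($group.adminCount -eq 1) {
        # Protected groups (Domain Admins and friends) get their ACL rewritten from
        # AdminSDHolder by SDProp every hour; delegating on them is both futile and unsafe.
        throw "$GroupName is protected by AdminSDHolder; do not delegate membership of it."
    }
    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Principal,
        $Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Grant-GroupMembershipDelegation {
    # Delegation: members of $DelegateGroup may add and remove anyone in $GroupName,
    # and nothing else on the object (no rename, no delete, no other attributes).
    param([Parameter(Mandatory)][string]$GroupName, [Parameter(Mandatory)][string]$DelegateGroup)
    $sid = (Get-ADGroup -Identity $DelegateGroup).SID
    Add-MemberAce -GroupName $GroupName -Principal $sid -Right ([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}

function Grant-GroupSelfService {
    # Self-service: holders of $Principal may add or remove only themselves from $GroupName.
    # 'Self' is a validated write, so the DC rejects any attempt to add someone else.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [System.Security.Principal.SecurityIdentifier]$Principal =
            [System.Security.Principal.SecurityIdentifier]::new([System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, $null)
    )
    Add-MemberAce -GroupName $GroupName -Principal $Principal -Right ([System.DirectoryServices.ActiveDirectoryRights]::Self)
}

function Get-MemberWriters {
    # Audit check: who can change this group's members, and how (delegated write vs self-service).
    param([Parameter(Mandatory)][string]$GroupName)
    $dn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, GenericWrite, GenericAll'
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (placeholder names):
# Grant-GroupMembershipDelegation -GroupName 'Printers-London' -DelegateGroup 'Mgr-London'
# Grant-GroupSelfService          -GroupName 'Newsletter-Subscribers'
# Get-MemberWriters               -GroupName 'Printers-London'
```

Run Get-MemberWriters against any group that guards something sensitive before you open it up to delegation or self-service: entries with ObjectType equal to the empty GUID are GenericWrite or GenericAll grants on the whole object, often inherited from an OU, and they let the holder do far more than manage members.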

Approvals

To make sure that your delegation practices don't turn into a security disaster, you need to stay in control. For this purpose, Adaxes lets you introduce approvals into the process.

So, when somebody wants to add a user to a security-sensitive group, the operation is not executed until the group owner approves it (the list of approvers is fully customizable). Or, for example, if the initiator of the operation is not a member of the 'Managers' group and tries to add themselves to some group, an approval request can be sent to the user's manager before the operation completes.

Wrapping Up

Don't bury your IT department in endless group membership management tasks. They have more important things to do. Simple tasks like these should either be automated or delegated to users with a lower level of technical skill. Don't waste your highly paid IT staff's time on things like that.

You can start improving your Active Directory management right now by downloading a free 30-day trial of Adaxes.

