Active Directory Group Clean up
& Permission Clean up
Does your organization suffer from permission bloat?
After years of delegating access rights and managing group memberships, it can feel
overwhelming to get your arms around the big question of Who Has Access to What?
and impossible to clean up.
If your goal is to reset permissions to a state where rights are only granted where needed, you have a firm understanding of what rights people have, and your infrastructure is easier to manage, NetVision can help.
Approaching the problem
NetVision has identified a few key tasks that can get you most of the way there.
Direct User Assignments - We've all heard the best-practice guidelines. Permission to files and folders should be granted via group memberships and not directly to users. But it still happens all the time. To avoid time-consuming processes or reduce effort, administrators grant permissions directly to user accounts. In an ideal world, this would only be done as an exception and with good reason. In reality, it's done often and without cause. NetVision can provide a quick report of all direct user assignments across numerous servers. It's a good first step toward re-gaining control.
Dormant Accounts - Dormant Accounts are user accounts that have not been used in a while. You can determine whether that means 30 days or 60 days. For some accounts, such as factory workers who log on for HR or benefits purposes, six months of non-use may be normal. The key is to understand your environment and apply the logic as appropriate. But no matter what inputs you use, dormant accounts could be an indicator of risk. NetVision can help you identify accounts that are dormant and apply automated clean-up tasks such as disabling accounts, removing group memberships, or moving the account to a new OU in the directory.
Groups with No Members - An Active Directory Security Group with no members is often an easy choice for cleanup. In addition to eliminating the potential risk that these groups may be used incorrectly, unused groups may add to the clutter and confusion around your group cleanup initiative. NetVision can help you quickly identify these groups and also automate the cleanup, delete, or move of these groups.
Groups with Less than X Members - Once you've eliminated groups with zero members, the next step would be to identify groups with few members. This list of groups gives you a starting point for identifying target areas for consolidation. The groups with the fewest members will be easiest to eliminate by verifying the rights assigned to the group and identifying other groups through which its members can be re-allocated required permissions. NetVision can provide a report containing a list of groups with less than a user-specified number of members.
Users with No Groups - The flip side of groups with no members would be to identify any users that have no group memberships. This may or may not indicate a problem. It could be useful simply for identifying types of users that do not require group memberships that previously seemed mandatory. In other instances, it could indicate a failure in your rights provisioning process. NetVision can provide a report of all user accounts with zero group memberships.
Groups with Less Than X Permission Assignments - Groups with few assigned permissions are another easy target for consolidation. If the group is not being used to grant or deny rights in more than a few instances, there's a chance that the group could perhaps be eliminated or consolidated. Of course, you'd need to compare the results of this report with reports on what other groups have been granted rights to the resources in question to see if the user accounts overlap or if the permissions could already be granted elsewhere. NetVision can provide a report containing a list of groups with less than a user-specified number of permission assignments.
Effective Rights to Resources - NetVision can quickly report on all users and groups that have rights to a set of resources. These reports enable you to quickly see who can access or act upon the resources but also identify HOW permissions are granted so you can make quick decisions about how rights should be applied.
If you're ready to take on your organization's permisison bloat challenges, and to consolidate or reduce the number of security groups in-use, contact us or sign up for a Free product demonstration to see how NetVision can help.