ACTIVE DIRECTORY GROUP GOVERNANCE
The most efficient way to manage access in AD is by using groups. However, if not properly managed, AD groups can become a security risk.
WHY DO YOU NEED GROUP GOVERNANCE?
Employees are typically added to a standard set of groups based on their job role and department when they first join an organization. As they gain more responsibility, are assigned to more projects, or transfer departments, they are added to additional groups to give them the access they need to do their work. Over time, these group memberships, and the access that comes with them, keep growing, and administrators must proactively examine group membership to determine whether the access is still appropriate and necessary.
The first step in a Group Governance program is to take a full inventory of all groups and their memberships and to determine the group owners. Stale groups or groups with no members should be cleaned up or archived.
CONFIRM GROUP OWNERSHIP
Next, confirm ownership with the group owner. Responsibilities shift over time as projects and groups evolve. Confirming ownership is an important step to guarantee that the right business owners review group membership. Occasionally group ownership is difficult to determine, so checking with a business manager or department head may be required. You will also sometimes find groups that are no longer needed. In this case, delete or archive the group and document the change.
REVIEW GROUP MEMBERSHIP
The designated group owner should now closely examine all group members to determine whether each one should remain in the group. Security groups deserve particular scrutiny: they often carry elevated or admin-level privileges and, if misused, represent a significant risk to the organization. Group owners should document all requested changes and communicate the adjustments to the AD team.
ADD OR REMOVE GROUP MEMBERS
The AD team should now make any requested adjustments to group membership. Group members should be added or removed as recommended by the business owner, and all changes should be documented.
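As an added illustration of the inventory, ownership and membership-review steps above (example code written for this page, not part of StealthAUDIT or the original text), the following PowerShell uses the RSAT ActiveDirectory module to flag empty, unowned and stale groups and to produce a per-group membership sheet for owners to mark up. The 365-day staleness threshold and the output folder are assumptions.

```powershell
# Added example for the governance steps above (not StealthAUDIT code).
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$StaleDays = 365                                  # assumed review threshold
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$OutDir    = '.\GroupGovernance'                  # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$inventory  = [System.Collections.Generic.List[object]]::new()
$membership = [System.Collections.Generic.List[object]]::new()

# Reading the 'member' attribute directly avoids Get-ADGroupMember's default
# 5000-result limit; it lists direct members only (a nested group counts as one).
$groups = Get-ADGroup -Filter * -Properties ManagedBy, Members, whenChanged, adminCount

foreach ($g in $groups) {
    $memberCount = @($g.Members).Count
    $owner = if ($g.ManagedBy) {
        (Get-ADObject -Identity $g.ManagedBy -Properties sAMAccountName).sAMAccountName
    } else { $null }

    # Inventory findings: empty, unowned, or long-untouched groups need a decision.
    $flag = if ($memberCount -eq 0)             { 'EMPTY' }
            elseif (-not $owner)                { 'NO-OWNER' }
            elseif ($g.whenChanged -lt $Cutoff) { 'STALE' }
            else                                { 'OK' }

    $inventory.Add([PSCustomObject]@{
        Group       = $g.SamAccountName
        Category    = $g.GroupCategory          # Security groups get closer review
        Scope       = $g.GroupScope
        Privileged  = ($g.adminCount -eq 1)     # protected by AdminSDHolder
        MemberCount = $memberCount
        Owner       = $owner
        LastChanged = $g.whenChanged
        Flag        = $flag
    })

    # Owner-review sheet: one row per (group, member); the owner fills in Keep.
    foreach ($dn in $g.Members) {
        $m = Get-ADObject -Identity $dn -Properties sAMAccountName
        $membership.Add([PSCustomObject]@{
            Group = $g.SamAccountName; Owner = $owner
            Member = $m.sAMAccountName; MemberType = $m.ObjectClass; Keep = ''
        })
    }
}

$inventory  | Sort-Object Flag, Group   | Export-Csv "$OutDir\group-inventory.csv"  -NoTypeInformation
$membership | Sort-Object Group, Member | Export-Csv "$OutDir\group-membership.csv" -NoTypeInformation
$inventory  | Group-Object Flag | Select-Object Name, Count
```

The returned membership sheet, once the owner has filled in the Keep column, is the documented change request the AD team works from in the next step.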
GROUP GOVERNANCE IS A REPEATABLE PROCESS
This process should be repeated on a quarterly or semi-annual basis depending on the needs of your business. It’s important to understand that group governance is an ongoing process that should be conducted frequently to stay in alignment with the business.