Occasionally, it pays to get some extra husband points, so last week I decided to spend some time downstairs with my kids cleaning up their playroom. My wife and I were both tired of picking our way along the different toys, DVD cases, pillows, and little kid chairs, and somehow it had gotten messy *again* – it was my turn to herd cats and “help” the kids get it cleaned up. There were toys on the floor, bins full of mismatched pieces from different games, stuffed animals, and Lego – always lots of Lego.
A couple of days later I was working with a client in a large University in the northern United States and it struck me how similar the job was. They were trying to make sense of their AD environment, and everywhere they looked it was a mess. They weren’t the ones who made it – or at least, not all of it – but they were trying to get some work done and it seemed like every time they turned around there was more stuff getting in the way. It suddenly feel like I was back in my basement, picking up toys. The messes were different – the Lego under the foot hurts more – but the causes were the same.
First, there weren’t many clearly marked places to put things away properly, and when there were, they weren’t used properly. OUs were haphazardly named, different from department to department and admin group to admin group. “If you wanted to create a new user, where would it go?” I asked. There was a pregnant pause. “Well”, the response went, “It really depends…”
Second, it wasn’t easy to figure out what things were for. My basement had pieces from one toy mixed in with pieces of another, and the rest of the toys were in other bins. My client had it the same way – AD users, disabled accounts, service accounts, distribution lists and security groups all mashed together in OUs without naming conventions – well, they did have naming conventions, they just had several different ones. Over time, it became difficult to figure out which name meant what.
Finally, everyone was really responsible. At home, my kids (and my wife and me, too, in all honestly) all contributed to the problem. We’d put toys away in whatever bins were handy, created new bins to hold things that were already held somewhere else, put stuff away in the wrong place out of ignorance, not always knowing which toy went with which – the works. Even when we were trying to make it better, we were making it worse because we were doing it piecemeal, and we all had different ideas what the right way to fix it was. Disaster. My clients – well, lets just say that had the same problem but worse. More people, more sets of rules, more objects… ugly.
Near the end of the call, my client summed up his frustration: “I can’t find anything in here, and when I want to do something new, I don’t know where to put it. Every new project finds a new home, and it just keeps spreading on out…” I knew exactly how he felt. It was time to stop making things worse, and start making things better.
Learn about why you should bother cleaning up your Active Directory in Part 2 of this blog post.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.
Read more© 2022 Stealthbits Technologies, Inc.
Leave a Reply