Medium to large AD environments have thousands of security groups:

It is challenging to manage group membership on this scale:

  • Control access to printers, shares and folders.
  • Membership in mail distribution lists.

  • User needs constantly change.
  • Users do not understand groups or ACLs.
  • Users don't know which groups they need.
  • Who authorizes membership in each group?