Medium to large AD environments have thousands of security groups:

It is challenging to manage groups on this scale:

  • Control access to printers, shares and folders.
  • Membership in mail distribution lists.

  • Groups are created but never removed.
  • Group membership does not track changing user responsibilities.
  • Users do not understand groups or permissions -- don't know what to request.
  • Who authorizes membership in each group?