Group management challenges
Over time, the number of groups grows and in some cases surpasses the number of users. As groups proliferate, they become difficult to manage, which leads to problems including:
- Stale groups or group memberships, no longer clearly linked to a business function.
- Empty or very small groups.
- Redundant groups (i.e., with identical or very similar membership).
- Groups with obscure descriptions.
- Groups with missing, invalid or inappropriate owners.
- Difficult access request processes, as users are unsure what to request and administrators are unsure of whether to approve or fulfill requests.
Complexity in managing large numbers of changes in group membership leads to real business problems:
- Staffing cost associated with managing groups, often in an access administration team.
- Long turnaround and lost productivity when users wait hours or days for required access rights.
- Users with inappropriate access rights, as a result of process deficiencies.
Managing group objects
Groups are created, should be actively managed and may eventually be deleted, like any other object in a directory. Also like other directory objects, they should be subject to policies and standards:
- Groups should always be assigned owners.
- Naming conventions should be applied to the cn, sAMAccountName and description attributes.
- Groups should be placed in appropriate containers (OU).
- Attributes such as group type (security group versus mail distribution list) and scope (Universal, Global or Domain Local) in AD should be set appropriately.
- Groups may contain child groups and (conversely) be members of parent groups. These relationships must not form loops. AD itself does not prevent circular nesting, so the constraint has to be enforced by process or by tooling that checks the membership graph.
These are basic, technical constraints. Businesses usually have additional requirements, such as restricting who can request the creation of new groups or modification to existing groups, what kinds of groups users can request, who must approve changes to groups, who should review the configuration and membership of groups and when, etc.