SPHERE Insights is an ongoing column written by various members of the SPHERE team, highlighting unique viewpoints and expertise. This article comes to us from our fearless leader, Rita Gurevich.
Active Directory is the most utilized system within an organization. Active Directory objects serve as the primary mechanism for policy and for providing access to corporate resources, including data, applications and systems. As such, Active Directory provides core security controls that must be managed appropriately to harden security, improve compliance with the policies that dictate system access and use, and gain operational efficiencies.
Master these core Active Directory concepts.
Group Policy Object (GPO): A collection of settings that define what a system will look like and how it will behave for a defined group of users. A GPO is linked to selected Active Directory containers, such as sites, domains, or organizational units (OUs). Group Policy is the primary way most organizations enforce settings on their computers. It is flexible enough for even the most complex scenarios, yet its essential features are easy to use in the simple scenarios that are far more common. Think of Group Policy as “touch once, configure many.”
Organizational Unit (OU): A subdivision within Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. Each domain can implement its own organizational unit hierarchy.
Inventory: Gathering and reviewing all existing documents related to Active Directory administration, analyzing group type and scope, and reviewing key properties such as the ManagedBy field, Notes and Description.
Heavy Nesting: Nesting (groups within groups) defined by business roles, functions, and management rules. While nesting reduces the need to grant access to individual users, multi-level, heavy nesting is a problem because it can grant individuals access to assets they should not have, through memberships that are not visible in any single group's member list.
Membership: Examining the total number of AD groups and their member counts, including groups that grant excessive access, groups with a single member, disabled groups and more. Empty groups should be assessed to determine whether they are still needed. Built-in groups should be reviewed as well.
Stale Groups: Removing stale groups improves the efficiency of group management. Understanding and managing the date/time stamp and activity attributes on Active Directory accounts and groups, such as the create and modify dates, is helpful here, particularly for empty groups.
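The inventory, nesting, membership and stale-group checks above, as an added PowerShell example that is not SPHERE's code: the group names, users and domain are constructed, the hygiene thresholds (stale after 365 days, nesting deeper than 2) are assumptions, and the Get-ADGroup line in the comment is the real cmdlet that would feed it from a live domain.

```powershell
# Added example (not SPHERE's code): flag the group-hygiene issues described above.
# The inventory is constructed inline under a fictional domain; against a live
# domain, build the same objects with the real cmdlet:
#   Get-ADGroup -Filter * -Properties member,whenChanged,ManagedBy,Description

function Get-NestingDepth {
    # 0 = contains no groups; n = longest group-in-group chain below this group.
    param($Group, [hashtable]$ByDn, [System.Collections.Generic.HashSet[string]]$Path)
    if (-not $Path.Add($Group.DistinguishedName)) { return 0 }  # already on the path: cycle
    $deepest = 0
    foreach ($dn in @($Group.member | Where-Object { $_ })) {
        if ($ByDn.ContainsKey($dn)) {                             # member is itself a group
            $d = 1 + (Get-NestingDepth -Group $ByDn[$dn] -ByDn $ByDn -Path $Path)
            if ($d -gt $deepest) { $deepest = $d }
        }
    }
    [void]$Path.Remove($Group.DistinguishedName)
    return $deepest
}
function Get-GroupHygieneReport {
    param([object[]]$Groups, [datetime]$AsOf, [int]$StaleDays = 365, [int]$MaxNesting = 2)
    $byDn = @{}; foreach ($g in $Groups) { $byDn[$g.DistinguishedName] = $g }
    foreach ($g in $Groups) {
        $members = @($g.member | Where-Object { $_ })
        $depth   = Get-NestingDepth -Group $g -ByDn $byDn -Path ([System.Collections.Generic.HashSet[string]]::new())
        $flags   = @()
        if ($members.Count -eq 0) { $flags += 'empty' }
        if ($members.Count -eq 1) { $flags += 'single-member' }
        if ($depth -gt $MaxNesting) { $flags += "heavy-nesting(depth=$depth)" }
        if ($members.Count -eq 0 -and ($AsOf - $g.whenChanged).TotalDays -gt $StaleDays) { $flags += 'stale' }  # empty and untouched
        if (-not $g.ManagedBy)   { $flags += 'no-ManagedBy' }
        if (-not $g.Description) { $flags += 'no-Description' }
        [pscustomobject]@{ Name = $g.Name; Members = $members.Count; Depth = $depth; Findings = ($flags -join ', ') }
    }
}
# Constructed sample: a four-level Finance chain, an empty legacy group, a one-member group.
$ou = 'OU=Groups,DC=corp,DC=example'; $users = 'OU=Users,DC=corp,DC=example'
function New-SampleGroup($Name, $Members, $Changed, $Owner = "CN=Jane Doe,$users", $Desc = 'documented') {
    [pscustomobject]@{ Name = $Name; DistinguishedName = "CN=$Name,$ou"; member = $Members
                       whenChanged = [datetime]$Changed; ManagedBy = $Owner; Description = $Desc }
}
$inventory = @(
    (New-SampleGroup 'FS-Finance-RW'  @("CN=Finance-All,$ou")                    '2024-05-01'),
    (New-SampleGroup 'Finance-All'    @("CN=Finance-EMEA,$ou", "CN=u1,$users")   '2024-04-10'),
    (New-SampleGroup 'Finance-EMEA'   @("CN=Finance-London,$ou", "CN=u2,$users") '2024-03-02'),
    (New-SampleGroup 'Finance-London' @("CN=u3,$users")                           '2024-02-11' $null ''),
    (New-SampleGroup 'Legacy-Print'   @()                                         '2021-01-15'),
    (New-SampleGroup 'Temp-Project'   @("CN=u4,$users")                           '2024-05-28')
)
Get-GroupHygieneReport -Groups $inventory -AsOf ([datetime]'2024-06-01') | Format-Table -AutoSize
```

With the sample data, FS-Finance-RW is reported as heavy-nesting (depth 3) and single-member, Finance-London as single-member with no ManagedBy and no Description, Legacy-Print as empty and stale, and Temp-Project as single-member.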
We’ve developed key work streams for firms to gain an understanding and build a baseline of critical Active Directory functions as well as assets stored and managed within Active Directory. Learn about our AD management service or talk to an AD expert today about your immediate needs.