The first step in a Group Governance program is to take a full inventory of all groups and their memberships and to determine the group owners. Stale groups or groups with no members should be cleaned up or archived.
Next, confirm ownership with the group owner. Responsibilities shift over time as projects and groups evolve, so confirming ownership is an important step to guarantee that the right business owners review group membership. Group ownership is occasionally difficult to determine, so checking with a business manager or department head may be required. You will also occasionally find groups that are no longer needed; in that case, delete or archive the group and document the change.
The designated group owner should now closely examine all group members to determine whether they should continue to be in the group. Special care should be taken when examining security group membership, as these groups often have elevated or admin-level privileges and, if used maliciously, represent significant risk to the organization. Group owners should document all requested changes and communicate the adjustments to the AD team.
The AD team should now make any requested adjustments to group membership. Group members should be added or removed as recommended by the business owner, and all changes should be documented.
This process should be repeated on a quarterly or semi-annual basis depending on the needs of your business. It’s important to understand that group governance is an ongoing process that should be conducted frequently to stay in alignment with the business.
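One way to produce the inventory that starts each review cycle is sketched below. It is an added example, not part of the original text. It assumes ownership is recorded in each group's `managedBy` attribute, treats a group unchanged for 180 days as stale, and writes to a report path chosen here for illustration.

```powershell
# Added example: read-only inventory of AD groups for a governance review.
# Needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$StaleDays = 180                        # assumption: staleness threshold
$OutFile   = '.\group-inventory.csv'    # assumption: report location
$cutoff    = (Get-Date).AddDays(-$StaleDays)

$report = Get-ADGroup -Filter * -Properties Members, ManagedBy, whenChanged |
    ForEach-Object {
        # Assumption: the owner is whoever is recorded in managedBy (a DN).
        $owner = $_.ManagedBy

        # 'Members' holds direct members only; accounts that belong through
        # their primary group (e.g. Domain Users) are not listed here.
        $count = @($_.Members).Count

        # whenChanged is only a rough staleness signal; confirm with the
        # owner before archiving anything.
        $flags = @()
        if (-not $owner)                { $flags += 'NoOwner' }
        if ($count -eq 0)               { $flags += 'Empty' }
        if ($_.whenChanged -lt $cutoff) { $flags += 'Stale' }

        [pscustomobject]@{
            Name        = $_.Name
            Category    = $_.GroupCategory    # Security or Distribution
            Scope       = $_.GroupScope
            Owner       = $owner
            MemberCount = $count
            LastChanged = $_.whenChanged
            Flags       = $flags -join ';'
            DN          = $_.DistinguishedName
        }
    }

# Security groups first, since they carry the privileges owners must review.
$report |
    Sort-Object @{ Expression = { $_.Category -ne 'Security' } }, Name |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Console summary: groups needing follow-up before owner review starts.
$report | Where-Object Flags | Group-Object Flags |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The script only reads from the directory. Keeping each cycle's CSV alongside the documented change requests gives the next review a baseline to compare against.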