Active Directory Group Governance

The most efficient way to manage access in AD is by using groups. However, if not properly managed, AD groups can become a security risk.


Why Do You Need Group Governance?

Employees are typically added to a standard set of groups based on their job role and department when they first join an organization. As they gain more responsibility, are assigned to more projects, or transfer between departments, they are added to further groups to give them the access they need to do their work. Over time, these group memberships, and the access they carry, accumulate, and administrators must proactively examine group membership to determine whether that access is still appropriate and necessary.

Inventory Groups

The first step in a Group Governance program is to take a full inventory of all groups and their memberships and to determine the group owners. Stale groups or groups with no members should be cleaned up or archived.

Active Directory Group Governance - Inventory Groups

Confirm Group Ownership

Next, confirm ownership with the group owner. Responsibilities shift over time as projects and groups evolve, so confirming ownership is an important step to ensure that the right business owners review group membership. Sometimes group ownership is difficult to determine, and checking with a business manager or department head may be required. You will also occasionally find groups that are no longer needed; in that case, delete or archive the group and document the change.

Active Directory Group Governance - Confirm Group Ownerships

Review Group Ownership

The designated group owner should now closely examine all group members to determine whether each should remain in the group. Take special care when examining security group membership: these groups often carry elevated or admin-level privileges and, if misused, represent significant risk to the organization. Group owners should document all requested changes and communicate the adjustments to the AD team.

Active Directory Group Governance - Review Group Ownership

Add or Remove Group Members

The AD team should now make any requested adjustments to group membership. Group members should be added or removed as recommended by the business owner, and all changes should be documented.

Active Directory Group Governance - Add or Remove Group Members

Group Governance is a repeatable process

This process should be repeated on a quarterly or semi-annual basis depending on the needs of your business. It’s important to understand that group governance is an ongoing process that should be conducted frequently to stay in alignment with the business.
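The four steps above (inventory, confirm owners, review membership, apply changes) can be supported with a small amount of scripting. The following PowerShell is an added example written for this page; it is not STEALTHbits' code or part of any product. It assumes the RSAT ActiveDirectory module is installed, that the group's `managedBy` attribute is used as the owner record, and that the review output is a CSV with the assumed columns `Group`, `Member`, `Action` (Add or Remove) and `Ticket`. The inventory function flags empty, ownerless, stale and AdminSDHolder-protected (`adminCount=1`) groups so reviewers can prioritise; the apply function supports `-WhatIf` for a dry run and writes a change log for the documentation step.

```powershell
# Added example (not the page's or STEALTHbits' code). Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GroupInventory {
    [CmdletBinding()]
    param(
        [string]$SearchBase,      # optional OU distinguished name to scope the inventory
        [int]$StaleDays = 365     # groups not modified within this window are flagged STALE
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $params = @{ Filter = '*'; Properties = 'ManagedBy','Members','whenChanged','Description','adminCount' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }

    Get-ADGroup @params | ForEach-Object {
        $g = $_
        # Resolve the owner recorded in managedBy (assumed ownership convention); may be empty
        $owner = if ($g.ManagedBy) {
            $(try { (Get-ADObject -Identity $g.ManagedBy -Properties mail).mail } catch { $g.ManagedBy })
        } else { $null }

        # Recursive membership shows the effective reach of nested groups (may fail on very large groups)
        $effective = $(try { @(Get-ADGroupMember -Identity $g -Recursive) } catch { @() })

        [pscustomobject]@{
            Name             = $g.Name
            Category         = $g.GroupCategory   # Security vs Distribution
            Scope            = $g.GroupScope
            Owner            = $owner
            DirectMembers    = $g.Members.Count
            EffectiveMembers = $effective.Count
            LastChanged      = $g.whenChanged
            Description      = $g.Description
            Flags            = (@(
                if ($g.Members.Count -eq 0)     { 'EMPTY' }
                if (-not $g.ManagedBy)          { 'NO_OWNER' }
                if ($g.whenChanged -lt $cutoff) { 'STALE' }
                if ($g.GroupCategory -eq 'Security' -and $g.adminCount -eq 1) { 'PRIVILEGED' }
            ) -join ';')
        }
    }
}

function Set-ReviewedMembership {
    # Applies owner-approved changes; run with -WhatIf first to preview.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ChangeCsv,          # assumed columns: Group, Member, Action, Ticket
        [string]$LogPath = '.\group-membership-changes.csv' # documentation of every applied change
    )
    Import-Csv -Path $ChangeCsv | ForEach-Object {
        $c = $_
        $prep = if ($c.Action -eq 'Add') { 'to' } else { 'from' }
        $desc = "$($c.Action) $($c.Member) $prep $($c.Group) (ticket $($c.Ticket))"
        if ($PSCmdlet.ShouldProcess($c.Group, $desc)) {
            switch ($c.Action) {
                'Add'    { Add-ADGroupMember    -Identity $c.Group -Members $c.Member }
                'Remove' { Remove-ADGroupMember -Identity $c.Group -Members $c.Member -Confirm:$false }
                default  { Write-Warning "Unknown action '$($c.Action)' for $($c.Group); skipped"; return }
            }
            [pscustomobject]@{
                When = Get-Date; Group = $c.Group; Member = $c.Member
                Action = $c.Action; Ticket = $c.Ticket; AppliedBy = $env:USERNAME
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Usage (assumed paths):
# Get-GroupInventory -StaleDays 180 | Export-Csv .\group-inventory.csv -NoTypeInformation
# Set-ReviewedMembership -ChangeCsv .\reviewed-changes.csv -WhatIf   # dry run
# Set-ReviewedMembership -ChangeCsv .\reviewed-changes.csv           # apply and log
```

Sort the inventory by the `Flags` column so that `PRIVILEGED` and `NO_OWNER` groups go to reviewers first; an empty `Owner` is exactly the case the "Confirm Group Ownership" step has to resolve before the membership review can be assigned. Because `Set-ReviewedMembership` declares `SupportsShouldProcess`, `-WhatIf` propagates to the `Add-ADGroupMember` and `Remove-ADGroupMember` calls, so the preview touches nothing.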
