Building an Active Directory Workflow From the Ground Up

A healthcare services company was growing. That’s the good news. The bad news, at least for the Company’s IT Department, was that the growth was derived largely through acquisition. Each new merger meant another Active Directory to be integrated, new domain controllers to manage, more privileged accounts to track. The IT team was always under pressure to integrate the new organizations as quickly as possible, and thus, AD cleanup and optimization was never a priority.

They described their environment as a collection of different sets of policies, with dozens of Groups with different names and exactly the same members. “They estimated their AD object count to be 4 times as large as necessary,” explained Patrick Conlon, STEALTHbits’ Director of Professional Services. “And it wasn’t just about inefficiency. A chaotic Active Directory adds significant security risk to any organization, and they knew it. For example, they had about 4,000 users total, and over 150 admin accounts. That’s a problem.”

With a small IT team to begin with, and senior management pressure to quickly integrate new acquisitions quickly with little or no priority placed on Active Directory or security, the Company’s IT management knew they needed a close partnership. “They told us they needed consultation, not a tool,” added Patrick. “They basically said ‘tell us what to do.’”

With Perfectly equipped - and specifically designed - to do just that, STEALTHbits’ Professional Services team essentially became a de-facto extension of the Company’s IT Department for Active Directory Management. Starting with STEALTHbits’ AD Assessment – a tool designed to provide a quickly-generated snapshot of an enterprise’s AD status – the STEALTHbits Professional Services team developed a plan that would:

  1. Clean up the existing AD environment
  2. Train the Company’s IT department on the use of STEALTHbits’ products
  3. Develop workflows and new processes for provisioning new Groups and permissions, and removing those no longer needed
  4. Build a periodic AD maintenance and cleanup process moving forward, effectively leveraging the capabilities of STEALTHbits’ products independent of the Professional Services team long-term.

STEALTHbits’ engineers spent a month meeting with the Company’s IT people, aggregating and analyzing AD data collected using the AD Assessment tool, and generating dozens of reports designed to crystallize an AD optimization strategy. The work resulted in the development of an AD Cleanup document that detailed project priorities, literally ranking them from 1 to 10. Patrick explained: “We prioritized the big-ticket items: trust and configurations between domains, accounts with elevated permissions, computer objects and group configurations, documentation around all those, and the process for provisioning new items across those major categories.”

The document generated for the healthcare services company now serves as a model for similar Professional Services Group engagements. “Frankly, there may be some irony in this project,” summarized Patrick. “We helped the customer develop processes they use going forward, and our documentation of our effort resulted in a highly effective tool and process for us to deliver similar services and value in our subsequent engagements. It’s cliché, but that sounds like a win-win to us.”


In Brief:

  • Healthcare Services Company

  • Approximately 4,000 users

  • Active Directory was a mess

  • Knew they didn’t have expertise with the tool or AD administration to do this on their own

Quotes:

  • “They told us they needed consultation, not a tool... they basically said ‘tell us what to do.’”

  • “They had about 4,000 users total, and over 150 admin accounts. That’s a problem.”

  • “They estimated their AD object count to be 4 times as large as necessary.”