Why’s and How’s of Active Directory Group Management

Active Directory is a tool from Microsoft that helps IT/Network Administrators manage all the entities of a network through a centralized interface. To avoid the headache of manipulating millions of objects individually, Active Directory provides the notion of “Groups”, which lets us group similar objects and manage them as one entity.

In large enterprises with thousands of users, creating groups in Active Directory takes no time at all: users can make dozens of groups in minutes, but cleaning them up is not easy. Figuring out which group is used for what, which group is still needed, which one is not being used, which one would be safe to delete, and so many other “why’s” and “how’s” are part of an Administrator’s daily life in keeping Active Directory in good health. Not easy by any means.

What should they do?

  • Closely monitor the creation and usage of new groups by enterprise users.
  • Do not let regular users create groups by themselves; instead, let them send a request to the Administrators to create the group.
  • Keep deleting any unused groups (reading from Exchange and Active Directory usage logs).
  • Force users to give a good description to every group they create so that Administrators can figure out a group’s purpose easily and take action accordingly.
  • Force the creator of a group to set himself or herself as its owner so that groups can be sorted by owner and, when an owner leaves the organization, all of his or her groups can be deleted.
  • Keep the groups updated with their intended membership as the organization changes so that a group doesn’t become obsolete and users do not have to create a new group for a similar purpose.
  • Help users import groups from other data sources so that they can maintain a consistent set of groups and don’t have to mix and match between different directories for a common cause.
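The list above is a set of checks an admin could automate. The following script is an added example (not from the post or from any vendor product): it audits the groups in one OU for missing descriptions, missing or departed owners, and empty stale groups, and maps each finding to the action suggested above (quarantine first, not outright deletion). The OU path and the 180-day threshold are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$SearchBase = 'OU=Groups,DC=example,DC=com'   # assumed OU; adjust to your forest
$StaleDays  = 180                             # assumed threshold for "unused"
$cutoff     = (Get-Date).AddDays(-$StaleDays)

$groups = Get-ADGroup -Filter * -SearchBase $SearchBase `
            -Properties Description, ManagedBy, Members, whenChanged

$report = foreach ($g in $groups) {
    $issues = @()

    # Rule 4 from the list: every group needs a description an admin can act on.
    if ([string]::IsNullOrWhiteSpace($g.Description)) { $issues += 'NoDescription' }

    # Rule 5: every group needs an owner, and that owner must still be around.
    if (-not $g.ManagedBy) {
        $issues += 'NoOwner'
    } else {
        try {
            $owner = Get-ADObject -Identity $g.ManagedBy -Properties userAccountControl -ErrorAction Stop
            if ($owner.userAccountControl -band 0x2) { $issues += 'OwnerDisabled' }  # ADS_UF_ACCOUNTDISABLE
        } catch {
            $issues += 'OwnerMissing'                                                 # DN no longer resolves
        }
    }

    # Rule 3: an empty group nobody has touched for a long time is a deletion candidate.
    if (@($g.Members).Count -eq 0 -and $g.whenChanged -lt $cutoff) { $issues += 'EmptyAndStale' }

    if ($issues.Count -eq 0) { continue }

    # Map the findings to the action an admin would take; stale groups are not deleted
    # outright but quarantined first, so the owner can still reclaim them.
    $action = switch -Regex ($issues -join ',') {
        'EmptyAndStale'              { 'Virtual-delete: move to quarantine OU, notify owner'; break }
        'OwnerMissing|OwnerDisabled' { 'Reassign owner before any other change'; break }
        default                      { 'Ask owner to fill in the missing description/owner' }
    }

    [pscustomobject]@{ Group = $g.Name; Owner = $g.ManagedBy; Issues = ($issues -join ','); Action = $action }
}

$report | Sort-Object Action, Group | Format-Table -AutoSize
```

The script only reports; wiring the “Virtual-delete” action to an actual move into a quarantine OU is left to the admin, so nothing is changed in the directory by a first run.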

It’s very easy to list all these solutions and suggestions for Administrators, and it might also be easy for an organization to put them into an Administrator’s job description, but when it comes to executing any of them, Administrators don’t really find a magic wand or Aladdin’s lamp to come to their help.

How to help the poor Admins with this challenge? Many companies started creating automated solutions that picked up some of the suggestions above, but the clutter was still not resolved completely. Imanami Corporation (US) was also among the would-be rescuers of these so-called poor “Admins”: it released different products addressing different parts of the problem and was gaining popularity in this domain, but was still not able to satisfy these poor admins. Each of its solution suites contained some of the suggestions above, hitting one particular dimension of the problem while neglecting the others.

This race was “ON” when one day Imanami came up with the concept of Group Life Cycle Management. This was not just a term or a passing thought; the philosophy put a check on every phase of a group’s life and kept the owners and admins informed about every state transition whenever a group switched state.

This term, Group Life Cycle Management, abbreviated GLM, became the core of Imanami’s new product, GroupID. Imanami combined all the solutions above, tagged each with its relevant life cycle state, and provided an automated monitoring mechanism. It reduced the risk associated with automated deletion of unused groups by introducing virtual deletion logic, giving Administrators or Group Owners a facility to undelete objects within a certain time period if they were still needed. This made the solution really exciting for Administrators, and GLM became a buzzword among the “Poor Admins”.

This product took around one and a half years to develop and shape into a final cure and was released in the second quarter of 2009; it started capturing a big market in the US, Europe and Australia. To get a free trial version of this product you can visit Imanami’s website.

The other feature that is very popular in the group management products of different vendors is automated group membership management: the user chooses a membership criterion and saves that criterion in the group itself. The group then executes the criterion to populate its membership, so the user and/or administrator does not have to update the membership manually whenever the need arises. This helps end users keep their groups very much up to date.
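The criterion-driven membership described above, as an added example that is not from the post or from any vendor product: the rule is stored as an LDAP filter in the group’s own `info` (Notes) attribute on a `CRITERIA:` line (an assumption; real products use their own attributes or schema extensions), and the function reconciles the group’s members against it, reporting the planned changes unless `-Apply` is given.

```powershell
Import-Module ActiveDirectory

function Sync-CriteriaGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Apply      # without -Apply the function only reports the planned changes
    )

    $group = Get-ADGroup -Identity $GroupName -Properties info
    if (-not ($group.info -match '(?m)^CRITERIA:\s*(.+)$')) {
        throw "Group '$GroupName' carries no CRITERIA: line in its Notes (info) attribute"
    }
    # e.g. CRITERIA: (&(department=Finance)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    $ldapFilter = $Matches[1].Trim()

    # Desired members come from the saved criterion; current members from the group itself.
    # Nested groups are not matched by Get-ADUser, so they are removed: the group is users-only by design.
    $desired = @(Get-ADUser -LDAPFilter $ldapFilter | Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)

    # Guard against a broken or over-broad filter emptying a populated group in one run.
    if ($current.Count -gt 0 -and $desired.Count -eq 0) {
        throw "Criterion for '$GroupName' matched nobody; refusing to empty the group"
    }

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($Apply) {
        if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    }

    [pscustomobject]@{
        Group   = $group.Name
        Filter  = $ldapFilter
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Applied = [bool]$Apply
    }
}

# Report only for an assumed group name; add -Apply to make the change.
Sync-CriteriaGroup -GroupName 'Finance-All'
```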

Workflow is another major feature offered by a variety of products to impose a filter or check on all possible transactions performed in Active Directory by regular users. Administrators then don’t have to monitor anything closely; instead, they receive workflow requests and notifications as and when any update takes place in Active Directory.

ILM (Identity Life Cycle Manager), released by Microsoft, is another big launch that combines most of these features to target large enterprises and gives very smooth integration with Exchange and Outlook. Through these powerful integrations Microsoft aims to save end users the headache of using multiple interfaces for their day-to-day interactions with group lists. Workflows are exposed very extensively for a variety of scenarios to give power users ease of management.

For further information about ILM you can try this website link.

Synchronization and security among related systems and environments is no longer a luxury: getting user data replicated across all the needed environments is no more than a matter of a few clicks, and both of the products mentioned above offer it. It reduces the risk of errors and makes the transaction a safe one.


  • Naveed Alam

    The hyperlink for trial version generates the following information :

    We have encountered difficulties in sending you the license key(s) and are unable to reach you. Please contact us directly at 1-800-684-8515 x 1 or 01-925-371-3000 x 1 so that we can provide you the information you requested or email us at [email protected].

    Have you confirmed that the link works? Thanks.

    • Naveed Qazi

      This message pops up for users who are using general email addresses from Hotmail, Yahoo or Google. If you have a company-provided email address, you can use that address to download GroupID.
      In case you find difficulties, give us a call on the numbers given above or send us an email.

      Naveed

      • Sajid Bangash

        Great work!!

        • Naveed Qazi

          Thanks.