Dynamic security groups in Active Directory are extremely important, not hard to do, and on-premises AD still gives you no built-in way to do them. Why are they extremely important? To answer a question with a question: when was the last time a user came to you and asked to have old permissions revoked?
Users who change jobs immediately demand every new permission they now need and never say, "Hey, I used to be in operations, maybe you should take away my access to X, Y and Z." Even if you are using roles, you are undoubtedly also using AD security groups, and those groups are where the stale access piles up. So manage them dynamically: derive membership from attributes the business already maintains (department, title, manager, location) instead of from tickets that never arrive.
So it's a given that you need to manage membership of AD groups dynamically, and if you follow the link above you can see how easy it is. But what do we actually use these AD groups for?
- File and folder access: Windows is built on using AD groups for file and folder ACLs. You want to manage these permissions efficiently to avoid token bloat (every group a user belongs to adds a SID to their Kerberos ticket, and once that ticket outgrows the configured token size, logons and resource access start failing) while still giving access to all the right data. Most software gives you an either/or situation: either manage the membership dynamically or manage the permissions. EmpowerID File Share Manager merges these ideas and lets you dynamically manage membership and permissions. Together.
- Application access: this is a tough one, because Windows only delivers group membership to applications that use its own integrated authentication (Kerberos/NTLM tokens, or an LDAP lookup of the user's groups). Even so, these dynamic groups can and should be the method for granting application access. The key to making this work is an authentication process that can recognize security group membership and roles, something like the EmpowerID metadirectory. SharePoint is an interesting example: it handles permissions based on AD groups but gives you no good way to manage those groups. Make them dynamic and the problem is solved.
- Group Policy Objects (GPO): a GPO can be security-filtered so that it applies only to members of a group, which works well for settings like desktop or IE configuration by department. If you are doing this, you had better be sure the departmental groups contain exactly the right members, because a stale member keeps receiving (or stops receiving) that department's policy.
In all of these situations, if you are controlling files/folders, applications or GPOs by AD security group and maintaining those groups by hand, you run the risk of out-of-date membership: people who should have been removed and never were.
A simple-to-use group management tool lets you manage the membership dynamically. There are a few choices out there, but the key question is how extensible the tool is. Do you want to manage only the membership? Or also the key pieces around it: which file/folder permissions the group carries, and how provisioning and single sign-on to applications are driven by group membership?
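To make "manage the membership dynamically" concrete, here is the core of what such a tool does, written as an added PowerShell example. It is not EmpowerID's code or anything from this post; it assumes a hypothetical domain corp.example, a group named Dept-Operations, and a rule of "enabled users whose Department is Operations", and it needs the ActiveDirectory RSAT module. It computes the membership the rule says the group should have, diffs that against the current direct members, and applies both the adds and the removals, which is the half that manual processes never get around to.

```powershell
<#
  Added example, not EmpowerID's code: reconcile an AD security group's
  direct membership against an attribute-based rule, the way a dynamic
  group engine does. Hypothetical assumptions: domain corp.example,
  group Dept-Operations, rule "enabled users with Department = Operations".
  Requires the ActiveDirectory RSAT module. Run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName  = 'Dept-Operations',
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',
    # Get-ADUser filter expression; change this to change the rule.
    [string]$Rule       = 'Department -eq "Operations" -and Enabled -eq "True"'
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Who SHOULD be in the group according to the rule.
$desired = @(Get-ADUser -Filter $Rule -SearchBase $SearchBase |
             Select-Object -ExpandProperty DistinguishedName)

# 2. Safety check: a rule that matches nobody (typo in the filter, broken
#    HR feed) would otherwise empty the group in one run.
if ($desired.Count -eq 0) {
    throw "Rule '$Rule' matched no users; refusing to strip $GroupName."
}

# 3. Who IS in the group right now. Direct user members only: nested
#    groups are left alone so the rule manages people, not group structure.
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty distinguishedName)

# 4. Diff the two sets by distinguished name.
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

# 5. Apply, honouring -WhatIf / -Confirm through ShouldProcess.
if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# 6. Emit an audit record. The Removed list is exactly the access that
#    nobody would ever have filed a ticket to revoke.
[pscustomobject]@{
    Group   = $GroupName
    Added   = $toAdd
    Removed = $toRemove
}
```

Run it on a schedule (or from whatever fires when HR data changes) and the group can never drift from its rule for longer than one interval. The empty-rule guard matters in practice: the most common way to break a dynamic group is a source attribute that suddenly goes blank, and without the guard that silently becomes "remove everyone".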
If you see the need for these dynamic security groups, let us show you a demonstration of the full value of managing the groups and what they can do.
Tags: Active Directory, Group Management