Staff turnover in large organizations is frequent, and group ownership changes hands with it. A check for whether a leaving user owned any managed groups is easily missed, leaving a disabled account as owner. If a group owner is replaced with someone new in the company as part of a process, does that person know what the group is for? Does she know what it means to be a group owner in the organization? Is this information part of the on-boarding introduction?
Unless you have a clear view of Active Directory groups, their owners and their descriptions, it can be challenging to know what every single AD group is for. Assigning the correct group owner matters because this person should know what the group is for and be able to update or approve membership, whether it is a security group that grants access to content or a distribution email list. Regardless of whether membership is managed by IT, by HR or by the group owner, it is important to have a process that checks the ownership structure and confirms that the owners are aware of their ownerships and of what it means to be a group owner in your organization.
Quick Steps:
Let’s look in the Groups category, under the “Groups managed by” reports in the tool.
Select managed groups in order to view all groups and their owners.
When you get to the columns window, make sure the column “Managed By” is selected. Then create the report.
You now get all managed groups, with each owner listed by distinguished name in the “Managed By” column.
To check whether each owner is enabled or disabled, copy all the group owners from the “Managed By” column.
Either select and copy (right click) the entire “Managed By” column, or first export to file and copy it from Excel.
Copy from this report
Most likely you will have copied the same DN several times, since one user can own multiple groups. This is fine, as duplicate records are ignored in our next report.
Now we click Menu to go back and change our category to users or open a new session.
Go to the category “Users – System related”, at the very bottom. Here we select the report “Users where Distinguished Name” --> “is exactly” --> “Multiple criteria”.
Now select the top row in the multiple criteria data table and paste all your owners then click add filter to create report.
If you have thousands of rows it will take a few seconds.
Verify you have the “Enabled” and “Distinguished Name” column for this report.
Now you can easily sort out disabled users, either by clicking on the “Enabled” column or by typing “false” into the grid filter.
If you don’t get any disabled users, all managed groups have enabled owners.
If you do have some disabled users, copy the distinguished names of all those disabled users as we will use this for the final report to get all the groups they are owners of.
Now we go back into the Groups category and first get all groups in your chosen target: the entire domain or an OU.
Let’s run “Groups where common name” --> “is present”.
In grid view click on “LDAP FILTERS”-->“Add LDAP filter”
Make the following selections.
Now we have identified all groups managed by disabled owners in one report.
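The three report steps above can also be run as one script against the domain. The following is an added example, not part of the original post or of the reporting tool; it uses the ActiveDirectory PowerShell module (RSAT) and assumes the account running it can read group and user objects. `$SearchBase` and the output path are placeholders. Beyond the report, it also flags owners whose DN no longer resolves (a deleted account), which the disabled-user filter alone would not show, and carries the disabled owner’s manager along as the reassignment hint discussed later.

```powershell
# Added example (not from the original post): find managed groups whose owner is a
# disabled or missing user account, using the ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Groups,DC=example,DC=com'   # placeholder: your target OU or the domain root
$OutFile    = '.\groups-with-disabled-owners.csv'

# Step 1 equivalent: every group that has a "Managed By" value
$managedGroups = Get-ADGroup -Filter 'ManagedBy -like "*"' -SearchBase $SearchBase `
    -Properties ManagedBy, Description

# Step 2 equivalent: resolve each distinct owner DN once (duplicates collapse here,
# just as the report ignores repeated DNs) and record its state
$ownerState = @{}
foreach ($dn in ($managedGroups.ManagedBy | Sort-Object -Unique)) {
    try {
        $obj = Get-ADObject -Identity $dn
    } catch {
        # ManagedBy still points at an object that was deleted
        $ownerState[$dn] = [pscustomobject]@{ Reason = 'owner object not found'; Manager = $null }
        continue
    }
    if ($obj.ObjectClass -ne 'user') {
        # An owner that is a group or contact is not wrong, but deserves a review
        $ownerState[$dn] = [pscustomobject]@{ Reason = "owner is a $($obj.ObjectClass)"; Manager = $null }
        continue
    }
    $user = Get-ADUser -Identity $dn -Properties Enabled, Manager
    if ($user.Enabled) {
        $ownerState[$dn] = $null                      # healthy owner, nothing to report
    } else {
        $ownerState[$dn] = [pscustomobject]@{ Reason = 'owner disabled'; Manager = $user.Manager }
    }
}

# Step 3 equivalent: join the owner state back onto the groups
$findings = foreach ($g in $managedGroups) {
    $state = $ownerState[$g.ManagedBy]
    if ($null -ne $state) {
        [pscustomobject]@{
            Group        = $g.Name
            GroupDN      = $g.DistinguishedName
            Description  = $g.Description
            Owner        = $g.ManagedBy
            Reason       = $state.Reason
            OwnerManager = $state.Manager   # candidate for reassignment when the owner is disabled
        }
    }
}

$findings | Sort-Object Reason, Group | Export-Csv -Path $OutFile -NoTypeInformation
$findings | Format-Table Group, Reason, Owner, OwnerManager -AutoSize
```

Run it from a machine with RSAT under an account that can read the target OU; the CSV is the same list the final report produces, with the reason column added so that deleted and non-user owners are reviewed rather than silently dropped.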
If HR has control of, and awareness of, access levels, you can streamline, simplify and improve your Active Directory group management.
Schedule monthly/quarterly reports of all managed groups and their members to HR.
A good way to determine how to reassign the groups to the correct owner is to find out who the manager is of the previous disabled user.
Another way is to check with current members of the groups.
Add a check to your employee leaver process and take appropriate action before the group owner’s account is disabled.
Create a group and add all group owners to it. Once you have a group of all owners, you can run a scheduled report to yourself or to HR that checks whether the list contains any disabled users; if it does, you know right away that you have managed groups with disabled owners and can take action.
As part of the disable process, place all disabled users in a specific OU. Target this OU from AD Report Builder, copy all the DNs of the disabled users, and then complete the report by following Step 3.
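The last two recommendations above (a tracking group of all owners checked on a schedule, and a disabled-users OU joined back to group ownership) can be automated as follows. This is an added example, not code from the original post or from the tool; it assumes the ActiveDirectory module, that the tracking group already exists, and that `$OwnersGroup` and `$DisabledOU` are replaced with your own DNs.

```powershell
# Added example (not from the original post): keep an "all group owners" tracking group
# in sync, report its disabled members, and cross-check a disabled-users OU.
Import-Module ActiveDirectory

$OwnersGroup = 'CN=All Group Owners,OU=Groups,DC=example,DC=com'   # placeholder DN
$DisabledOU  = 'OU=Disabled Users,DC=example,DC=com'               # placeholder DN

# Current owner DNs that resolve to user objects (group, contact or deleted owners are skipped here)
$ownerDns = Get-ADGroup -Filter 'ManagedBy -like "*"' -Properties ManagedBy |
    Select-Object -ExpandProperty ManagedBy | Sort-Object -Unique
$ownerUsers = foreach ($dn in $ownerDns) {
    try { Get-ADUser -Identity $dn } catch { }
}
$ownerUserDns = @($ownerUsers | Select-Object -ExpandProperty DistinguishedName)

# Reconcile the tracking group: add new owners, remove people who no longer own any group,
# so the group stays an accurate list rather than growing stale
$current  = @(Get-ADGroupMember -Identity $OwnersGroup | Select-Object -ExpandProperty DistinguishedName)
$toAdd    = $ownerUserDns | Where-Object { $_ -notin $current }
$toRemove = $current      | Where-Object { $_ -notin $ownerUserDns }
if ($toAdd)    { Add-ADGroupMember    -Identity $OwnersGroup -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $OwnersGroup -Members $toRemove -Confirm:$false }

# Scheduled check: any disabled member of the tracking group means some managed group has a disabled owner
$disabledOwners = Get-ADGroupMember -Identity $OwnersGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, Manager |
    Where-Object { -not $_.Enabled }
$disabledOwners | Select-Object Name, DistinguishedName, Manager | Format-Table -AutoSize

# Alternative from the leaver process: accounts parked in the disabled-users OU,
# joined back to the groups they still own (the same join the final report does)
$parked   = @(Get-ADUser -Filter * -SearchBase $DisabledOU | Select-Object -ExpandProperty DistinguishedName)
$orphaned = Get-ADGroup -Filter 'ManagedBy -like "*"' -Properties ManagedBy |
    Where-Object { $_.ManagedBy -in $parked }
$orphaned | Select-Object Name, ManagedBy | Format-Table -AutoSize
```

Schedule the script (for example with a scheduled task that mails the two tables to HR or to yourself); the reconciliation step is what keeps the tracking group trustworthy, since an owner who was reassigned but never removed from it would otherwise keep appearing.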