RE: Disable\Hide a group in AD



A nightmare cleanup, a company that I worked for previously went through this
exercise - it was a large organisation, with lots of groups/Servers so we
automated the process as much as possible. ie. Mailing, removing users from
groups, adding them back if needed etc.

We initially tried to build a database of all of the ACLs from our Servers,
the thought being we could query this DB to find out where the groups were,
but the Database soon grew to a size that required a Cray server to even load
it. Unfortunately there was no real budget to speak of to buy said server so
we plumped for the following process.

There is no way to disable a group, but if you remove the members of the
group then if no one complains you can be pretty sure it is not doing anything.

Steps:
1. Mailed the members of the group to see if they were aware what the group did.
2. If no response, mailed members of the group to let them know that access to
   this group was being removed and who to contact if they had issues.
3. Dumped out the membership of all of the groups and saved it.
4. Created scripts to repopulate the members of the groups using the dumps as a
   source, if needed.
5. Cleared membership of the groups and ducked for cover.
6. If any issues, we just ran the script to repopulate the particular group and
   updated the group respectively so that we knew what it did for the future.
7. If no one complained after a time then the group was deleted.

Not a particularly technical solution, but it did the trick and we made a
pretty website where all the tools could be run from, the cleanup tracked
etc.

The benefit of this is that the User Admin teams could look after the
process and it did not require Server Admin to do auth restores etc.
The downside is that it looks a bit unprofessional going to users and saying
"We have got no idea what these groups do" and also there is potential you
may take out access for users to some of their resources temporarily. But
hey.... it needed to be done and that's the cost of security, right?... :-)

There may be a better way, but hope this helps.

Thanks

Jody

"Mercilon" wrote:

> Is it possible to hide\disable a group in AD? My company is in the process
> of an AD cleanup, and we have hundreds of groups that we need to remove.
> However, we want to be sure that these groups are not in use anywhere in the
> domain (over 250 servers).
>
> So I was hoping that I could create an OU that would somehow block the
> access these groups grant, and then if a user comes forward with any issue,
> move it back to a regular OU and have the access restored. So far nothing I
> have tried has accomplished this.
>
> Any thoughts, or am I just dreaming?
>
> Mercilon
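Jody's dump / clear / repopulate steps, as an added PowerShell example that is not part of either post: it assumes the ActiveDirectory (RSAT) module is installed, and the dump folder and the OU distinguished name are placeholders.

```powershell
# Added example, not Jody's original tooling. Requires the ActiveDirectory module
# and rights on the target groups. Dump folder and OU DN are placeholders.
Import-Module ActiveDirectory

$DumpDir = 'C:\ADCleanup\dumps'   # assumed location for the membership dumps
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

function Export-GroupMembership {
    # Step 3: record every direct member by SID (survives renames); nested
    # groups appear with objectClass 'group', so nesting is preserved too.
    param([Parameter(Mandatory)][string]$GroupName)
    $path = Join-Path $DumpDir "$GroupName.csv"
    $members = @(Get-ADGroupMember -Identity $GroupName |
        Select-Object name, objectClass, SID, distinguishedName)
    if ($members.Count -gt 0) {
        $members | Export-Csv -Path $path -NoTypeInformation
    } else {
        Set-Content -Path $path -Value ''   # keep an (empty) dump so Clear can run
    }
    return $members.Count
}

function Clear-GroupMembership {
    # Step 5: empty the group, but refuse unless a dump exists to restore from
    param([Parameter(Mandatory)][string]$GroupName)
    $path = Join-Path $DumpDir "$GroupName.csv"
    if (-not (Test-Path $path)) { throw "No dump for $GroupName; refusing to clear." }
    $members = @(Import-Csv $path)
    if ($members.Count -gt 0) {
        Remove-ADGroupMember -Identity $GroupName -Members $members.SID -Confirm:$false
    }
    # Leave a trail on the object so anyone looking at the group knows why it is empty
    Set-ADGroup -Identity $GroupName -Description "CLEANUP: emptied $(Get-Date -Format u)"
}

function Restore-GroupMembership {
    # Step 6: put the members back from the dump when someone complains
    param([Parameter(Mandatory)][string]$GroupName)
    $members = @(Import-Csv (Join-Path $DumpDir "$GroupName.csv"))
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $GroupName -Members $members.SID
    }
    Set-ADGroup -Identity $GroupName -Description "CLEANUP: restored, purpose to be documented"
}

# Dump every candidate group in the staging OU before anything is cleared (placeholder DN)
$candidates = Get-ADGroup -Filter * -SearchBase 'OU=CleanupCandidates,DC=example,DC=com'
foreach ($g in $candidates) { Export-GroupMembership -GroupName $g.SamAccountName }
```

Run Clear-GroupMembership per group only after the dump step has completed for all of them, so a complaint can always be answered with Restore-GroupMembership.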