Re: Housekeeping Obsolete Groups

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Another thing that might work is that if the groups are being used for
security, you could set them as distribution only temporarily. This would
have the effect of disabling them for security purposes.

Just a quick and dirty thought if the "disable" approach is really desired.

Joe K.

"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:O0vo4cDnFHA.1444@xxxxxxxxxxxxxxxxxxxxxxx
> Audit logging? I assume you've done some of that already and you are on
> to the next step.
> I usually like to insist that my groups be "owned" by a named person. On a
> regular basis, an update is sent to the group owner requiring the owner to
> validate that the group is still needed and to verify the members are
> accurate. If not, then the group is "archived" and marked for deletion.
> If needed, then it goes back into the hopper for the next six months. You
> could even delegate the membership to the group owners and then verify the
> group is still needed, but that's up to you.
>
> Marked for deletion. Why do this? Because users have a tendency to
> change their minds. Silly I know, but there you have it. So the group gets
> it's members removed (export the list first for later reinstitution if
> needed) and moved to a container that only ADMINS control. After 30 days
> of no-complaint, removal goes to the next step to completely remove the
> group at which time if there are any complaints then it gets routed to the
> new group queue.
>
> If you export the group membership, then users will no longer be able to
> access resources with that sid. If they don't use it, then it follows that
> they don't need it.
>
> My thoughts,
>
> Al
>
> "DaveChoiceTech" <dave@xxxxxxxxxxxxxxx> wrote in message
> news:1123518365.773902.250420@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>I am trying to clean up a number of obsolete groups. The problem is
>> that no one is really sure if these groups are necessary or not.
>> Ideally, I would like to disable such groups temporarily to see if
>> there are any repercussions. Unfortunately this function does not
>> appear to be available in Active Directory. Does anyone have any other
>> suggestions?
>>
>
>


.

Relevant Pages

  • Re: Global Security Group members disappear
    ... have two DCs and when the members disappear from one DC they disappear from ... Security Enabled Global Group Member Removed: ... Target Account Name: Students ... Caller User Name: SENIOR$ ...
    (microsoft.public.windows.server.active_directory)
  • Muths Truths
    ... Did you know that all Members of Congress automatically get TOP SECRET ... clearance when they are sworn into Congress -- with no background check? ... did you know that any Member who ascends to a security ...
    (misc.survivalism)
  • Re: Needed Advice - Olap client tool
    ... does your users are members of the secured role? ... removed myself and tested it in Excel and no change. ... I'll found a security group called "OLAP Administrators" ... we created a Sales report giving the total sales and ...
    (microsoft.public.sqlserver.olap)
  • Re: Help Needed with Dynamic Dimension Security
    ... business application for securing members. ... and the point in the hierarchy where the security ... > of using Dimension Security with a Virtual Cube. ...
    (microsoft.public.sqlserver.olap)
  • Re: [PATCH] perf_counter: Start counting time enabled when group leader gets enabled
    ... the non-leader member will reflect the whole time since it was created, ... since none of the members can go on the PMU if the leader ... when disabling a group leader we have to update the ... Please read the FAQ at http://www.tux.org/lkml/ ...
    (Linux-Kernel)