Do you have a good handle on which objects in your directory are no longer used? Do you know exactly who you need to contact when making changes to the content or structure of your forest?
As a consultant specializing in Active Directory (AD), I come across many AD implementations that have grown organically over time. Typically, these implementations contain a large number of unused objects, as well as objects that are obviously in use, but who or what is using them isn’t clear. It’s costly having objects in this state: Periodic cleanups of AD become labor intensive and expensive, AD restructures or migrations become more complex, and even simple change management becomes more difficult.
To gain control over your AD environment, you need to deal with three key elements of object lifecycle management. The first is determining the appropriate way to provision, re-provision, and de-provision objects. The second is setting up controls so that all new objects conform to the provisioning methodology. The third is the sometimes arduous and time-consuming work of cleaning up existing objects so they either conform to the methodology or can be deleted from AD.
In this article I provide advice and tips that will assist you with the first two aspects by introducing the concept of guardianship of AD objects. By associating real people (guardians) with AD objects, you can gain greater control over your AD environment. I also offer some examples to assist you with the clean-up task.
Clarifying Terminology
The “guardian” for an AD object is the human being directly responsible for, or most closely associated with, that object. A better term might be “contact,” but I’ll avoid that because it’s already used to represent a specific type of object in AD. Another term might be “owner,” but this too has meaning in AD security in the context of the creator/owner of an object.
It would be handy if there were an AD attribute named “guardian” that we could use for setting guardianship of different types of AD objects. Unfortunately, there isn’t, so we must either create a new attribute (which involves extending the schema) or use an existing attribute from the default AD schema. For simplicity, and because most organizations have a healthy aversion to extending the schema, I use existing attributes as described in the sections below.
Benefits of Guardianship
Identifying and removing unused objects in AD can be a thankless and time-consuming task. Some helpful tools can assist you with finding unused objects (the Windows command-line tool dsquery is one; AdFind and OldCmp from Joeware are others), but because object deletion is potentially damaging to systems and applications that leverage AD, you need to be 100 percent sure that you’re dealing with an unused object before you delete it. Typically you’ll need to check with the person currently responsible for that object.
In many cases this person isn’t easily identifiable from the object’s attributes. You might have only the object name to work with (e.g., a group named “OKP100 Staff”). This is fine if OKP100 means something to you, but otherwise it’s no help at all. The object’s description might contain some information (e.g., “See JP Carter before making changes”), but what if JP Carter no longer works for the organization?
As you can see, no magic built-in feature automatically links a human owner to an AD object. It’s something that you have to implement for yourself. This is where the guardianship concept can help you.
Guardianship can also assist you when working with active objects. For example, when processing a request to add a user to a group, your operational staff can refer to the guardian to approve or decline the request.
The suggestions I make for setting guardianship of objects described below all assume that you will use AD as the repository for guardianship information. The same concepts (but clearly different methodology) apply if you already have a tool in place for provisioning AD objects and that tool is capable of storing the required guardianship information.
Setting Guardianship for User Objects
Organizations use user objects for a range of different purposes. Aside from standard user accounts directly associated with a warm body, user objects can be created for shared accounts, resource accounts (for mailboxes such as meeting rooms), service accounts, and secondary accounts for administrative purposes.
For all types of user objects, I recommend associating a guardian by setting the value of the manager attribute. Let’s look at an example in which we have a resource account for a meeting-room mailbox named Meeting Room C. We want to set the guardian to be Mary Taylor.
From within the Active Directory Users and Computers MMC snap-in, find Meeting Room C, open up the properties and select the Organization tab. From here, click Change within the Manager section and use the object picker to find and add Mary Taylor’s user account, as Figure 1 shows.
The manager attribute is a linked attribute. The manager attribute is the forward link, while directReports is the corresponding back-link attribute.
Because the attributes are linked, when I set Mary Taylor as Meeting Room C’s manager, Mary Taylor’s user object shows Meeting Room C as a direct report, which Figure 2 shows. The main advantage of using a linked attribute is that the link object can be renamed or moved within AD, and the link remains intact. The link can only be broken if either the forward or back-link object is deleted. Another advantage of the linked attribute is that it lets you search AD for the relationship using either the guardian or the object(s) for which the guardian is responsible.
Below are examples of such searches using the AdFind tool from www.joeware.net. The first example shows a search for all user accounts for which Mary Taylor is the guardian:
C:\>adfind -list -b "CN=Mary Taylor,OU=Standard User Accounts,DC=ad,DC=fisheagle,DC=net" directReports
And the results of that second search look like this: CN=Mary Taylor,OU=Standard User Accounts,DC=ad,DC=fisheagle,DC=net.
Setting Guardianship for Group Objects
The manager and directReports linked-attribute pair isn’t available for use with groups. Instead, I recommend using a similar pair of linked attributes named managedBy and managedObjects.
Let’s look at an example in which we have a group named Consulting Team. We want to set the guardian to be Mary Taylor. To do this, locate the group within Active Directory Users and Computers, open the properties and select the Managed By tab. From here, click Change within the Name section and use the object picker to find and add Mary Taylor’s user account, which you can see in Figure 4.
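The user-object (manager/directReports) and group-object (managedBy/managedObjects) procedures above, scripted with the ActiveDirectory PowerShell module instead of the MMC snap-in, as an added example that is not part of the original article. Object names and the ad.fisheagle.net search base come from the article; the sAMAccountNames mtaylor and meetingroomc, and the ActiveDirectory module (RSAT) being installed, are assumptions.

```powershell
# Added example (not from the article). Assumes RSAT's ActiveDirectory module
# and the sAMAccountNames 'mtaylor' (Mary Taylor) and 'meetingroomc' (Meeting Room C).
Import-Module ActiveDirectory

$searchBase = 'DC=ad,DC=fisheagle,DC=net'
$guardian   = Get-ADUser -Identity 'mtaylor'
$guardianDn = $guardian.DistinguishedName

# User objects: the guardian goes in the forward-link attribute 'manager'.
Set-ADUser -Identity 'meetingroomc' -Manager $guardian

# Group objects: 'manager' is not available, so the guardian goes in 'managedBy'.
Set-ADGroup -Identity 'Consulting Team' -ManagedBy $guardian

# Search from the guardian's side using the back-links AD maintains for us.
$g = Get-ADUser -Identity $guardian -Properties directReports, managedObjects
$g.directReports  | ForEach-Object { "User guarded by {0}: {1}"  -f $g.Name, $_ }
$g.managedObjects | ForEach-Object { "Group guarded by {0}: {1}" -f $g.Name, $_ }

# Search from the object's side: everything whose forward link points at Mary.
Get-ADUser  -LDAPFilter "(manager=$guardianDn)"   -SearchBase $searchBase | Select-Object Name
Get-ADGroup -LDAPFilter "(managedBy=$guardianDn)" -SearchBase $searchBase | Select-Object Name

# Clean-up helper: objects that still have no guardian at all.
Get-ADUser  -LDAPFilter '(!(manager=*))'   -SearchBase $searchBase |
    ForEach-Object { "No guardian set on user: $($_.DistinguishedName)" }
Get-ADGroup -LDAPFilter '(!(managedBy=*))' -SearchBase $searchBase |
    ForEach-Object { "No guardian set on group: $($_.DistinguishedName)" }

# Clean-up helper: guardians who have left (disabled accounts) but still hold
# objects through their back-links, so the objects need a new guardian.
Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $searchBase `
           -Properties directReports, managedObjects |
    Where-Object { $_.directReports.Count -gt 0 -or $_.managedObjects.Count -gt 0 } |
    ForEach-Object {
        $held = @($_.directReports) + @($_.managedObjects)
        "Guardian {0} is disabled; reassign: {1}" -f $_.Name, ($held -join '; ')
    }
```

Because the links are stored by DN and kept in sync by AD, renaming or moving Mary Taylor or any guarded object does not invalidate either query.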