Defining a Security Group Retirement Policy
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When security groups become obsolete due to personnel changes, project completion, or corporate reorganizations, they need to be identified and retired (deleted) to minimize security risks. This task usually falls to the organization’s IT department. It is important to create a policy for the retirement of security groups.
In this policy, include procedures for:
Gathering information about security groups, especially information related to the expected lifetime of the group or the group’s renewal interval. For more information about sources for this information, see "Defining a Security Group Creation Policy" earlier in this chapter.
Identifying potentially obsolete security groups.
Deleting obsolete security groups from Active Directory.
Deleting a security group from Active Directory is non-reversible because access to resources is based on the group’s unique SID. If the wrong group is deleted, or if a group is deleted because it is thought to be obsolete when it is not, the IT department must create a new group in place of the deleted group and reintegrate it into the domain.
Identifying Obsolete Security Groups
Although account groups for very small teams might not change frequently, large account groups experience almost constant turnover in membership. If an account group’s membership has not changed at all for some time, the group might be obsolete. The Active Directory Users and Computers snap-in allows you to search for potentially obsolete groups by entering a Lightweight Directory Access Protocol (LDAP) query for a list of security groups whose definitions, including membership, have not changed since a specified date. A query in the format (&(objectCategory=group)(whenChanged<=YYYYMMDDHHMMSS.0Z)) returns groups that have not been modified past the specified date. For example, to query for groups that have not been modified since midnight on December 31, 2002 in Pacific Standard Time, the query is (&(objectCategory=group)(whenChanged<=20021231240000.0-8)). The last portion of the query (0-8) signifies the Pacific Standard time zone, which is eight hours less than Greenwich Mean Time.
For more information about building LDAP queries and about generalized time, see the Windows Platform SDK link on the Web Resources page at www.microsoft.com/windows/reskits/webresources.
After you have identified groups whose membership has not changed for a period of time, you can verify the status of each group by querying the group owner, the group members, or the appropriate departmental administrators. Be sure to keep a record of your investigation for future reference.
Resource groups typically become obsolete when the resource is no longer needed, perhaps because projects requiring the resource have ended or because the hardware resource is moved or retired. Because resource groups are often configured as local groups on the computer that controls the resource, identifying obsolete resource groups is often a task for the computer owner or the resource manager. Finding obsolete local groups configured as resource groups is more challenging than finding domain-based account groups. Computers controlling resources are typically not domain controllers, so Active Directory is not available, and LDAP queries for unmodified local groups are not possible.
One approach is not to track local resource groups because local groups do not populate Active Directory. If your reason for identifying obsolete groups is to reduce the number of Active Directory objects, monitoring domain-based account and resource groups might be all that you require.
Another approach is to document and create a database of shared network resources. Typically, this database would include information about corporate resources rather than file shares or similar resources shared from a user’s desktop, for instance. If the share type, location, owner, creation date, and any other relevant information are recorded, then periodic reviews can be conducted to verify that resources and their associated resource groups are needed or obsolete.
Deleting Obsolete Security Groups
When you have identified an obsolete group, you can disable it for a trial period before deleting it from your domain. You can disable a security group by changing it into a distribution group for a set period of time, such as two months. Changing a security group into a distribution group does not alter its SID, scope, or membership; however, it effectively disables all access provided by the group because SIDs of distribution groups are not included in a user’s access token. If you do not receive any notification that a user’s access permissions have changed after the established wait period has expired, you can safely delete the group.
You must have the appropriate permissions to delete a security group. By default, Account Operators, Domain Admins, and Enterprise Admins have the ability to delete security groups. This permission can be granted to other individuals or administrative groups by editing the ACLs of OUs and containers.
Group deletion is immediate and permanent. Limit the number of persons to whom you delegate the ability to delete groups.