A Deeper Dive into Active Directory Optimization – Part 1


AD Cleanup – A Place for Everything, and Everything in its Place

Occasionally, it pays to get some extra husband points, so last week I decided to spend some time downstairs with my kids cleaning up their playroom. My wife and I were both tired of picking our way along the different toys, DVD cases, pillows, and little kid chairs, and somehow it had gotten messy *again* – it was my turn to herd cats and “help” the kids get it cleaned up. There were toys on the floor, bins full of mismatched pieces from different games, stuffed animals, and Lego – always lots of Lego.

A couple of days later I was working with a client in a large University in the northern United States and it struck me how similar the job was. They were trying to make sense of their AD environment, and everywhere they looked it was a mess. They weren’t the ones who made it – or at least, not all of it – but they were trying to get some work done and it seemed like every time they turned around there was more stuff getting in the way. It suddenly felt like I was back in my basement, picking up toys. The messes were different – the Lego under the foot hurts more – but the causes were the same.

First, there weren’t many clearly marked places to put things away properly, and when there were, they weren’t used properly. OUs were haphazardly named, different from department to department and admin group to admin group. “If you wanted to create a new user, where would it go?” I asked. There was a pregnant pause. “Well”, the response went, “It really depends…”

Second, it wasn’t easy to figure out what things were for. My basement had pieces from one toy mixed in with pieces of another, and the rest of the toys were in other bins. My client had it the same way – AD users, disabled accounts, service accounts, distribution lists and security groups all mashed together in OUs without naming conventions – well, they did have naming conventions, they just had several different ones. Over time, it became difficult to figure out which name meant what.

Finally, everyone was really responsible. At home, my kids (and my wife and me, too, in all honesty) all contributed to the problem. We’d put toys away in whatever bins were handy, created new bins to hold things that were already held somewhere else, put stuff away in the wrong place out of ignorance, not always knowing which toy went with which – the works. Even when we were trying to make it better, we were making it worse because we were doing it piecemeal, and we all had different ideas what the right way to fix it was. Disaster. My clients – well, let’s just say they had the same problem but worse. More people, more sets of rules, more objects… ugly.

Near the end of the call, my client summed up his frustration: “I can’t find anything in here, and when I want to do something new, I don’t know where to put it. Every new project finds a new home, and it just keeps spreading on out…” I knew exactly how he felt. It was time to stop making things worse, and start making things better.

Learn about why you should bother cleaning up your Active Directory in Part 2 of this blog post.
