A Deeper Dive into Active Directory Optimization – Part 3

Getting it Clean

In my house when the playroom gets to the point where something needs to be done, my wife or I rally the family, we assign tasks, and after grumbling and complaining (not just the kids!) it gets done. Many companies are in the same place – they want to be successful with their new project roll-ups, they want to save costs in time and effort and licensing, and they want to get it cleaned up now before it gets worse. They’ve put it off long enough, but now they want to get things done. How then to do it?

Well, I think of the playroom as an AD deployment in miniature, and it gives me a pretty good model to get you most of the way there. Now, obviously cleaning up AD is a lot more work than my basement, that’s for sure. It’s bigger, more complex, and there are a lot more parties involved. My wife simply has to look downstairs, give me “The Look”, and suddenly my fly fishing trip turns into a basement cleanup. OK, it’s not just my wife – just as often it’s me getting fed up and getting things going too. In a larger company, that decision takes much longer and more people need to come to the same conclusion, but there’s an inevitability to that too – it needs to get done, and eventually it needs doing badly enough that it actually gets done.

A bigger scale, then, for AD cleanup, but the steps are similar:

a) Figure out what you’ve got

b) Have a plan, and make sure everyone agrees to the same plan

c) Break the plan into manageable stages with measurable goals

d) Prioritize – get the big stuff done first

e) Divide and conquer

f) Once it’s clean, maintain

Figuring out what you’ve got in AD is complex, no question about that. Identifying, and making use of, as much as possible of what already exists is crucial to a plan that will actually work – there are no free “do-overs” in AD; we’re always living in the house we’ve got, and we need to make it better. Users, groups, and computers are the usual starting blocks. Add in a dash of GPOs, a mix of domains and trusts, throw in some sites, and you’re starting to figure out all of the moving pieces. From there, an assessment has to be made to figure out what those objects are there for, and also who the owner of those objects is if possible – you need to know who to notify, and you want input from the stakeholders to help assess an object’s function and usefulness. Figure out what can stay, what can go, make lists, and keep your eye on the prize. There’s a lot of digging around here, but all of this up-front work will pay off down the line.
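As an added example of the "figure out what you’ve got" pass (this script is not from the original post and is not a StealthAUDIT feature), the following read-only PowerShell inventory counts the object types named above and writes candidate lists for the plan. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it has read access to the domain, and that 90 days is an acceptable staleness threshold; that threshold and the output file names are constructed values for illustration.

```powershell
# Added example, not part of the original post. Read-only: nothing is modified.
# Assumptions: RSAT ActiveDirectory + GroupPolicy modules, domain read access,
# and a constructed 90-day staleness threshold.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is a 64-bit FILETIME that replicates only every 9-14 days,
# so it is good enough for a "stale" assessment but not for exact last-use.
function Convert-FileTime {
    param([Nullable[Int64]]$Value)
    if ($Value) { [DateTime]::FromFileTime($Value) } else { $null }
}

# Never-logged-on objects (no timestamp) count as stale once they are older
# than the cutoff, so a freshly created account is not flagged.
function Test-Stale {
    param($Object)
    $Last = Convert-FileTime $Object.lastLogonTimestamp
    ($Object.whenCreated -lt $Cutoff) -and ((-not $Last) -or ($Last -lt $Cutoff))
}

$Users     = @(Get-ADUser     -Filter * -Properties lastLogonTimestamp, whenCreated, Manager)
$Computers = @(Get-ADComputer -Filter * -Properties lastLogonTimestamp, whenCreated, OperatingSystem)
$Groups    = @(Get-ADGroup    -Filter * -Properties Members, ManagedBy, whenCreated)
$GPOs      = @(Get-GPO -All)

# Headline counts: the "what have we got" numbers for the kickoff meeting.
[PSCustomObject]@{
    Users     = $Users.Count
    Computers = $Computers.Count
    Groups    = $Groups.Count
    GPOs      = $GPOs.Count
} | Format-List

# Candidate lists. Each row keeps the owner field (Manager / ManagedBy) so you
# know who to notify before anything is touched.
$StaleUsers = $Users | Where-Object { $_.Enabled -and (Test-Stale $_) } |
    Select-Object SamAccountName, Manager,
        @{ n = 'LastLogon'; e = { Convert-FileTime $_.lastLogonTimestamp } }

$StaleComputers = $Computers | Where-Object { Test-Stale $_ } |
    Select-Object Name, OperatingSystem,
        @{ n = 'LastLogon'; e = { Convert-FileTime $_.lastLogonTimestamp } }

# Caveat: Members does not include accounts whose primaryGroupID points at the
# group, so Domain Users and Domain Computers show as empty. Exclude built-in
# and well-known groups before acting on this list.
$EmptyGroups = $Groups | Where-Object { $_.Members.Count -eq 0 } |
    Select-Object Name, GroupScope, ManagedBy, whenCreated

# GPOs with no links anywhere are usually the first GPO cleanup candidates.
$UnlinkedGPOs = $GPOs | Where-Object {
    $Report = [xml](Get-GPOReport -Guid $_.Id -ReportType Xml)
    -not $Report.GPO.LinksTo
} | Select-Object DisplayName, ModificationTime

$StaleUsers     | Export-Csv .\stale-users.csv     -NoTypeInformation
$StaleComputers | Export-Csv .\stale-computers.csv -NoTypeInformation
$EmptyGroups    | Export-Csv .\empty-groups.csv    -NoTypeInformation
$UnlinkedGPOs   | Export-Csv .\unlinked-gpos.csv   -NoTypeInformation
```

The CSVs are the "lists" the paragraph talks about: circulate them to the owners named in the Manager and ManagedBy columns before the plan is written, since a service account that has never logged on interactively will show up as stale even though it is in daily use.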

Developing the plan is next, and it’s not simple. But the groundwork you laid down in the assessment is already going to pay dividends here – you’ve got backup for your decisions and you know what has to go. Getting everyone to agree to the plan is something else entirely – everyone needs to agree what goes where, or there’s no way to make progress and have success. Again, preparation will pay off – if you can show them what it looks like now, and what it will look like when it’s done, your chore will become easier. Once everyone is on board, it’s time to start changing things.

What does a good plan look like? It’s a series of steps with measurable achievements, phased to allow success along the way. Setting unreasonable goals (“Of course we can get everything done in one weekend!”) is a sure way to fail. Each step should tackle one problem at a time, and at the end of each step you should be better off than you were before. Steps should be made as granular as needed – in some cases, the mess is minor and a single step could be “clean up the groups”. Other times, cleaning up the groups is a major undertaking and the steps need to be further refined into “eliminate stale groups”, “eliminate circular nesting”, “reduce the empty group count”, “flatten our nesting structure so fewer groups are necessary”, and other key tasks. Tie each step to its benefits and be prepared to re-assess along the way.

Now you have a set of steps tied to manageable, achievable improvements in AD. The next phase is to do the most important stuff first. This is a step that always makes sense when you talk about it, but commonly gets left off the plan – the bigger the bang for your dollars/time, the earlier in the project it should come. Having logon problems because everyone’s security tokens are over-sized? Flattening group nesting comes early on. Do you have a software renewal coming up? Eliminate stale users to reduce your licensing costs. Put the big stuff first – there’s never any guarantee that you’ll get to do everything you want, so make sure you use the time you have to its best advantage.
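Two of the group tasks named above, “eliminate circular nesting” and finding the users whose nesting makes their tokens over-sized, can be measured before anyone touches a group. The script below is an added example, not code from the original post or from StealthAUDIT; it assumes the RSAT ActiveDirectory module and domain read access, and the 1,000-group warning level is a constructed value chosen only to illustrate the report.

```powershell
# Added example, not part of the original post. Read-only.
# Assumptions: RSAT ActiveDirectory module, domain read access; the
# 1,000-group warning level is constructed, not a documented limit.
Import-Module ActiveDirectory

# One query for all groups, building a map of group DN -> parent group DNs.
# Walking memberOf in memory avoids one directory round-trip per group.
$Parents = @{}
Get-ADGroup -Filter * -Properties memberOf | ForEach-Object {
    $Parents[$_.DistinguishedName] = @($_.memberOf)
}

# Breadth-first walk up each group's memberOf chain. A path that arrives back
# at its starting group is a circular nesting. Each cycle is reported once,
# from the group whose DN sorts lowest, so a 3-group loop is not listed 3 times.
function Find-GroupCycles {
    param([hashtable]$Map)
    $Cycles = @()
    foreach ($Start in $Map.Keys) {
        $Seen  = @{}
        $Queue = New-Object System.Collections.Queue
        $Queue.Enqueue(@{ Node = $Start; Path = @($Start) })
        while ($Queue.Count -gt 0) {
            $Item = $Queue.Dequeue()
            foreach ($Parent in $Map[$Item.Node]) {
                if ($Parent -eq $Start) {
                    $Lowest = ($Item.Path | Sort-Object | Select-Object -First 1)
                    if ($Start -eq $Lowest) {
                        $Cycles += (($Item.Path + $Parent) -join ' -> ')
                    }
                } elseif (-not $Seen[$Parent] -and $Map.ContainsKey($Parent)) {
                    # Groups from other domains are not in $Map and are skipped.
                    $Seen[$Parent] = $true
                    $Queue.Enqueue(@{ Node = $Parent; Path = ($Item.Path + $Parent) })
                }
            }
        }
    }
    $Cycles
}

# Effective (transitive) group count per user, which is what drives token size.
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk
# the nesting, so this is one query per user rather than a client-side recursion.
function Get-EffectiveGroupCount {
    param([string]$UserDistinguishedName)
    # Escape the DN for use inside an LDAP filter (RFC 4515 rules).
    $Escaped = $UserDistinguishedName -replace '\\', '\5c' -replace '\(', '\28' `
                                      -replace '\)', '\29' -replace '\*', '\2a'
    @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$Escaped)").Count
}

Write-Host "Circular nesting found:"
Find-GroupCycles -Map $Parents

# One query per enabled user; on a large domain restrict -Filter to the OUs
# or departments with reported logon problems first.
$WarnLevel = 1000
$TokenReport = Get-ADUser -Filter 'Enabled -eq $true' | ForEach-Object {
    [PSCustomObject]@{
        User   = $_.SamAccountName
        Groups = Get-EffectiveGroupCount -UserDistinguishedName $_.DistinguishedName
    }
} | Sort-Object Groups -Descending

Write-Host "Users with the largest effective group membership:"
$TokenReport | Select-Object -First 25 | Format-Table -AutoSize
$TokenReport | Where-Object { $_.Groups -gt $WarnLevel } |
    Export-Csv .\oversized-token-candidates.csv -NoTypeInformation
```

The cycle list is the “eliminate circular nesting” work item, and the sorted token report tells you which users will feel a flattening effort first, which is exactly the “big stuff first” prioritization the paragraph describes. The transitive count does not include the user’s primary group or SID history, so treat it as a lower bound on what actually ends up in the token.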

Once the fixing has started, don’t try to do it all yourself. Everyone contributed to the mess, everyone gets a hand in making it better. Sure, you’ll get some grumbling, but the more folks who have to help clean the less likely they are to mess it up next time. Make sure the goals are clear and the rules are simple to follow, and keep your eyes on progress – just like when you’ve got a 12 year-old who’d rather be playing Minecraft than picking up his sister’s toys.

Finally, once it’s clean, do your best to keep it in that state. Put good procedures in place, do spot checks, publish the rules so no-one can claim ignorance, and remember that when folks do break the rules it’s often for good, business reasons. Patience and consistency go hand-in-hand here to help develop good habits.

We’ve all got some work to do to make our AD environments – and our playrooms – better places to work and play. It’s time to roll up our sleeves and get it done. Speaking of which, I’m pretty sure my wife has discovered my son’s newest Lego creation – and the mess he left behind. Time to remind him about the rules.
