Remove From My Forums

inactive groups in Active Directory

Question

0

Sign in to vote

/Need a way to find the list of inactive user groups(Security) in AD, for a cleanup. How can I find it

Wednesday, March 25, 2015 5:59 AM

Reply

|

Quote

Answers

0

Sign in to vote
> /Need a way to find the list of inactive user groups(Security) in AD,

> for a cleanup. How can I find it

You cannot. Groups are not "active" in the way a user or computer is

active. You don't know which user needs which group memberships because

you don't know in which ACL a given group was/is used.

So you need to scan all your file servers, print servers, SQL and

Sharepoint servers, Exchange and Web servers and collect an inventory of

all groups used in any ACL found. After that you can justify if a group

is required or not :)

Greetings/Grüße, Martin

Mal ein gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Proposed as answer by Meinolf Weber Monday, April 13, 2015 10:36 AM
- Marked as answer by Frank Shen5Moderator Wednesday, April 15, 2015 9:41 AM
Wednesday, March 25, 2015 8:26 AM

Reply

|

Quote

All replies

0

Sign in to vote
> /Need a way to find the list of inactive user groups(Security) in AD,

> for a cleanup. How can I find it

You cannot. Groups are not "active" in the way a user or computer is

active. You don't know which user needs which group memberships because

you don't know in which ACL a given group was/is used.

So you need to scan all your file servers, print servers, SQL and

Sharepoint servers, Exchange and Web servers and collect an inventory of

all groups used in any ACL found. After that you can justify if a group

is required or not :)

Greetings/Grüße, Martin

Mal ein gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Proposed as answer by Meinolf Weber Monday, April 13, 2015 10:36 AM
- Marked as answer by Frank Shen5Moderator Wednesday, April 15, 2015 9:41 AM
Wednesday, March 25, 2015 8:26 AM

Reply

|

Quote

0

Sign in to vote

Which is the attribute that decide the group is active or not? How AD can understand a particular group is not being used?

Friday, March 27, 2015 6:57 AM

Reply

|

Quote

0

Sign in to vote

> How AD can understand a particular group is not being used?

As I already wrote: It cannot :)

Greetings/Grüße, Martin

Mal ein gutes Buch über GPOs lesen?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:

Friday, March 27, 2015 8:22 AM

Reply

|

Quote