Serving the Exchange & Active Directory market since 1997, Imanami's 500+ customers give a great view of who is using AD for what.  That's what we blog about.

The best way to expire an Active Directory group


In the world of Active Directory, groups are binary: they exist or they don't.  Other AD objects can be tombstoned, but with groups, they become useless once tombstoned since all of the ACLs and memberships are lost.  And AD doesn't give you the ability to expire and renew them while keeping all of this vital information.

So, what do you do?  Delete them and hope that nobody complains.  If a user complains, you painstakingly recreate the group from scratch.  Ouch.

Thankfully, Microsoft's various holes in their infrastructure give an opportunity for enterprising software vendors to fix issues like this.  Here's what we think should happen:

[Image: expire active directory group]

I'll try to convey this in one amazing run-on sentence.  As an administrator, you set a policy on how long a group should live; x days before it is set to expire, the group owner (or owners) receive a notification with a link to renew the group; if they don't want the group, they let it expire; if they do want it, they renew it; if the group expires, they can still renew it (possibly because they found they lost some access or emails were bouncing) through that same link; but after another preset number of days, the group will be deleted; but, here's the catch, the idea isn't to actually delete it but to disable it in a way that only the admin can bring it back.  And in any of these situations, the cycle will repeat itself.
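The lifecycle above, sketched as a daily script (an added example, not Imanami's GroupID or Microsoft code); it assumes the RSAT ActiveDirectory module, an Exchange-extended schema (extensionAttribute10 for the expiry date, msExchHideFromAddressLists to drop a disabled group from the GAL) and an admin-only snapshot folder, and the mail server and renewal URL are placeholders. The "delete" step keeps the group object and its SID, so resource ACLs and the saved membership survive for an admin-only restore.

```powershell
# Added example, not Imanami's or Microsoft's code. Assumptions: RSAT ActiveDirectory module,
# Exchange schema extensions (extensionAttribute10, msExchHideFromAddressLists), and an
# NTFS folder that only administrators can read/write for membership snapshots.
Import-Module ActiveDirectory

$LifetimeDays = 180                               # policy: how long one renewal keeps a group alive
$WarnDays     = 14                                # notify owners this many days before expiry
$GraceDays    = 30                                # expired groups stay renewable this long, then get disabled
$SnapshotDir  = 'C:\GroupLifecycle\snapshots'     # admin-only folder (assumption)
$ExpiryAttr   = 'extensionAttribute10'            # expiry date stored as yyyy-MM-dd (assumption)

function Get-ExpiryDate($Group) {
    if ($Group.$ExpiryAttr) { [datetime]::ParseExact($Group.$ExpiryAttr, 'yyyy-MM-dd', $null) }
}

# Owner (or admin) renewal: push expiry out by the policy lifetime, which restarts the cycle.
function Renew-LifecycleGroup($Identity) {
    $new = (Get-Date).AddDays($LifetimeDays).ToString('yyyy-MM-dd')
    Set-ADGroup -Identity $Identity -Replace @{ $ExpiryAttr = $new }
}

# "Delete" without deleting: snapshot the members to an admin-only file, empty the group and
# hide it from the GAL. The object and its SID remain, so ACLs that reference it stay intact.
function Disable-LifecycleGroup($Group) {
    $members = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty distinguishedName)
    ConvertTo-Json -InputObject $members -Compress |
        Set-Content -Path (Join-Path $SnapshotDir "$($Group.ObjectGUID).json")
    if ($members.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $members -Confirm:$false }
    Set-ADGroup -Identity $Group -Replace @{ msExchHideFromAddressLists = $true } -Clear $ExpiryAttr
}

# Admin-only restore: re-add the saved members, unhide the group and give it a fresh lifetime.
function Restore-LifecycleGroup($Identity) {
    $g = Get-ADGroup -Identity $Identity
    $members = @(ConvertFrom-Json -InputObject (Get-Content -Raw (Join-Path $SnapshotDir "$($g.ObjectGUID).json")))
    if ($members.Count -gt 0) { Add-ADGroupMember -Identity $g -Members $members }
    Set-ADGroup -Identity $g -Clear msExchHideFromAddressLists
    Renew-LifecycleGroup $g
}

# Daily pass over every group that carries an expiry date.
$today = (Get-Date).Date
foreach ($g in Get-ADGroup -Filter "$ExpiryAttr -like '*'" -Properties $ExpiryAttr, managedBy) {
    $expiry = Get-ExpiryDate $g
    if (-not $expiry) { continue }                                                   # unparseable: leave alone
    if ($expiry -gt $today.AddDays($WarnDays)) { continue }                          # healthy, nothing to do
    if ($today -gt $expiry.AddDays($GraceDays)) { Disable-LifecycleGroup $g; continue }   # grace period used up
    $owner = if ($g.managedBy) { (Get-ADUser -Identity $g.managedBy -Properties mail).mail }
    $state = if ($today -le $expiry) { 'expires on' } else { 'expired on' }
    if ($owner) {      # same renewal link before and after expiry, as the post describes
        Send-MailMessage -To $owner -From 'groups@example.test' -SmtpServer 'smtp.example.test' `
            -Subject "Group $($g.Name) $state $($expiry.ToString('yyyy-MM-dd'))" `
            -Body "Renew it here: https://renew.example.test/?group=$($g.ObjectGUID)"    # placeholder URL
    }
}
```

A group with no expiry attribute is never touched, so an admin opts groups into the lifecycle by calling Renew-LifecycleGroup on them once.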

Now why not just keep all your groups active and alive instead of bugging your group owners?  Three reasons:

  1. Security (these groups give access to resources or information)
  2. Token bloat (too many groups can lead to login failures or worse)
  3. Confusion in the global address list (hmm, which group for sales should I send this email to?)

This seems so absolutely straightforward that I'm surprised you haven't called us for a demo of GroupID already.  We can show you how to solve your issue with a bloated Active Directory and expire and renew your way to improved security.

GroupID Self Service demonstration
