When you make the change in Active Directory Users and Computers, AD sets the value of managedBy on the group object to be the distinguished name (DN) of Mary Taylor’s account. Note that when setting the Managed By value, you have the option to select Manager can update membership list, as Figure 4 shows. If you want only to assign guardianship for informational purposes, then you probably don’t want to select the option, but it otherwise provides a shortcut method of assigning delegated management of the group membership to the guardian.
Be aware that the managedObjects back link isn’t visible in Active Directory Users and Computers in the way that directReports is. To view the back link, you need to use LDAP queries or tools such as ADSIEdit or the new Attribute Editor in Windows Server 2008.
As with the manager and directReports user attributes, you can search for the relationship between the group and its guardian by querying AD using the guardian, as this AdFind example shows:
C:\>adfind -list -b "CN=Mary Taylor,OU=
Standard User Accounts,DC=ad,DC=
fisheagle,DC=net" managedObjects
Figure 5 below shows the results:
Figure 5: Results from search querying AD using the guardian
CN=Management Team,OU=Groups,DC=ad,DC=fisheagle,DC=net
CN=Project Management Team,OU=Groups,DC=ad,DC=fisheagle,DC=net
CN=Consulting Team,OU=Groups,DC=ad,DC=fisheagle,DC=net |
Or you can query AD by using the object for which the guardian is responsible, as the AdFind example below shows:
C:\>adfind -list -b "CN=Consulting Team,
OU=Groups,DC=ad,DC=fisheagle,DC=
net" managedBy
Here are the results of that search: CN=Mary Taylor,OU=Standard User Accounts,DC=ad,DC=fisheagle,DC=net.
Setting Guardianship for Other Object Types
You can extend the concept of ownership to include any other type of AD object. For example, computer and organizational unit (OU) objects spring to mind as likely candidates. Both of these support the use of the managedBy and managedObjects linked attributes, so you can use the same method shown for groups above to define the guardian relationship.
Guardianship and Object Lifecycle Management
The guardianship concept works best if it’s incorporated into your organization’s provisioning and de-provisioning procedures. It’s important to set the guardian whenever you provision an AD object that you want to keep track of.
Similarly, when you de-provision a standard user account, you should ensure that any guardianship relationships associated with that user are either removed or transferred to another user account. For example, if Mary Taylor from our scenario above leaves the company, I would need to consider what to do with the objects for which she is guardian. In the case of groups and meeting rooms, I would probably transfer the guardianship to another account. If Mary has a secondary account for administrative purposes for which she is guardian I would probably de-provision that at the same time.
Also bear in mind that that people often change roles within an organization. When this happens, your re-provisioning procedures should reflect the fact that someone may no longer be the appropriate guardian for AD objects.
Cleaning Up Your Existing AD Infrastructure
With a working guardianship in place for newly provisioned objects, you need to address the task of identifying existing objects that have no guardian, then configure the appropriate guardian relationships. Before you do that, however, you should remove any objects from AD that are no longer required.
Within AD, objects can be created for a specific reason and simply forgotten. For example, accounts and groups might be created to support a new document-management system. If the organization decommissions the document-management system a few years down the line, the associated accounts and groups might not be removed in parallel. These stale objects could linger in AD indefinitely, or until someone questions their existence.
Below are some examples of using command-line tools to find unused objects. These are by no means comprehensive, but should provide you with a starting point. I use AdFind in all three examples for consistency, but I could also have used OldCMP or the built-in dsquery tool for the inactive user and computer object searches.
Finding Inactive User Objects
The example below, written as one line, uses AdFind to search for user accounts that have either never logged on to the domain or haven’t logged on to the domain since the beginning of 2008. The output is in CSV format.
adfind -csv -default -tdca -utc –binenc
-bit -f "(&(samaccounttype=805306368)
(|(lastLogonTimestamp
2008/01/01}})(!(lastLogonTimestamp=*)))
(!(userAccountControl:AND:=2)))" last
logontimestamp pwdlastset account
expires whencreated
The search excludes disabled users because most organizations tend to leave de-provisioned user objects in a disabled state for a period of time prior to deleting them. The search uses the lastLogonTimestamp attribute, a replicated attribute that gets updated periodically (and which is consequently not as accurate as the non-replicated lastLogon attribute), and lets you detect stale objects by querying a single domain controller (DC) rather than attempting to consolidate the lastLogon results from all DCs in the domain. The lastLogonTimestamp attribute is available with Windows Server 2003 and later.
Finding Inactive Computer Objects
Similar to the search for inactive user objects, the example below, written as one line, uses AdFind to search for computer objects that have either never logged on to the domain or have not logged on to the domain since the beginning of 2008:
adfind -csv -default -tdca -utc –binenc
-f "(&(objectcategory=computer)(|(last
LogonTimestamp
(lastLogonTimestamp=*))))" name operat
ingSystem operatingSystemServicePack la
stlogontimestamp pwdlastset whencreated
Finding Groups with Empty Membership
It’s very difficult to determine whether a group is still in use within AD. At least with user and computer objects you can query for when the user or computer last set the password (using the pwdLastSet attribute) or when the user or computer account last logged on (using the lastLogonTimestamp attribute). But groups don’t have passwords and don’t log on to AD, so there are no useful attributes to help you determine whether a group is still in use.
A group with empty membership might be a good indication that it isn’t in use, but realistically the only reliable method is to set a guardian. (You could then set up a process periodically requesting confirmation of the guardians that a group is still in use. If a confirmation isn’t received within XX days, the de-provisioning process of a group could be initiated.)
In the example below I use AdFind to search for any groups that have no members, which is one indicator that the group might not be in use. Note that I exclude critical system objects (e.g., Enterprise Admins, built-in groups) as these can be legitimately empty and should never be removed:
adfind -csv -default -f "(&(object category=group)
(!member=*)(!isCritical SystemObject=TRUE))"
samaccount name description managedby
It’s important that you question the validity of the results of your searches. An LDAP search against AD for the information (such as those in the examples shown above) is just one aspect of the overall task. You should qualitatively assess each result.
For example, it might be entirely valid for a user object corresponding to a resource mailbox (e.g., a meeting room) not to have logged on to the domain for 12 months or more. Another example is a group that has no members but is required to be present for a specific application to function.
Minimal Effort, Maximum Reward
Whatever terminology you use—manager, owner, contact, or guardian—the concept of linking AD objects to real people isn’t new. In fact, Microsoft makes some provision in AD for defining the relationship through the managedBy and managedObjects linked-attribute pair for use with certain object types.
I strongly recommend that you consider implementing the concept of guardianship in your environment. The effort involved in setting up the required procedures is low and far outweighs the cost of dealing with an uncontrolled environment. The sooner you do this the less effort you will need to spend on clean-up tasks at a later date.