When you move out of a house, do you just toss everything into boxes, then throw the boxes into a truck?
That’s a pretty tempting approach to moving, especially if you don’t really want to move in the first place. But look what a mess awaits you at the new house. You can’t put your hands on anything useful when everything’s in a jumble. Worse yet, you also realize that you’ve missed a good chance to get rid of the useless things.
“Every house in the world has too many coffee makers,” a mover friend told me. “You never know you have so many until you get ready to move out.”
Trimming obsolete Active Directory groups and users (and coffee makers)
That’s why it makes more sense to go through your closets and cupboards, see what you don’t need and what doesn’t fit you anymore, and trim it out. You’ll still have a lot of work to do in the new house, but at least you’ll know that you’ve trimmed down to only the things you need.
Now think about the last data migration you managed. When it was over, did you find that your new environment had all the same old coffee makers and Active Directory groups and users as before? Wouldn’t that migration project have been a good time to trim out obsolete objects like non-existent users, redundant groups and accounts with unnecessary access?
But as my friend pointed out, you never know where those objects are until you get ready to move out.
Pre- and post-migration analysis with Enterprise Reporter
Enterprise Reporter offers insight into your Microsoft environment in the form of reports you can use for migration analysis before and after your move. I mentioned migration analysis in a previous post.
Enterprise Reporter maintains a repository with ready answers to the most important questions about your pre-migration environment, both on premises and in the cloud:
- How many domains, users and groups do we have?
- Do I have any duplicate users, computers and groups?
- What about dependencies or matching conflicts?
- Which accounts, files and groups can we exclude from the migration project?
- How can we make migration neater?
Consider this migration scenario: Before the move, you receive a request to identify all users, groups and group memberships for a particular domain, and to provide an inventory report in spreadsheet format for tracking purposes. Then, after all users have migrated to a new domain, you’ll run the same report and compare the output. Enterprise Reporter provides all that insight for all the steps along the migration path:
- Inventory Windows environments
- Analyze how assets are being used
- Identify unused assets for cleanup
- Determine the impact of consolidating and restructuring AD groups
- Find the best way to stage the migration project
- Verify migration is completed as planned
- Ensure a smooth tenant or domain migration
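One way to carry out the before-and-after comparison from the scenario above, shown as an added example (not Enterprise Reporter functionality and not code from the original post): it diffs two group-membership inventories exported as CSV. The `Group`/`Member` column names, the sample rows and the exclusion list are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; the Group/Member column names are assumptions.
PRE_CSV = """Group,Member
Domain Admins,alice
Domain Admins,svc_backup
Finance-RW,bob
Finance-RW,carol
Legacy-Fax,dave
"""
POST_CSV = """Group,Member
Domain Admins,alice
Domain Admins,svc_backup
Domain Admins,bob
Finance-RW,bob
Legacy-Fax,dave
"""
# Memberships the cleanup plan marked as "do not migrate" (constructed).
EXCLUDED = {("domain admins", "svc_backup"), ("legacy-fax", "dave")}

def load_memberships(csv_text):
    """Return a set of (group, member) pairs, lower-cased so that case
    differences between the two exports do not show up as changes."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(r["Group"].strip().lower(), r["Member"].strip().lower()) for r in rows}

def compare_inventories(pre, post, excluded):
    """Classify differences between the pre- and post-migration inventories."""
    return {
        # Planned to move but absent afterwards: users who lost access.
        "missing": sorted(pre - post - excluded),
        # Present afterwards but never in the source: access nobody reviewed.
        "unexpected": sorted(post - pre),
        # Marked for cleanup yet migrated anyway: the "coffee makers".
        "not_trimmed": sorted(post & excluded),
    }

def report():
    pre, post = load_memberships(PRE_CSV), load_memberships(POST_CSV)
    return compare_inventories(pre, post, EXCLUDED)

if __name__ == "__main__":
    for kind, pairs in report().items():
        for group, member in pairs:
            print(f"{kind:12} {group} <- {member}")
```

The `unexpected` bucket deserves the first look after a migration, since it lists access that exists in the new environment without ever having been in the reviewed source inventory.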
“Can’t I use the Active Directory Users and Computers (ADUC) plug-in for those?” you ask. Yes, you can use native tools for some of those steps. But it’s like watching a tennis match through a keyhole.
For example, you can manually go into ADUC and view the members of the Domain Admins group, whereas Enterprise Reporter allows you to view that group and dozens of others at a glance. It also lets you automate the periodic collection of that membership and email it to a department head or auditor.
Take action, immediately
In a previous post, I described how Enterprise Reporter Suite lets you take action and remediate permissions. Suppose that, during your pre-migration assessment, a report in Enterprise Reporter identifies a domain group that should no longer have access to a particular folder; for example, the “Everyone” group (“1”) in this screenshot:
Within the report, you can click the folder path (“2”) and the Security Explorer UI opens, allowing you to remove the group permission and reduce your risk of unintended access to the folder.
Plus, as Security Explorer opens, its backup feature prompts you (shown below) to keep a copy of the existing permission before you remove it, just in case you change your mind later:
That way, you can easily restore the permission if need be.
After migration, a neater (and more secure) environment
Mind you, there’s a big difference between moving out of your house and performing an IT migration. Four coffee makers in a house may be silly, but one user with too much access can be dangerous.
Think about longtime users who have worked in several organizational units and acquired lots of AD group memberships in places where they no longer need them. Unnecessary access is a security risk.
Enterprise Reporter can help you find Active Directory users and groups with access they shouldn’t have anymore. Trimming down permissions and consolidating groups is good practice, and Enterprise Reporter is a valuable part of your IT tool set, not only for administration but also for security.
Next step: Download the 30-day trial version
Try Enterprise Reporter for 30 days and see how much pre-migration insight it has for you. Analyze what needs to move, what you can consolidate and what you don’t need anymore. Then, run a post-migration analysis to make sure that only the users, groups and other AD objects you need are in the new environment.
And get rid of a few of those coffee makers you don’t use anymore. Why wait until you move out?
Photo credit: Lotzman Katzman CC 2.0