“It’s Active Directory cleanup time,” says your boss.
“What for?” you ask. “It’s running fine.”
“It’s part of our move to the cloud. We’re modernizing our Active Directory for Azure and Office 365 before we synchronize to Azure AD.”
You can think of at least five other duties you’d rather perform than hunting down and cleaning up Active Directory problems. Your boss knows what you’re thinking.
“Find the fun in it,” says your boss. “Pretend all of the duplicate AD objects and inactive accounts are tribbles, and you’re the crew of the Enterprise.”
The Trouble With . . . Active Directory Cleanup
Like it or not, your boss is right.
Obsolete gunk in your on-premises AD can wreak havoc with your on-premises authentication. That problem will just compound itself once you synchronize your Active Directory to the cloud and start relying on Azure AD for authentication in cloud-based apps like Office 365 and SharePoint Online.
Dr. McCoy: From my observations, it seems [tribbles reproduce] at will. And, brother, have they got a lot of will.
An insider threat or an unintentional change to a domain controller replicates across your on-premises AD. With the proper controls in place, you can stop the threat and roll back to a point before the change was made. But once you are synchronizing, whatever is in your on-premises directory, tribbles included, is copied to the cloud as well. Microsoft invests plenty in keeping Azure and Office 365 secure for you, but a hybrid identity is only as trustworthy as the on-premises AD it is synchronized from.
Take Alex. He started in your company’s warehouse eight years ago, where he had a certain set of permissions and shares. Then he went to Facilities, where he belonged to a different group. Then he moved to a different division, in a different organizational unit (OU). Then he came back, and now he works in Sales. Permissions and shares are all over him like tribbles on the Enterprise, but he really needs only the ones for his current position.
Worse yet, if you don’t take care of Active Directory cleanup before synchronizing, then you’ll have Alex’s tribbles in two places: on premises and in the cloud.
Costly Mistakes in Active Directory
Dr. McCoy: I like [tribbles]... better than I like you.
Spock: They do indeed have one redeeming characteristic.
Dr. McCoy: What's that?
Spock: They do not talk too much. If you'll excuse me, sir.
That’s true: tribbles do not talk too much. Neither do the obsolete objects in your AD, and that’s a problem, because unlike tribbles, they’re not always easy to find. With on-premises AD alone, the tribbles cost you time and risk rather than a line item on an invoice, but in the cloud, they can cost you plenty.
Suppose your fellow employee Ana leaves the company, so you remove her network access. If you have strong processes for provisioning and de-provisioning users in on-premises AD, your changes will be synchronized to Azure AD. But if it takes you six months to disable Ana’s user account in your on-premises AD, then you’ll pay six months of per-user fees for Azure AD and Office 365 subscriptions that nobody is using. Note that disabling the on-premises account only marks the synchronized account as disabled in Azure AD; the assigned Office 365 licenses stay assigned until you remove them (or the account drops out of a licensing group), so de-provisioning has to cover licensing too, not just logon.
How Do You Clean Up Active Directory?
Let’s get back to your boss’ request to clean up your on-premises AD before you start synchronizing it with Azure AD. What does that involve?
Dr. McCoy: Jim! I think I've got it. We quit feeding them, they stop breeding!
Capt. Kirk (covered in tribbles): Now he tells me.
Yes, something like that. To quit feeding the problems that can make synchronization to Azure AD dangerous, first clean up (or modernize) on-premises AD in four areas:
- Normalized structure – Streamline it for fewer domains and forests.
- Consolidated and cleaned-up OUs – Avoid having user objects spread across different hierarchies within AD.
- Good security delegation and good management – Grant access only to the people who need it.
- Solid provisioning and de-provisioning – Remove permissions as soon as users no longer need them.
Get your AD house in order before you start synchronizing it to Azure. If you don’t, you’ll soon see the complexities of integrating into Azure AD grow and the benefits of Office 365 shrink.
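The following PowerShell script is an added example, not code from the original post or from the paper it cites. It turns the four areas above, plus the Ana and Alex stories, into a repeatable inventory: stale enabled accounts, over-entitled users, user objects outside the sanctioned OU hierarchy, and empty groups, written to a CSV for review, with an opt-in step that disables (never deletes) the stale accounts so the change synchronizes as a disabled account and can be rolled back. The domain `corp.example`, the OU path `OU=Users,DC=corp,DC=example`, the 90-day inactivity cutoff and the 15-group ceiling are all hypothetical assumptions; adjust them to your forest.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the original post). Inventories the "tribbles" described
  above and optionally disables stale user accounts.
  Assumptions (hypothetical, adjust for your environment): sanctioned user accounts
  live under OU=Users,DC=corp,DC=example; 90 days without a logon is "stale";
  more than 15 direct group memberships is "too many".
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SanctionedUserOU = 'OU=Users,DC=corp,DC=example',
    [int]$InactiveDays        = 90,
    [int]$MaxGroups           = 15,
    [string]$ReportPath       = "$PWD\ad-cleanup-$(Get-Date -Format yyyyMMdd).csv",
    [switch]$DisableStale     # without this switch the script only reports
)

Import-Module ActiveDirectory

function New-Finding([string]$Finding, [string]$Object, [string]$Detail = '') {
    [pscustomobject]@{ Finding = $Finding; Object = $Object; Detail = $Detail }
}

# 1. Ana: enabled accounts nobody has logged on with for $InactiveDays days.
#    Search-ADAccount uses lastLogonTimestamp, which replicates (unlike lastLogon)
#    but can lag by up to 14 days, so treat the cutoff as approximate.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { New-Finding 'StaleEnabledUser' $_.DistinguishedName "LastLogonDate=$($_.LastLogonDate)" }

# 2. Alex: users carrying more direct group memberships than one role should need
#    (memberOf does not include the primary group or nested memberships).
$overEntitled = Get-ADUser -Filter 'Enabled -eq $true' -Properties memberOf |
    Where-Object { $_.memberOf.Count -gt $MaxGroups } |
    ForEach-Object { New-Finding 'ExcessGroupMembership' $_.DistinguishedName "Groups=$($_.memberOf.Count)" }

# 3. Consolidated OUs: user objects living outside the sanctioned hierarchy.
$strayUsers = Get-ADUser -Filter * |
    Where-Object { $_.DistinguishedName -notlike "*,$SanctionedUserOU" } |
    ForEach-Object { New-Finding 'UserOutsideSanctionedOU' $_.DistinguishedName }

# 4. Groups with no members, a typical leftover of moves like Alex's.
#    Built-in groups (isCriticalSystemObject) are excluded on purpose.
$emptyGroups = Get-ADGroup -LDAPFilter '(&(objectClass=group)(!(member=*))(!(isCriticalSystemObject=TRUE)))' |
    ForEach-Object { New-Finding 'EmptyGroup' $_.DistinguishedName }

$findings = @($stale) + @($overEntitled) + @($strayUsers) + @($emptyGroups)
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "Report written to $ReportPath"

# Opt-in remediation: disable, do not delete, so the account synchronizes to Azure AD
# as disabled and can be re-enabled if the report was wrong. Run with -WhatIf first.
if ($DisableStale) {
    foreach ($f in $stale) {
        if ($PSCmdlet.ShouldProcess($f.Object, 'Disable stale account')) {
            Disable-ADAccount -Identity $f.Object
            Set-ADUser -Identity $f.Object -Description "Disabled $(Get-Date -Format s) by AD cleanup (inactive > $InactiveDays days)"
        }
    }
}
```

Run it once with no switches to get the CSV, review the findings with the business owners, then run `.\Invoke-AdCleanup.ps1 -DisableStale -WhatIf` to see exactly which accounts would be disabled before committing. Disabling rather than deleting keeps the rollback path the section above insists on, and a disabled account still counts against your licenses until the license is removed, so the CSV is also your input for the licensing step.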
We’ve published a paper called Modernizing Active Directory for Azure and Office 365 by Darren Mar-Elia, Microsoft MVP and frequent speaker on Windows infrastructure. The paper goes into greater detail on the four areas I mentioned, highlights the significance of Office 365 and explores identity as a service with Azure AD. Read it for a systematic look at and a different perspective on Active Directory cleanup.
After all, if you have tribbles in your AD, you can’t do what Scotty did and simply transport the whole lot of them into the engine room of a Klingon vessel (“where they’ll be no tribble at all”).