New Job - AD is a mess. Is this normal
Posted by Auno94@reddit | sysadmin | 136 comments
Hello,
I switched employers, and in both my previous ventures the AD was more or less fine, both in terms of users/groups and file permissions.
My new job hasn't deleted any group or user in the last 7 years; they have onboarded and never correctly offboarded tools to "fix" their mess, and only ever made it worse.
While I am in the process of getting a proper audit tool for it (perhaps Netwrix Auditor), my question is: is this "normal", as in was I just lucky that we implemented processes to kill unneeded AD objects and offboarded stuff AD-wise in a decent way?
The company is around 350 people big, and before I started cleaning up it had (roughly):
2300 user accounts
3000 Groups
200 Service accounts
Chao7722@reddit
Yes, it is normal for Microsoft AD groups to become disorganized in environments that have been running for years. Unlike Novell eDirectory, where you can precisely determine which files or folders a group has access to, Microsoft Active Directory does not provide a direct mechanism for this. You need to scan all file servers to identify where a specific group has access or is being used.
Even then, it is only the tip of the iceberg, because you also need to scan application servers or platforms like Microsoft SharePoint and so on to determine whether the group is referenced elsewhere.
Aggravating_Art203@reddit
How is it being a sys admin? I'm in college learning in labs with active directory and group policy work and eventually want to become a sysadmin as well.
man__i__love__frogs@reddit
I would rather rebuild than fix that. There are probably countless opportunities to modernize and optimize, like going with an internal.contoso.com domain and that sort of thing. Structure your GPOs correctly by function, implement security baselines, set up nested group structures, dfs namespace, etc...
biga_bada_boom@reddit
No 3rd-party tools required; some off-the-shelf PowerShell should help with this.
Have a bottle of something strong ready when it comes to opening the Group Policy console, which will either be clean as a whistle or next-level Group Policy dredge.
Dychnel@reddit
Before I fire up Google, can you recommend any sites to check out for off-the-shelf PowerShell scripts? Is there anything decent in Microsoft Learn to follow?
TheRealLazloFalconi@reddit
PowerShell in a Month of Lunches is the way to learn. I wouldn't suggest you run any scripts off the internet until you have a basic understanding of what they're doing.
Auno94@reddit (OP)
I already use a lot of PowerShell for reporting; sadly, with the file permission groups I hit an obstacle, as there are so many, and so many are so bad, that my recursive group-member search CSV was 200k lines long, and many file permission groups are not needed as they are logical duplicates.
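As an added example (not the OP's own reporting script), one way to surface the logical duplicates without reading a 200k-line CSV: flatten each group's recursive membership once, fingerprint the member set, and group by fingerprint. The search base OU and output file names are placeholders.

```powershell
# Added example: find groups whose flattened (recursive) membership is identical,
# plus groups with no members at all. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: OU that holds the file-permission groups
$SearchBase = 'OU=FilePermissionGroups,DC=example,DC=local'

$groups     = Get-ADGroup -Filter * -SearchBase $SearchBase
$membership = @{}   # group DN -> sorted, de-duplicated list of member SIDs
$empty      = New-Object System.Collections.Generic.List[string]
$failed     = New-Object System.Collections.Generic.List[string]

foreach ($g in $groups) {
    # -Recursive flattens nested groups down to the users/computers they contain.
    # Very large groups or foreign security principals can make this call fail,
    # so failures are recorded separately rather than mistaken for empty groups.
    try {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
    } catch {
        $failed.Add("$($g.Name): $($_.Exception.Message)")
        continue
    }
    if (-not $members) { $empty.Add($g.Name); continue }
    $membership[$g.DistinguishedName] = @($members.SID.Value | Sort-Object -Unique)
}

# Groups sharing a fingerprint grant access to exactly the same set of principals
$byFingerprint = @{}
foreach ($dn in $membership.Keys) {
    $key = $membership[$dn] -join ';'
    if (-not $byFingerprint.ContainsKey($key)) {
        $byFingerprint[$key] = New-Object System.Collections.Generic.List[string]
    }
    $byFingerprint[$key].Add($dn)
}
$duplicateSets = @($byFingerprint.Values | Where-Object { $_.Count -gt 1 })

"Groups scanned : $($groups.Count)"
"Empty groups   : $($empty.Count)"
"Failed lookups : $($failed.Count)"
"Duplicate sets : $($duplicateSets.Count)"
foreach ($set in $duplicateSets) {
    ''
    "Identical membership ($($membership[$set[0]].Count) principals):"
    $set | ForEach-Object { "  $_" }
}
$empty  | Set-Content .\empty-groups.txt
$failed | Set-Content .\failed-groups.txt
```

Identical membership does not make two groups interchangeable: as Chao7722 notes above, you still have to find where each group is referenced in ACLs before collapsing them.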
mk9e@reddit
I've dealt with this. Get with HR, get a list of active user accounts. PS to find all accounts that aren't a part of that group. Be mindful of service accounts and figure out how you need to filter for those.
Then go ahead and mass disable. Something will break. You can also filter by item properties, like last login time or last time password was updated.
Top-Perspective-4069@reddit
I bet Sites and Services is all fucked up too. Probably lots of old DC metadata and just a single 10.0.0.0/24 subnet.
I'd also be willing to bet that the DNSDomainZones and DNSForestZones are pointing to machines that don't exist anymore.
Auno94@reddit (OP)
Not that bad. A lot of 10.X.X.X/23 zones that are logical. There is also a lot to do. DNS is another issue, as a lot of old entries are there, and together with a DHCP config that just needs a sledgehammer I want to erase it and build it anew. Interestingly, though, DNSDomainZones and ForestZones aren't an issue.
Top-Perspective-4069@reddit
For a company that size, multiple 10. /23 networks seems like a lot.
Also, too early in the morning, I meant 10.0.0.0/8 in my original comment. I've seen that dumb shit a lot when I was a consultant.
Auno94@reddit (OP)
/23 is too big, agree. Gladly it is a logical set, but it's all static routes.
Ur-Best-Friend@reddit
Hard disagree - run Ping Castle on your AD environment and check the list of problems it finds and you'll change your mind too, unless you're in a damn unicorn environment or you've already done that.
Sure, if it's just a matter of removing old accounts from people that haven't been with the company for years, you absolutely need nothing other than powershell and a bit of time, but how much do you wanna bet that there's a dozen accounts with an AdminSDHolder=1 attribute? How about accounts with DES encryption?
When you come to an AD environment with such obvious mismanagement, you can bet that there's other, less obvious problems under the hood. You need to do AD audits, whether you hire someone to do it for you or do it yourself, and you kinda need third-party tools to be thorough.
ConsciousEquipment@reddit
PowerShell has no buttons etc. to do all that; an actual software product can just show you "here, do this" or even do it for you.
fearless-fossa@reddit
Someone please tell me this is satire, I'm scared.
linebmx@reddit
🙈🙈🙈
iamoldbutididit@reddit
It's totally normal. From personal experience it's related to the maturity of HR. If they never tell you that Sally left, you will never delete Sally's account.
Oh and by the way, Bob starts tomorrow. Bob knows how to use excel so please have a laptop with 32GB of memory, and a new triple-screen iPhone ready for him.
Morkai@reddit
This is a fight I'm currently having with a department head over some external contractors. They're offshore, and no one tells us when they come and go, so there's people finishing their contracted work period, and the accounts are just left active and no one says anything. Somehow others don't see this as a major issue.
jooooooohn@reddit
Network breach, lateral movement, privilege escalation waiting to happen.
natflingdull@reddit
I had that fight for years at other companies. However, at my current company HR is totally on the ball. Two-week lead time on every new user, accurate listing of what access the user needs, exact end dates for contractors/vendors, zero surprises. Totally organized. Feels like the Twilight Zone.
buzz-a@reddit
We monitor for idle accounts, just most recent logins.
You could be aggressive with those in the contract employee OU. If no login within 7 days disable.
I find when our management don't see things as a problem I have to present them with a business risk assessment that includes the COST if things go wrong. As soon as they see a cost break down and it's a thing that really could happen it becomes a priority.
Often our insurance company is my best friend for these, we have a list of things they are requiring us to do to stay insured. You can bet management are willing to do those things. :-)
Morkai@reddit
We have a deadline to be compliant with Essential Eight maturity level 2 by July 2027 so this is giving us all the justification we need to tighten the screws and enforce all sorts of new processes and requirements in the near future.
The CEO has our back, so our pathway forward got significantly easier in the near future.
Jaybone512@reddit
If they can't/won't give you an engagement end date for the contractors, just set reasonable expiration dates on the accounts. E.g. the end of the current or next week/month/quarter, whatever is reasonable for the org.
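Added example (not Jaybone512's or buzz-a's code) of the expiry-date approach: every enabled account in the contractor OU that has no expiry gets the end of the current quarter, and accounts that have already expired but are still sitting there are listed. The OU, the quarter rule and the file names are assumptions; assumes the RSAT ActiveDirectory module.

```powershell
# Added example: default expiry for contractor accounts that have none,
# so a missed offboarding notice fails closed instead of staying open.
Import-Module ActiveDirectory

$ContractorOu = 'OU=Contractors,DC=example,DC=local'   # placeholder
$WhatIf       = $true   # report only until the list has been reviewed with the department

function Get-QuarterEnd([datetime]$Date) {
    # Last second of the quarter containing $Date
    $quarter          = [int][math]::Ceiling($Date.Month / 3)          # 1..4
    $nextQuarterMonth = [int]((($quarter * 3) % 12) + 1)               # 4, 7, 10 or 1
    $year             = if ($nextQuarterMonth -eq 1) { $Date.Year + 1 } else { $Date.Year }
    return [datetime]::new($year, $nextQuarterMonth, 1).AddSeconds(-1)
}

$expiry = Get-QuarterEnd (Get-Date)

# AccountExpirationDate is $null for accounts set to never expire
$noExpiry = @(Get-ADUser -Filter { Enabled -eq $true } -SearchBase $ContractorOu `
    -Properties AccountExpirationDate, Manager |
    Where-Object { -not $_.AccountExpirationDate })

foreach ($u in $noExpiry) {
    '{0,-20} -> expires {1:yyyy-MM-dd}  manager: {2}' -f $u.SamAccountName, $expiry, $u.Manager
    if (-not $WhatIf) {
        Set-ADAccountExpiration -Identity $u -DateTime $expiry
    }
}
"$($noExpiry.Count) contractor account(s) had no expiry date (WhatIf=$WhatIf)"

# Already expired, but never disabled or moved out: these are the silent leftovers
Search-ADAccount -AccountExpired -UsersOnly -SearchBase $ContractorOu |
    Select-Object SamAccountName, AccountExpirationDate
```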
Morkai@reddit
That's a fair point, at least then when the account is expired, there has to be a conversation around "hey their account doesn't work, but they're still here for another month"
Thanks for the idea, I'll have a chat with the team tomorrow.
himji@reddit
And Bob needs access to install applications on his machine so make him a domain admin
Distracted-User@reddit
I have one user who uses software that requires elevated privileges every time it updates. Their tickets always have some form of
"xyz has updates that I don't have permission to install myself...." or "xyz needs an update, someone needs to come put a password in since I can't do it."
YOU'RE NOT GETTING ADMIN SO STOP WITH THE SNARK
Sheesh
Ur-Best-Friend@reddit
Excuse me, r/ShittySysadmin is that way.
DesertDogggg@reddit
Lucky you. You get a full day's notice. They usually just show up to our office the day the person is starting and then demand we move mountains for them.
Disastrous_Meal_4982@reddit
Before you go headlong into deleting things, create a decom process and disable and archive accounts until you know what the audit requirements are for your type of business. The main thing to take into consideration is whether you need to look through logs and verify, in a timely manner, that activity belonging to a recently terminated/deleted user belongs to the SID you are seeing in those logs.
lewas123@reddit
Yeah but if that person came back to the business.. /s
music2myear@reddit
I haven't seen one that bad. But poorly-managed AD isn't that uncommon. The extent of badness does vary.
JasonBNE83@reddit
Very normal. Have you looked at GPO yet?
Windows95GOAT@reddit
You mean our default domain gpo that has everything in it?
ITSec8675309@reddit
PTSD Activated
Windows95GOAT@reddit
Tbh when I first encountered it I was pretty impressed; the creation date was 2002, which afaik is pretty close to the AD release date. They just upgraded endlessly.
mk9e@reddit
This is my company. There's still one instance of Server 2008 that I'm pushing for us to get off of, but every other server is 2016 at least.
michivideos@reddit
I honestly would rather have 200 GPOs specific to one setting each than 10 GPOs with a soup of settings, scopes and exclusions.
DesertDogggg@reddit
I would rather have 200 GPOs as long as they are named correctly. So easy to manage an individual GPO setting if needed.
ScriptThat@reddit
We do that.
When I started at this job they had one GPO, and it did everything. Now we have a rather large number, but they each do one specific thing and are named logically (and documented).
the_red_raiderr@reddit
Or 20 repeat GPOs with no labelling/documentation but with slight setting changes and WMI filtering…
DesertDogggg@reddit
A few years ago I corrected NTP misconfigurations that left our environment out of sync. Due to our structure, I created three GPOs: one for the authoritative time source (DC1), one for DC2 and other servers, and one for clients. A new engineer later requested consolidating them into a single GPO for tidiness. This required complex item-level targeting, which I advised against. While it didn't noticeably affect GPO processing negatively, the merge felt unnecessary. I'm aware that security filtering and item-level targeting should be avoided whenever possible because they could slow down GPO processing.
Cormacolinde@reddit
A single GPO using a WMI filter with win32_product is worse than any of these.
theshapester1980@reddit
Or 10 GPOs that contradict each other :)
IWantsToBelieve@reddit
Loopback has entered the chat.
One_Put_8904@reddit
This guy admins
Nexzus_@reddit
I remember inheriting an AD a couple years ago that still had some Small Business Server remnants around. Nothing too egregiously stupid, but still, Sideshow-Bob-stepping-on-rake sound.
Auno94@reddit (OP)
There are none, as they migrated to Intune.
Bright_Arm8782@reddit
They did the migration and didn't take the opportunity to trim what they were migrating?
If they are all licensed then you have the opportunity to save the company a fortune.
altodor@reddit
The only thing you get charged for is licensed user accounts, not the existence of user accounts, devices, or Intune policies.
Bright_Arm8782@reddit
I know, but if these accounts aren't being disabled then it's a fair bet that they aren't having the licenses removed either.
Cormacolinde@reddit
Are you saying your servers don’t have any baselines applied? Oof.
Auno94@reddit (OP)
They have, but all of them as local GPOs. It is sadly/gladly already on my to-do list.
Samhigher92@reddit
I love finding all the old SBS GPOs that are still active.
AtarukA@reddit
"Why are updates not working"
Jazzedd17@reddit
Lol
uptimefordays@reddit
A staggering percentage of environments of this size are disasters because they are large enough to withstand poor decisions but small enough that they never need to worry about scaling.
natflingdull@reddit
It's extremely normal for a bunch of reasons, and not all of them will be stupid (but most are). I've handled multi-forest domains with ten-year-old expired accounts. Group Policy is also normally messy; they kind of go hand in hand.
You'll discover onboarding/offboarding is one of the most important and most dysfunctional parts of any company. I have developed a low opinion of the HR profession as a result (not across the board, my current HR dept is actually pretty good). It is always baffling to me when I work at places that will spend all of this time and money to hire people but are unable to give adequate notice to IT when they come and go. Like you made this poor schmuck go through 5 interviews but couldn't tell me they were starting until after they were already on site? Sheesh
starien@reddit
Completely normal for every single account to be in the default Users OU, too.
Good luck.
jaqian@reddit
How many admin accounts? Where I used to work they were using admin accounts in place of service accounts. Took a couple of years to bring it down from 70 odd to under 10.
Auno94@reddit (OP)
Too many. Boss already approved my concept of redesigning the privilege system, both for our IT Operations admin accounts and where to scream test admin accounts.
jaqian@reddit
I love scream tests 😂
Best way to find out what's in use etc. Take it slow, don't want to break everything all at once lol
weHaveThoughts@reddit
Totally normal.
Calleb_III@reddit
This will be either a golden opportunity to shine, if manglement buys into your proposed service improvements, or it's going to be hell.
Recent_Carpenter8644@reddit
We didn’t delete any ex users for the first 25 years or so. Only 150 employees, fairly low turnover.
pbaupp@reddit
Do you anonymize them? If not, how are you compliant with GDPR?
ConsciousEquipment@reddit
...lol.
Rage333@reddit
GDPR hasn't been a thing for 25 years, and still isn't outside of EU. Inside of EU, many companies seem to just go off of "anything internal from old users is fine" if they don't have a proper offboarding procedure, since the chance of an audit or a request to be forgotten is so slim and really only happens with B2C companies, and then only with customers and not former employees.
Kuipyr@reddit
I wish GDPR applied everywhere.
WinterFamiliar9199@reddit
Worked at a place whose policy was never delete an account. Just disable and move… 20 years of people leaving.
Another place was a big company… 110k security groups.
Another one 500 service accounts that they didn’t know what they were for.
So yeah, it’s common.
gambeta1337@reddit
You never delete AD accounts, you disable them.
Auno94@reddit (OP)
As we are legally obligated to have as little data as needed, why should I NEVER delete AD accounts? I understand that I don't just delete them on the last day.
If I have the AD trash bin (so that I can reinstate an account if needed) and I have a process for accessing data and mails, what is the benefit of not deleting unneeded data?
DesertDogggg@reddit
I think it depends on the environment. For example, I work in a school district. By law, the government requires us to keep accounts and data for 5 years before deleting it. You can leverage PowerShell against accounts. If they haven't been signed into for X amount of years, either remove them or put them in an OU dedicated to disabled accounts. We call ours purgatory.
You can also use PowerShell to audit account attributes. I found a lot of mismatched settings in our environment. A few accounts even had "password not required." Thankfully, the users didn't know this and they were still using passwords.
CriticalMine7886@reddit
In our environment, data is discoverable if it exists, but so long as it's been deleted in accordance with a policy, what's gone is gone.
We disable accounts when a user leaves and move them to an archive OU. After 6 months, the account is permanently removed. We increase that time for sensitive accounts, but on a per-case basis.
Emails are protected in a Mimecast archive forever, so those remain accessible
OldCmp from joeware https://www.joeware.net/freetools/tools/oldcmp/ is a handy tool for finding unused accounts - originally designed to find stale computer accounts, it has a -user switch. Can be used to disable and move objects as well as report. Nothing you can't do with PowerShell, but it's already written and tested - I've used Joe's tools for over 20 years at this point, worth a look at his site
KStieers@reddit
Yep. We also use oldcmp for this very thing.
Bright_Arm8782@reddit
Because you can't then show that you've disabled the account when you get audited.
CoLDxFiRE@reddit
Because if you just delete the accounts you could run into other problems in the future when you get a new employee with the exact first and last name as a past deleted employee. This is especially true when you have a hybrid AD environment with a bunch of different systems connected to it. Then you have Exchange, SSO... Etc.
Even if you delete the account from AD, some parts of it, security identifiers or what not, may linger somewhere, thus causing issues.
At least that's why we disable accounts instead of just deleting them.
HighRelevancy@reddit
That's exactly why I've seen it done before, but we don't have quite the peak of privacy laws that Europe has.
MidgardDragon@reddit
I was specifically asked in my interview if I could fix the mess a contractor that they hired to "fix" their AD had made of it for my upcoming job lol
davidm2232@reddit
Yup, that's the norm. I was the only IT guy at a small bank for 5+ years. There were still AD groups whose purpose I had no idea of. At my current company, we have GPOs dating back to the original Server 2003 upgrade, and if we try to change them, it bricks half our machines. If an update goes out that disables SMBv1, we can't access any of our older servers. But we can't update the policy because as soon as we change anything, it bricks. We have moved most PCs to a new domain, but the old servers still have this issue. Not enough time or interest to fix. We will just let them go obsolete.
hevvypiano@reddit
Sounds about right. We're using SolarWinds ARM and although it's clunky, it's a way to limit changes and helps with auditing.
Secret_Account07@reddit
Best practice? No
Normal? Yes
Before you start making any changes, after the audit, take a look at GPO. If you're going to clean up this mess, let's do it all at once. Are correct CIS/security benchmarks applied? Password expiration? Etc., etc.
do_not_free_gaza@reddit
Fix it ?
Ever_Mythrain@reddit
Was provided the title of IAM. And let me tell you... imagine 30 years of AD use where accounts were only disabled, not deleted. All of them, and worse still inside some of our primary applications. I found an active account with the last sign-in just before 9/11/2001.
19610taw3@reddit
When I started at a previous job it was the same issue. Group policy was nuts and no old accounts were even so much as deactivated.
Independent-Sir3234@reddit
Yeah, inherited ADs like that are way more common than clean ones. Worst one I took over still had orphaned groups from an acquisition eight years earlier, and nobody could explain what still drove half the ACLs. I wouldn't delete much until you can disable in batches, watch for breakage, and roll back fast, because the weird service account tied to one finance share is always what bites you.
cnr0@reddit
Do you have a proper XDR? Some of them have tools directly addressing this problem.
For example SentinelOne can audit your Active Directory and provide you very detailed info about misconfigurations and risks.
andrew_joy@reddit
LOL yes, very normal
Centimane@reddit
There's so much randomness in IT I don't think I'd call anything "normal".
Definitely a bunch of places have bad AD. Many have good AD (because they're doing very little with it). Same as every other tech could be good or bad, flip a coin.
AffekeNommu@reddit
Mm mm circular membership
RustyRoot8@reddit
Quite normal unfortunately. Run pingcastle against it. Free if you’re not using it to generate revenue
AppIdentityGuy@reddit
It's depressingly common and any environment in that condition invariably has pretty serious security issues as well.
double-you-dot@reddit
We never delete user accounts. We just disable them and move them into an OU for separated users.
This way, their names are still attached to NTFS objects that they were owners of but are still in use by others. If we were to delete the account, the NTFS owner would appear as the creator’s SID which isn’t as useful to the end users.
FittestMembership@reddit
How many of those are active, and how many are disabled? As long as offboarding has been happening and accounts have been locked when needed, there's no massive need to clear out old users and accounts. Especially if it's an industry where there's a lot of staff movement, often users will return and having fully deleted their AD object causes more issues than leaving it in a disabled state (and maybe even in a disabled users OU).
Auno94@reddit (OP)
A lot had only their password rotated and were active, as in the account wasn't disabled. My boss started a project "Restart Active Directory", as I have been pointing out the mess and the inability to audit, and that we need to first clean up users so we can see what groups are irrelevant and migrate to a new approach regarding permissions. As they had SolarWinds ARM and just created groups for every folder and subfolder you can imagine, shared across 3 different, broken DFS settings.
FittestMembership@reddit
I've seen worse but not having users sign in blocked is pretty bad for an extra 2000 users...
Ur-Best-Friend@reddit
I'm willing to bet good money that a few of those 2000 accounts are old accounts with "password doesn't expire" and a very secure password like password123.
Ur-Best-Friend@reddit
You don't need to go for the nuclear option, nothing you described is unsalvageable, and redoing everything is a bigger pain in the ass than you imagine. Not to mention that even with that there's still things you'll need to fix that won't necessarily be obvious.
Run PingCastle from a random workstation (it's free for non-commercial use, which includes using it to audit your AD environment), then go through the items in the report one by one, investigate them, and fix them, and you're 90% of the way to a clean AD environment.
himji@reddit
Even when users leave and return it's best to either delete the accounts or at the very least remove them from all security groups/dlists. Often users return with a new role and you don't want them having permissions from the old role
Apprehensive_Bat_980@reddit
They’ve not been doing Access Reviews
Durovigutum@reddit
Normal? Two weeks ago when attempting to fix an AD where none of the domain controllers sync we found something new that I never knew existed (AD since Win2K) - a deep buried setting that allows you to ignore when FSMO roles don’t sync successfully, that the customer had turned on at some point. We assume this exists to allow a borked AD to limp on until it is replaced, but this setting was changed at least five years ago and the AD is just about clinging on in extended life support (picture a hospital bed with tubes coming out of everywhere).
This is a bit extreme, and I see the broken ones 95% of the time, but I'd say there are more "broken" AD domains than perfectly running ones.
mcapozzi@reddit
The only perfectly running AD domains are the ones you just finished creating...😂
bobs143@reddit
I have never seen an org whose AD didn't need some sort of cleanup. Old GPOs, users who are active but left the org years ago.
glitch841@reddit
Yes, I’d be more shocked if it was all clean and properly maintained.
Only thing you can do now is carry on with the auditing. Just delete objects carefully; take your time here unless it's a security risk or something.
Use the AD recycle bin and verify backups/restore procedures work before any major changes and you should be good.
Ur-Best-Friend@reddit
Where possible, you disable and move to a "disabled accounts" group or similar, if you disabled too much you can always just re-enable the relevant accounts later, then you let it lay for a while, then you delete.
Auno94@reddit (OP)
So I just was lucky that in my old company (7 years) we established processes long before the lack of them became an issue.
glitch841@reddit
Yeah, the truth is it's really random. Depends on budget, employee conditions, individual professionalism, management and so on.
Also makes a big difference if you have to deal with the headaches you cause, that will always make you think a bit more carefully.
SecAdmin-1125@reddit
Very normal to see this.
zantehood@reddit
Hot-Contribution8536@reddit
Very unfortunately… this is pretty normal.
The good news is you’ve got a great opportunity here to learn the environment, put a plan together, and really rework it the right way. This is one of those rare chances to truly make the environment your own.
I've honestly never walked into an environment that didn't need cleanup, especially coming in behind MSPs or years of unmanaged growth. There's almost always a mix of broken policies, abandoned users/groups, and remnants of half-finished and failed "fixes" or half-assed, unplanned projects that didn't go anywhere.
It looks overwhelming at first, but it’s also exactly the kind of situation where you can bring real structure and long-term improvement.
This is a fantastic opportunity for you and your career growth too. Most likely, since this is that rough, the rest of the environment is too. This is where IT heroes are born: solving lingering issues that users just gave up on, terrible performance that is just accepted at this point, and building a rapport with users that they've maybe never experienced before.
I'm not sure what your leadership situation is, but this can be a great opportunity for you to head into that path as well, especially if you are the take-charge sort of person.
I bet all of us with experience have been where you are now, so don't be afraid to ask advice and see where we have failed and succeeded... the road is already paved, there are potential holes and construction, but you certainly don't have to travel it alone!
fnordhole@reddit
Yes. This is common.
Is it solely your responsibility to fix?
Recent_Perspective53@reddit
My first job was mostly a mess; took me a long time to design it and create proper OUs, GPOs, and cleanup (PS: I don't delete accounts; I disable, change passwords and remove from all AD groups, including Domain Users).
2nd job was decent, several OUs but nothing spectacular about it. Mostly for users 1 OU, Admins another. He believed in deleting everyone instantly.
Current job, reminds me a lot of my 1st and I have some work to do.
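Added example (not Recent_Perspective53's or himji's code) of the disable-rather-than-delete offboarding both of them describe: the account keeps its SID for log and NTFS-owner lookups, but loses its password, its logon and every group membership except the primary group, and the memberships it had are written out so a returning user gets a fresh access review instead of the old role. The archive OU and the sample account name are placeholders; assumes the RSAT ActiveDirectory module.

```powershell
# Added example: strip an account of its access without deleting it, and record what it had.
Import-Module ActiveDirectory

function Invoke-Offboarding {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ArchiveOu = 'OU=Leavers,DC=example,DC=local',   # placeholder
        [switch]$Commit                                           # without -Commit nothing changes
    )
    $u = Get-ADUser $SamAccountName -Properties MemberOf, PrimaryGroup, Description

    # The primary group (usually Domain Users) cannot be removed with Remove-ADGroupMember
    # until another primary group is set; everything else goes.
    $groups = @($u.MemberOf | Where-Object { $_ -ne $u.PrimaryGroup })

    # Keep a record so that a returning user's old rights can be reviewed, not silently restored
    $record = [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OffboardedOn   = (Get-Date).ToString('s')
        OriginalDN     = $u.DistinguishedName
        OldDescription = $u.Description
        Groups         = ($groups -join ';')
    }
    $record | Export-Csv ".\offboard-$($u.SamAccountName).csv" -NoTypeInformation

    if ($Commit) {
        # 32 random bytes from the CSPRNG, base64-encoded: nobody knows this password
        $bytes = New-Object byte[] 32
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        Set-ADAccountPassword -Identity $u -Reset -NewPassword $newPw
        Disable-ADAccount -Identity $u
        foreach ($g in $groups) {
            Remove-ADGroupMember -Identity $g -Members $u -Confirm:$false
        }
        Set-ADUser -Identity $u -Description "LEFT $(Get-Date -Format yyyy-MM-dd); memberships in offboard CSV"
        Move-ADObject -Identity $u -TargetPath $ArchiveOu   # last: this changes the DN
    }
    return $record
}

# Dry run on a placeholder account: writes the record, changes nothing
Invoke-Offboarding -SamAccountName 'jdoe'
```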
Wolfram_And_Hart@reddit
AD Tidy is very helpful at the start. Launch as admin.
Top-Perspective-4069@reddit
The offboarding thing is a process that needs to get worked out. I've had clients in the past who didn't ever want to delete anything, user or computer records. It's batshit crazy, but sometimes the best you can do is give input and hope they listen.
godsglaive@reddit
Super normal lol
sambodia85@reddit
They’re rookie numbers, you’ll be fine.
Measure twice, cut once.
Professional-Heat690@reddit
Try an almost 20 year old AD supporting 12k users.
Burning it and building new as part of a multi year endeavour.
Morkai@reddit
We currently have 82 devices in Intune, and almost 700 devices in Entra. Yes, it's normal (unfortunately) for environments to be an absolute bin fire and needing a steady hand to clean up and right the ship.
ConsciousEquipment@reddit
All normal; as long as the licenses are removed and it doesn't cost a bunch of money, you don't need to bother.
Auno94@reddit (OP)
Sadly I need to bother. Legal compliance, and the wish to have a 27001 cert
ConsciousEquipment@reddit
yeah that always sucks. good luck tho
R555g21@reddit
Not deleting old user accounts isn't an issue. You keep them disabled. In fact we were always told to just keep them for auditing purposes. We had NERC CIP compliance, which is like literally the strictest compliance standard out there. It was never an issue in an audit.
KavyaJune@reddit
That assumes licenses are being removed properly
Borgquite@reddit
Not surprised but you might find this tool (free, I’m not the developer) helpful for cleaning up the mess.
www.cjwdev.co.uk/Software/ADTidy/Info.html
Absolute_Bob@reddit
Everything that guy made is stupid useful. I like the service analyzer to find services tied to non system accounts.
Hot_Individual5081@reddit
I work for one of the biggest retailers in Europe, and these smaller AD environments always make me chuckle. As an example, just the other week I disabled, as part of the remediation, over 4500 stale service accounts... and that's not even the main AD domain.
Absolute_Bob@reddit
It's damn near the rule. Cleanup is usually the path of least resistance (outside of ignoring it), but some messes are so insane it's better to just stand up a new domain, figure out what's really needed and migrate. Not a simple task even in smaller environments sometimes.
HomelabStarter@reddit
Completely normal. You're not unlucky at your new job, you were just lucky at your previous ones. Most AD environments I've walked into look exactly like this, especially places that have been around for 10+ years without a dedicated identity management person.
The biggest trap is trying to clean it all up at once. What worked for me was starting with a PowerShell script to find all accounts that haven't logged in for 90+ days, disable them first (don't delete), wait 30 days, then delete. For groups I ran a report on empty groups and groups with no members who had logged in recently. That alone usually cleans up like 60% of the mess without breaking anything.
Ping Castle is free and will give you a health score plus specific findings ranked by severity, way faster than waiting on budget approval for Netwrix. Run that first and it'll tell you exactly where the scariest stuff is.
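Putting mk9e's HR reconciliation (earlier in the thread) and HomelabStarter's 90-day rule together, as an added example that is neither commenter's script: enabled users that are absent from the HR export and have not logged on within the threshold are reported and, once WhatIf is switched off, disabled (not deleted) with a rollback CSV. The HR CSV column name, the service-account OU and the threshold are assumptions; assumes the RSAT ActiveDirectory module.

```powershell
# Added example: stale-account pass, disable only, with a rollback record.
Import-Module ActiveDirectory

# Placeholders
$HrExport   = '.\hr-active-employees.csv'               # constructed: one column, SamAccountName
$ServiceOu  = 'OU=ServiceAccounts,DC=example,DC=local'  # never touched by this script
$StaleDays  = 90
$WhatIf     = $true                                     # flip only after the report has been reviewed

$hrActive = @{}
Import-Csv $HrExport | ForEach-Object { $hrActive[$_.SamAccountName.ToLower()] = $true }

$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag real logons
# by up to 14 days by default; treat it as a floor, and check DCs individually for borderline cases.
$candidates = @(Get-ADUser -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        if ($_.DistinguishedName -like "*,$ServiceOu") { return $false }
        if ($hrActive.ContainsKey($_.SamAccountName.ToLower())) { return $false }
        # Never-logged-on accounts fall back to creation date so brand-new hires are not swept up
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        return $lastSeen -lt $cutoff
    })

$stamp = Get-Date -Format 'yyyy-MM-dd'
$rollback = foreach ($u in $candidates) {
    # Enough to undo: who, where, what the description said, and why
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LastLogonDate  = $u.LastLogonDate
        OldDescription = $u.Description
        Reason         = "Not in HR active list and no logon since $($cutoff.ToString('yyyy-MM-dd'))"
    }
    if (-not $WhatIf) {
        Set-ADUser -Identity $u -Description "DISABLED $stamp stale/no HR match; was: $($u.Description)"
        Disable-ADAccount -Identity $u
    }
}

$rollback | Export-Csv ".\disable-rollback-$stamp.csv" -NoTypeInformation
"Candidates: $($candidates.Count) of enabled users (WhatIf=$WhatIf)"
```

Re-enabling from the CSV is one Enable-ADAccount per line, which is what makes the 30-day wait before deletion cheap.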
mapbits@reddit
These environments are so satisfying when they're finally clean.
Try running a free and non-persistent assessment tool like Ping Castle or Purple Knight to see if there are issues more urgent than the ones you've identified to address.
I've run Netwrix Auditor previously and it worked well, including providing some SIEM-like capabilities, but it also introduces a significant attack surface on its own - don't go into this lightly.
KavyaJune@reddit
Pretty normal tbh. I’ve seen a lot of environments where offboarding just never happened properly.
While you’re cleaning things up, also check for security gaps like reversible password encryption, accounts without passwords, weak password/lockout policies, etc.
For AD reporting, you could try AdminDroid as well. Free version has 200+ reports.
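Several comments in this thread come down to reading a few attribute bits: Ur-Best-Friend's question about AdminSDHolder-protected and DES accounts, DesertDogggg's "password not required" finding, and KavyaJune's list just above. An added example, not from any of them, that flags those attributes on enabled users in one pass and checks the default domain password policy; the 14-character minimum is an assumption, and fine-grained password policies (not checked here) can override the default one.

```powershell
# Added example: risk-attribute sweep over enabled users. Assumes the RSAT ActiveDirectory module.
# Bit values are the documented userAccountControl and msDS-SupportedEncryptionTypes flags.
Import-Module ActiveDirectory

$UAC = @{
    PASSWD_NOTREQD             = 0x20       # password not required
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80       # reversible encryption
    DONT_EXPIRE_PASSWD         = 0x10000    # password never expires
    USE_DES_KEY_ONLY           = 0x200000   # legacy DES-only flag
    DONT_REQ_PREAUTH           = 0x400000   # Kerberos pre-authentication disabled
}
# msDS-SupportedEncryptionTypes: 0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256
$DesBits    = 0x3
$StrongBits = 0x1C

$users = @(Get-ADUser -Filter { Enabled -eq $true } `
    -Properties userAccountControl, adminCount, 'msDS-SupportedEncryptionTypes', PasswordLastSet, LastLogonDate)

$findings = foreach ($u in $users) {
    $uac   = [int]$u.userAccountControl
    $enc   = [int]$u.'msDS-SupportedEncryptionTypes'   # 0 when unset (RC4 default)
    $flags = @()
    foreach ($name in $UAC.Keys) {
        if ($uac -band $UAC[$name]) { $flags += $name }
    }
    # adminCount=1 on an ordinary user is usually stale AdminSDHolder protection:
    # ACL inheritance stays blocked and the account is treated as privileged.
    if ($u.adminCount -eq 1) { $flags += 'adminCount=1 (AdminSDHolder-protected)' }
    if (($enc -band $DesBits) -and -not ($enc -band $StrongBits)) { $flags += 'DES-only encryption types' }
    if (-not $u.PasswordLastSet) { $flags += 'password never set' }
    if ($flags) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Findings       = ($flags -join ', ')
        }
    }
}

# Domain-wide settings KavyaJune mentions: length, complexity, lockout, reversible encryption
$policy = Get-ADDefaultDomainPasswordPolicy
$policyFindings = @()
if ($policy.MinPasswordLength -lt 14)    { $policyFindings += "MinPasswordLength=$($policy.MinPasswordLength)" }
if ($policy.LockoutThreshold -eq 0)      { $policyFindings += 'no account lockout' }
if (-not $policy.ComplexityEnabled)      { $policyFindings += 'complexity disabled' }
if ($policy.ReversibleEncryptionEnabled) { $policyFindings += 'reversible encryption enabled domain-wide' }

$findings | Sort-Object SamAccountName | Export-Csv .\account-risk-findings.csv -NoTypeInformation
"Accounts flagged: $(@($findings).Count) of $($users.Count) enabled users"
'Default domain policy: ' + $(if ($policyFindings) { $policyFindings -join '; ' } else { 'no issues by these checks' })
```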
Auno94@reddit (OP)
Security is a mess, but more a fixable mess. Privilege escalation is trivial at the moment, but the solution just needs a workday to implement and maybe a workday to come up with a concept. Gladly they did improve the security and implemented least privilege in Entra ID, so I know I can keep that load of work for later.
Wrong-Celebration-50@reddit
It's normal hahahaha 🤣
MajStealth@reddit
I would be way more concerned if they only had a single AD admin that is used everywhere for everything, and the users shared 1-3 users with a 2-letter-long password, synced to MS365 without MFA. Most likely the backup was never checked and also never inspected in the last 3 years. Or worse, shares use the user instead of appropriate groups in which the users (or org groups) might be in some form.
and yes that is also from experience....
theshapester1980@reddit
It's usually been a complete mess in my experience. The issue I find is that the mess is too tricky to untangle for many and it just gets ignored; groups can be used for various folder permissions or many other things, and cleanups break things when not done carefully and slowly.
Candid_Ad5642@reddit
Good luck finding time to fix it though
Don't be surprised when there is no time to fix stuff that isn't "broken"
Tekashi-The-Envoy@reddit
So normal that seeing one in good shape would be abnormal.
MasterPay1020@reddit
Lol. Yes.