Friday, May 14, 2010

Key Business Problems for Systems & Data Admins

We wanted to take a minute and discuss some of the key business problems that Systems and Data Administrators face on a daily basis. Hopefully, bringing them to light will help you to examine what's going on in your organization's environment, and will help you to preempt some potentially costly situations.

There are three main areas that, where they intersect, form the basis for data with real business value:



When you look at your environment, the areas of biggest concern can be broken down even further.

Permissions – Starting with Active Directory, users and groups form the foundation of control over which resources can be accessed on the domain. Windows and distributed file systems extend the boundary of where users and groups can be created and granted access to the resources that reside on those systems. Digging even deeper, users and groups can be granted access to shares, folders, and even individual files. To assess or secure your data, every one of those permission points, along with the inheritance between them, must be evaluated when determining a user’s effective level of access to resources on the domain. Take care before removing users from any of those permission points, as the removal or a deny action could break their access to other valid, business-critical resources across the domain.

Changes – Knowing who has what level of access to resources is important. Knowing who gave out that access or who is using their access to interact with resources is critical, especially when something goes wrong.

Content – On average, storage costs organizations $55/GB of data per month to maintain. Gartner estimates that 70% of unstructured data goes untouched 90 days after creation. That translates into gigabytes to terabytes of stale data, depending on the size of your user base. Archiving data to lower-cost storage tiers can help slow the capacity demands, but deleting the data will actually free up valuable storage resources.
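To make the Permissions point concrete, here is an added example (not from the original post or any vendor tool) that lists the NTFS entries on one folder that apply to a user, whether granted directly or through nested groups. The account name and path are hypothetical, and share-level permissions and local groups on the file server are not evaluated.

```powershell
# Added example: which NTFS ACEs on a folder apply to one user, directly or via groups.
Import-Module ActiveDirectory

function Get-EffectiveFolderAce {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Path
    )
    # tokenGroups is a constructed attribute holding the SIDs of every security
    # group the user belongs to, nested memberships and primary group included.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
    $sids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # identity cannot be resolved to a SID; skip it
        }
        if ($sids -contains $sid) {
            [pscustomobject]@{
                Type      = $ace.AccessControlType     # Allow or Deny
                Rights    = $ace.FileSystemRights
                Via       = $ace.IdentityReference.Value
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Hypothetical account and path. Deny entries sort first because a Deny
# reached through any group overrides an Allow at the same level.
Get-EffectiveFolderAce -SamAccountName 'jdoe' -Path '\\fileserver\finance\reports' |
    Sort-Object @{ Expression = { $_.Type -eq 'Deny' }; Descending = $true }, Inherited |
    Format-Table -AutoSize
```

The Via column shows which group carries each entry, which is what to check before removing a user from a group that also grants access elsewhere.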

Wednesday, May 12, 2010

Active Directory Maintenance & Cleanup

If you're an Active Directory administrator dealing with Maintenance and Cleanup of your systems, you know what a daunting task it can be. To help, we've come up with a list of Best Practices / Tips that every admin should know:


Users

User objects are often tied directly to different application and
service licensing agreements. Many organizations get around this
issue by negotiating to an official employee count. Beyond licensing,
user objects left in AD create overhead for the directory backup,
restore, and other application synchronization tasks. They make
finding the right user more difficult, which leads to wrong users
being added to resources, security groups, and distribution groups.
The impact to your messaging environment includes a growing
Global Address List, longer download times for mobile users,
misdirected email messages, and extra disk space that’s required for
abandoned mailboxes and system processing when email is returned
from mailboxes that are at capacity. Cleaning up stale and unneeded
user objects reduces the operational impact, improves the end-user
experience, prevents unintentional actions, and also reduces security
exposure, since older accounts are prime targets for hackers.

Tip 1: Combat these risks by using each user object’s Last Logon to
Domain timestamp as an indicator to find stale and unneeded
employee, contractor, and service accounts.

Tip 2: Survey managers at least on an annual basis to re-certify these
accounts and/or request permission to disable and/or delete them.

Computers

Computer objects are continually added for servers, workstations,
and mobile devices. Much like user objects, these are usually tied
directly to different application and service licensing agreements.
Inaccurate system counts can lead to gross overpayments for
applications and services. Active Directory is supposed to be the
authoritative source for understanding and securing what’s in your
infrastructure, but when these stale objects are not maintained, the
information becomes unreliable. Any application that relies on the
systems stored within AD will begin to have issues with finding and
interacting with systems, which may cause failures or delays due to
processing times. Cleaning up stale and unneeded computer objects
reduces operational impact, administrative time, and unintentional
actions. It also reduces security risks, as older accounts are prime
targets for hackers.

Tip 3: Combat risk by using each computer object’s Last Logon to
Domain timestamp as an indicator to find stale and unneeded
servers, workstations, and mobile devices.

Tip 4: Survey managers at least on an annual basis to re-certify these
accounts and/or request permission to disable and delete them.

Tip 5: Track and trend each system's administrators/custodians while
it is in production, for reference when the system is offline,
having issues, missing, or being retired.
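One way to apply Tips 1 and 3, feeding the manager surveys in Tips 2 and 4, is to query the replicated `lastLogonTimestamp` attribute with the ActiveDirectory PowerShell module. This is an added example, not code from the original post or from StealthAUDIT; the 90-day threshold, the 14-day replication margin and the output file name are assumptions.

```powershell
# Added example: report enabled users and computers with no recent domain logon.
Import-Module ActiveDirectory

# Assumptions: 90 days without a logon counts as stale. lastLogonTimestamp is
# replicated lazily (up to about 14 days behind by default), so the cutoff is
# padded by that margin to avoid flagging accounts that are still in use.
$StaleDays  = 90
$SyncMargin = 14
$Cutoff     = (Get-Date).ToUniversalTime().AddDays(-($StaleDays + $SyncMargin))

function Get-StaleAdObject {
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Type,
        [Parameter(Mandatory)][datetime]$Cutoff
    )
    # Owner attribute used later for the manager survey: manager on users,
    # managedBy on computers.
    if ($Type -eq 'User') {
        $ownerAttr = 'manager'
        $objects = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated, manager
    } else {
        $ownerAttr = 'managedBy'
        $objects = Get-ADComputer -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated, managedBy
    }
    foreach ($o in $objects) {
        # lastLogonTimestamp is a Windows FILETIME; it is empty for objects that
        # have never logged on, so fall back to the creation date for those.
        $last = if ($o.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($o.lastLogonTimestamp) } else { $null }
        $reference = if ($last) { $last } else { $o.whenCreated.ToUniversalTime() }
        if ($reference -lt $Cutoff) {
            [pscustomobject]@{
                Type = $Type; Name = $o.SamAccountName; LastLogonUtc = $last
                Created = $o.whenCreated; Owner = $o.$ownerAttr
                DistinguishedName = $o.DistinguishedName
            }
        }
    }
}

# Report only: nothing is disabled or deleted. The CSV (hypothetical file name)
# is grouped by owner so each manager can re-certify or release their objects.
$report = @(Get-StaleAdObject -Type User -Cutoff $Cutoff) +
          @(Get-StaleAdObject -Type Computer -Cutoff $Cutoff)
$report | Sort-Object Owner, Type, Name |
    Export-Csv -Path .\stale-ad-objects.csv -NoTypeInformation
```

Rows with an empty Owner have no recorded manager or custodian, which is the gap Tip 5 is meant to close.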

Distribution Groups

Having an excessive amount of stale or unneeded Distribution
Groups causes situations where mail can be misdirected, and
increases the potential for security leaks, where sensitive
information gets sent to inappropriate individuals, groups, or even
outside parties.

Tip 6: Track and trend message logs to review who is sending to
which distribution groups, as well as which distribution groups are no
longer being sent to at all.

Tip 7: Review distribution groups that are nested inside other
distribution groups to identify exceptions to the direct mailing statistics.

Tip 8: Survey managers at least on an annual basis to re-certify
groups and their direct and effective membership, and/or request
permission to delete any that are no longer needed.

Security Groups

Security Groups, in addition to their user accounts, define what
individuals have access to within the infrastructure—including
computers, applications, and data. Stale or unneeded Security
Groups in the environment create confusion, and often there’s no
oversight to ensure that direct and effective group memberships are
accurate.

Tip 9: Review the last Direct or Effective Member Change Date as an
indicator of security groups that have gotten stale or are no longer
needed.

Tip 10: Survey managers at least on an annual basis to re-certify
groups, their direct and effective membership, and/or request
permission to delete any that are no longer needed.

To see the rest of the tips, an introduction to Active Directory Cleanup, and an overview of how tools like StealthAUDIT can help you with your maintenance processes, visit our Active Directory page!