Disable Active Directory Group

How to disable Active Directory Groups

Active Directory has no built-in "Disable Active Directory Group" function. You can effectively disable an AD group by changing the group's settings and its membership. "Disabling" a group is preferable to deleting it because the group SID (security identifier) is retained for auditing and management purposes, but it must be done correctly. The idea is to prevent the group from being used for security or distribution-list purposes without actually deleting the group object itself.

Understanding the difference between the Security and Distribution group types is important here. When a user is authenticated, every Security group the user is a member of is listed in the user's token/ticket; Distribution group membership is not added to tokens because those groups are not used for security. By changing the group type from Security to Distribution you prevent the group from being used for security purposes.

Now the tricky part: if you are running Microsoft Exchange or are syncing the group to a cloud-based email system, you will need to take steps to prevent the group from being used as a distribution list. If you are using on-premises Exchange, you will need to set the security on the group so that it is not presented to users. If the group is being synced to Office 365 or to Google Apps, you will need to change the attributes of the group to prevent it from being seen by ILM or Google's sync solution.
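The steps above as a PowerShell function, added here as an example and not taken from the page or from the Cayo product. It assumes the RSAT ActiveDirectory module; the msExchHideFromAddressLists attribute (present only with the Exchange schema) and the adminDescription "Group_" prefix (which Azure AD Connect's default sync rules exclude; a Google sync filter would need its own rule) are assumptions for the Exchange and sync parts.

```powershell
# Added example: "disable" an AD group without deleting it, so its SID survives.
# Assumptions: RSAT ActiveDirectory module, rights on the group, Exchange schema
# (msExchHideFromAddressLists) and a sync filter that skips adminDescription "Group_*".
function Disable-AdGroupSafely {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $BackupPath = (Join-Path $env:TEMP "$Identity-group-backup.json")
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $group   = Get-ADGroup -Identity $Identity -Properties member, mail, groupCategory
    $members = @($group.member)   # distinguished names of direct members

    # Record SID, type and membership first so the change can be undone. The SID is what
    # remains in ACLs and audit logs, so it is the key piece of evidence to keep.
    [pscustomobject]@{
        Name          = $group.Name
        SID           = $group.SID.Value
        GroupCategory = $group.GroupCategory.ToString()
        Mail          = $group.mail
        Members       = $members
        DisabledOn    = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8

    $action = 'Convert to Distribution, clear members, hide from Exchange and sync'
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, $action)) {
        # 1. Security -> Distribution: the group SID is no longer placed in logon tokens.
        Set-ADGroup -Identity $group -GroupCategory Distribution

        # 2. Empty the membership so nothing is granted through it if it is ever converted back.
        if ($members.Count -gt 0) {
            Remove-ADGroupMember -Identity $group -Members $members -Confirm:$false
        }

        # 3. Hide it from Exchange address lists and flag it so directory sync skips it.
        Set-ADGroup -Identity $group -Replace @{
            msExchHideFromAddressLists = $true
            adminDescription           = 'Group_Disabled'
        }
    }
    return $BackupPath   # path of the JSON needed to reverse the change
}

# Usage with a constructed group name; drop -WhatIf to apply the change:
# Disable-AdGroupSafely -Identity 'FinanceAdmins' -WhatIf
```

The JSON backup holds the original type, mail address and member list, which is what an undo or a later deletion review needs.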

Cayo Administrator: Suspend performs these tasks for you automatically plus it has a “right-click” UNDO, Reporting and Object Retention if you no longer need the group and want it to be deleted in a month or two down the road.
