
Automating Group Membership Administration

written by Dave Champine, Quest Software

White Paper

Copyright 2004 Quest Software, Inc. Quest Software, Inc. and Quest are registered trademarks of Quest Software. The information in this publication is furnished for informational use only, does not constitute a commitment from Quest Software, Inc. regarding any features or functions discussed, and is subject to change without notice. Quest Software, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication. Last revised March 2004.

QUEST SOFTWARE, INC.
8001 Irvine Center Drive
Irvine, CA 92618
Inside U.S.: 1.800.306.9329
Outside U.S.: 1.949.754.8000
Email: info@quest.com
URL: www.quest.com

CONTENTS
INTRODUCTION
UNDERSTANDING EXCHANGE ADMINISTRATION EFFORT
QUANTIFYING EXCHANGE ADMINISTRATION COSTS
IDENTIFYING THE CHALLENGES FOR IT
IDENTIFYING THE RISKS FOR THE BUSINESS
SOLUTION FOR IT ADMINISTRATORS
SOLUTION FOR BUSINESS ADMINISTRATORS
ACCESS CONTROL AND AUDITING
QUEST MANAGEMENT SUITE FOR EXCHANGE
ABOUT THE AUTHOR
ABOUT QUEST SOFTWARE


INTRODUCTION
Administering group membership presents significant challenges for IT managers and inherent risk to the business. Every employee in a company has group memberships for accessing resources or receiving e-mail distributions. Creating groups and assigning rights to those groups is widely acknowledged as a best practice for consistent, efficient administration and access. However, accurately maintaining membership in a dynamic environment can introduce so much additional effort that any productivity gains are erased. This paper discusses ways to manage this issue proactively, reducing administrative effort while increasing security and responsiveness to users.


UNDERSTANDING EXCHANGE ADMINISTRATION EFFORT


According to a recent Radicati survey, the top 3 administrative challenges for Exchange are (in time spent):

1) Outlook Client issues (35-40%)


A desktop management group in large organizations generally manages the Outlook client, so the impact on messaging administrators is not as significant. Often, incidents raised by end-users as Exchange or Outlook problems are actually caused by network or desktop configuration issues (not to mention user error). Training helpdesk staff and giving them tools to identify these issues can significantly reduce the number of incidents inappropriately routed to Exchange administrators.

2) Adding and deleting mailboxes (25-30%)


Adding and deleting mailboxes generally follows a well-defined workflow that spans numerous administrative functions. As a result, the lead times for new mailboxes are well known and the impact is limited to the mailboxes being provisioned. The lead times for deleting mailboxes are even longer, with even less impact on the end-user community.

3) Distribution Group Management (20-25%)


The time spent creating and maintaining distribution groups falls squarely on the Exchange administrator because of the access and skills required to manage them with native Exchange tools. The requests are often ad hoc and come through numerous channels (direct e-mail, helpdesk tickets and hallway conversations). The expectation is that every request be fulfilled immediately (it's just a few names, after all) without regard to the effort required or conflicting priorities. Even if the request process is defined, the information provided is often insufficient for even experienced administrators to fulfill the request quickly. Given limited development resources, IT departments are unable to automate the task themselves.


To better understand the factors driving the volume of change, consider the following. In a typical organization, each employee has group membership based on:

- Department, for managers to communicate with their staff
- Location, for branch or regional managers to relay relevant information
- Mail server, for administrators to notify employees of planned outages
- Title, pay class, benefits class, program enrollment, employment status, et cetera, for HR to communicate policy and deadlines
- Cost center and signing authority, for Finance to communicate budget and expenditure information
- Campus, building and floor, for Facilities to communicate physical maintenance and relocation information
- Project participation, for communicating status updates to team members
- Charities, volunteer organizations and special interest groups, for communicating company-sponsored events
- Aggregates and combinations of most of the above groups


It is not unusual for employees to belong to well over 20 distribution groups, without even considering groups created to support business-specific workflow and communication patterns. Considering the rate of employee turnover, changes in any of the above factors and corporate re-organization, it is clear that distribution groups play a critical role not only in the performance of messaging systems but in the effectiveness of corporate communication. This is an area of serious concern given the time required, the level of expertise mandated and the inability to distribute the task safely with native capabilities. The impact is not felt only as administrative overhead; there are real costs associated with this ongoing daily activity.


QUANTIFYING EXCHANGE ADMINISTRATION COSTS


Recent analyst surveys estimate the cost of administering Exchange 2003 at about $22 per employee per year. Because of incremental enhancements over previous versions, the administration cost for Exchange 2000 is slightly higher, while Exchange 5.5 costs are significantly higher due to its separate directory and less efficient management interfaces. Given the share of effort noted above (20-25%), we can assume that the hard cost of distribution group management is $5 to $7 per employee per year. In large companies the number may actually be higher, due to inherent inefficiencies in global distribution and sheer volume. A company of 10,000 employees on Exchange 5.5 could easily expect to pay $70,000 per year just for distribution list changes. Factoring in the cost of managing security groups could easily push the cost over $10 per employee per year, or more than $100,000 as an ongoing annual expense. As a point of reference, $100,000 could otherwise be allocated to an additional full-time administrator, nearly 100 terabytes of storage, or 3 production-class servers. Now, let's explore the soft costs associated with this management challenge.

IDENTIFYING THE CHALLENGES FOR IT


Responding to the never-ending stream of urgent group maintenance requests reduces the time available for maintaining production servers. The most common cause of performance issues and system outages is lack of proper maintenance. End-users (especially those of a certain rank in the organization) are much more persistent and vocal with their requests than a server in need of a minor upgrade. The consequences (perceived or real) of not responding to a direct request from senior management can affect the administrator's livelihood. The irony, of course, is that these same users (particularly those of a certain rank) are also the most vocal when demanding an explanation for loss of service or data due to inconsistent maintenance practices. Of course there is no direct cause and effect between one distribution group change and a server failure. It is a cumulative effect that can be disastrous if left unchecked.


Whether end-user requests come in through a help desk or directly to the Exchange administrators, the volume, knowledge and administrative access required to respond create significant load on IT operational staff. If companies dedicate administrative staff to this function in order to reduce the impact on maintenance, they introduce additional overhead and expense. The act of making changes to distribution groups is not particularly complex in its own right, but the risk of making a mistake or improperly using the elevated privileges is significant. The result is that highly skilled, highly paid administrators are allocated to menial labor, which they are likely to abandon in favor of more challenging opportunities. Even if it is possible to justify the economics and motivate the staff, the likelihood of error is quite high, since it is a largely repetitive task that requires manually transferring data from one application (or human) to another. Again, the larger the company, the more opportunity for mistakes.

The presence of redundant and unused lists creates unnecessary load on production servers. Distribution groups account for a large percentage of the total number of items in the Exchange GAL (Global Address List). In some companies there are literally more distribution groups than there are individual employees. Because of the burden of replicating this useless information, not enough bandwidth is available to deliver messages efficiently.

IT departments are no different from other groups in their need for accurate distribution group membership, particularly when they need to communicate quickly with large groups of employees about system outages or planned maintenance. Whether the task is maintenance of the messaging system or of any other heavily used application, IT relies on accurate distribution group membership to give employees specific and timely instructions. It's hard enough to get end-users to follow directions when you are communicating directly over the phone. If the instructions never reach them, it is impossible, and the consequences of inaction may jeopardize the maintenance activity.


IDENTIFYING THE RISKS FOR THE BUSINESS


While it may be frustrating and tedious for IT to maintain group membership, it is an essential service for the business. One of the greatest productivity gains around e-mail is its ability to quickly distribute information to many people around the globe. Business employees have come to count on e-mail as their primary communication method. More than 80% of companies choose e-mail over the phone for efficiency, and many rely on e-mail as their primary communication with partners and customers. This reliance on e-mail raises the necessity for accuracy and efficiency. Business users assume that groups are up to date and communicate major changes and urgent status updates on that basis. If a line-of-business employee or manager does not receive information about a change in policy, the result can be inconsistent operations at the very least or a significant liability for lack of compliance in the worst case.

Project teams are often widely distributed and rely on e-mail for status updates and knowledge transfer. Project team membership tends to be highly dynamic, as people form virtual teams from different departments and team membership changes over the course of a project. Project timelines (which are often very tight, with little margin for error) can be directly impacted by delays or errors in distribution group membership. Every hour that a project manager has to wait for a list to be updated counts directly against the completion of a potentially critical-path communication event.

Security is another aspect of group membership that can have major repercussions for the business. Let's consider distribution group membership first. If group membership is not diligently maintained, sensitive information can easily be sent to inappropriate recipients. For instance, adding the wrong John Smith to a finance or human resources distribution group could have serious implications. Worse yet, adding external addresses (contacts) to a distribution group could leak sensitive information outside the company, in direct violation of corporate-control regulations such as Sarbanes-Oxley. When we add security group maintenance, the stakes are raised significantly. Adding the wrong John Smith to a security group that grants access to finance or human resources applications (not to mention customer data) exposes the company to direct liability and serious financial and regulatory risk.


With so much cost, effort and risk to manage, companies must explore alternatives to manual administration of group membership. Automation comes in different forms to meet the needs of both the IT administrator and the business user. Next, we'll discuss the different solutions necessary to address this problem, which has reached epidemic proportions in Exchange networks.

SOLUTION FOR IT ADMINISTRATORS


The overall need is for a solution that systematically applies changes to membership in distribution and security groups. The majority of changes are based on well-defined criteria that are updated in various systems (usually HR, finance or directories) by numerous departments and administrative staff using a variety of applications and processes. The point is that the information is already being updated somewhere in order to effect the necessary change. The challenge is in automating the flow of these changes back into the e-mail system and creating or modifying the groups that map to the affected criteria.

In a perfect world, all data would be updated in a central location and there would be a single (or at least unified) definition of an employee and all the attributes that describe them. Companies have spent (and continue to spend) millions of dollars on metadirectories, provisioning, single sign-on and identity management systems (and the consultants that accompany them) to solve this problem. It is absolutely a worthy endeavor, and companies that have succeeded have reaped tremendous benefits. However, it is difficult to justify that level of investment or impact in order to solve a single, fairly well-defined problem.

A more immediate approach is to implement a solution that can either reach out to the databases where changes are made or synchronize the necessary attributes back into Exchange (either 5.5 or Active Directory). The integrity of the information is critical to the accuracy of the groups. Policies and processes (preferably systematic) to maintain consistent spelling and formatting are key and will greatly improve accuracy. The ability to automate distribution group maintenance is therefore dependent on a company's ability to manage directory or database attributes.


Once the location of the attributes is known, it is necessary to define a schedule for the updates. Each distribution group must have a definition of the attributes that define it, their location, any explicit exceptions, the frequency of updates and the scope of the group (which we'll discuss later). The Exchange administrator needs this level of flexibility to automate the process securely and accurately.

In addition to flexible definitions of how to construct a single list, the system must also comply with any system or corporate policies on large distributions of mail. While end-users want a single, comprehensive list, it may be necessary to create multiple, smaller groups for more efficient expansion and delivery of messages. The system must respect the needs of both: present a single group entry in the directory and intelligently break apart the distribution for optimal performance. Access to groups that contain large numbers of users must also be restricted in order to avoid corporate spam.

Additional complexity arises when aggregating or combining groups. For instance, a Division distribution group should simply be an aggregate of the Department distribution groups that make up its component parts. The system must allow for the definition of these relationships and any exceptions as well.

To further simplify administration, an automated system should allow for the creation of new distribution groups based on a new value encountered in an attribute. For instance, in order to manage geography-based distributions, the system should create and maintain groups for every value listed in the City attribute. If a new value is entered in one or more employees' attributes (as a result of a move or a new office), a new distribution group is automatically created for those employees. In this way, moves, adds and changes are dictated by the Facilities group, and updates to Exchange occur automatically that evening (or on a scheduled basis) so that employees are up and running the moment they occupy the new location. Of course, this new group should also be automatically included in the aggregated group for its State or Region.

The real value is not just reduced administrative effort; employee satisfaction is key. The business is able to continue communicating efficiently during times of change (which is when communication is most critical). To further enhance the business's satisfaction, there should also be a system for delegating the administration of distribution groups that cannot be automated through defined policies and attribute values. There will still be a need for ad hoc groups and for groups that employees choose to subscribe to individually.
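The attribute-driven group definitions described above, as an added example that is not part of the original paper and not code from any Quest product: a Python sketch that computes the target membership of policy-defined groups from a directory export, applies explicit include/exclude exceptions, creates one group per distinct City value, nests those into State aggregates, and diffs the result against current membership to produce the change set a scheduled run would apply. The directory records, the group names, the attribute names (department, city, state, employeeStatus) and the current membership snapshot are all constructed for illustration; a real run would read them from Active Directory or the HR feed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Record = Dict[str, str]
Membership = Dict[str, Set[str]]

# Constructed directory export (illustrative, not real accounts). HR owns
# department/employeeStatus and Facilities owns city/state, as the paper assumes.
DIRECTORY: List[Record] = [
    {"sam": "asmith",  "department": "Finance",     "city": "Irvine", "state": "CA", "employeeStatus": "Active"},
    {"sam": "bjones",  "department": "Finance",     "city": "Irvine", "state": "CA", "employeeStatus": "Terminated"},
    {"sam": "cwu",     "department": "Engineering", "city": "Irvine", "state": "CA", "employeeStatus": "Active"},
    {"sam": "dlee",    "department": "Engineering", "city": "Austin", "state": "TX", "employeeStatus": "Active"},
    {"sam": "jsmith",  "department": "HR",          "city": "Austin", "state": "TX", "employeeStatus": "Active"},
    {"sam": "jsmith2", "department": "Engineering", "city": "Irvine", "state": "CA", "employeeStatus": "Active"},
]

def is_active(rec: Record) -> bool:
    # Terminated accounts never qualify, whatever their other attributes say.
    return rec.get("employeeStatus") == "Active"

@dataclass
class GroupRule:
    """A policy-defined group: a predicate over attributes plus explicit exceptions."""
    name: str
    match: Callable[[Record], bool]
    include: Set[str] = field(default_factory=set)  # members regardless of attributes
    exclude: Set[str] = field(default_factory=set)  # never members, whatever the attributes

def evaluate_rule(rule: GroupRule, directory: List[Record]) -> Set[str]:
    matched = {r["sam"] for r in directory if is_active(r) and rule.match(r)}
    return (matched | rule.include) - rule.exclude

def per_value_groups(directory: List[Record], attr: str, prefix: str) -> Membership:
    """One group per distinct value of `attr`; a new value (a new office) yields a new group."""
    groups: Membership = {}
    for r in directory:
        value = r.get(attr)
        if is_active(r) and value:  # a blank attribute must not create a group
            groups.setdefault(f"{prefix}-{value}", set()).add(r["sam"])
    return groups

def aggregate_groups(directory, child_attr, child_prefix, parent_attr, parent_prefix) -> Membership:
    """Parent groups (State) as the union of child groups (City); the child-to-parent
    mapping is derived from the records themselves."""
    parent_of: Dict[str, str] = {}
    for r in directory:
        child, parent = r.get(child_attr), r.get(parent_attr)
        if child and parent and parent_of.setdefault(child, parent) != parent:
            # One city recorded under two states would misroute mail: refuse until the data is fixed.
            raise ValueError(f"{child_attr}={child!r} maps to both {parent_of[child]!r} and {parent!r}")
    children = per_value_groups(directory, child_attr, child_prefix)
    parents: Membership = {}
    for child, parent in parent_of.items():
        members = children.get(f"{child_prefix}-{child}", set())
        parents.setdefault(f"{parent_prefix}-{parent}", set()).update(members)
    return parents

RULES = [
    # Explicit exception: an engineer embedded with Finance is included by hand.
    GroupRule("DL-Finance", lambda r: r["department"] == "Finance", include={"cwu"}),
    # Explicit exception: an account that must never receive Engineering mail.
    GroupRule("DL-Engineering", lambda r: r["department"] == "Engineering", exclude={"jsmith2"}),
]

def desired_membership(directory: List[Record], rules: List[GroupRule]) -> Membership:
    desired = {rule.name: evaluate_rule(rule, directory) for rule in rules}
    desired.update(per_value_groups(directory, "city", "DL-City"))
    desired.update(aggregate_groups(directory, "city", "DL-City", "state", "DL-State"))
    return desired

def plan_changes(current: Membership, desired: Membership):
    """Per group: (members to add, members to remove). A group missing from
    `current` is created; groups no policy produces are left alone."""
    plan = {}
    for name, want in desired.items():
        have = current.get(name, set())
        if want != have or name not in current:
            plan[name] = (want - have, have - want)
    return plan

def unmanaged_groups(current: Membership, desired: Membership) -> Set[str]:
    """Groups that exist but no policy produces: report for review, never auto-delete,
    since they may be delegated ad hoc or subscription groups."""
    return set(current) - set(desired)

# Constructed snapshot of what the directory holds before the scheduled run.
CURRENT: Membership = {
    "DL-Finance":     {"asmith", "bjones"},
    "DL-Engineering": {"cwu", "jsmith2"},
    "DL-City-Irvine": {"asmith", "bjones", "cwu", "jsmith2"},
    "DL-State-CA":    {"asmith", "bjones", "cwu", "jsmith2"},
    "DL-Softball":    {"asmith"},
}

if __name__ == "__main__":
    desired = desired_membership(DIRECTORY, RULES)
    for group, (adds, removes) in sorted(plan_changes(CURRENT, desired).items()):
        print(f"{group}: +{sorted(adds)} -{sorted(removes)}")
    print("unmanaged:", sorted(unmanaged_groups(CURRENT, desired)))
```

Run as is, the plan removes the terminated bjones from every group, adds the hand-included cwu to DL-Finance, and creates DL-City-Austin and DL-State-TX for the new office without anyone filing a request. Two choices are deliberate: a terminated account is dropped even where an explicit include names it, since the exception list is not meant to override HR status, and DL-Softball is only reported, because deleting a group the policy does not know about is how delegated ad hoc lists get destroyed.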

SOLUTION FOR BUSINESS ADMINISTRATORS


The main concern for IT in delegating administration of Exchange is maintaining control and security. Any system for delegated administration must provide a great degree of definition and control over how and where groups will be created, as well as who has rights to create and/or modify them. Remote IT staff or departmental administrators are likely candidates for delegation, but in some cases project managers or end-users need to be able to create and/or modify groups. The main concern for the business (which will inherit this process) is ease of use. The ability to define an approval workflow is also necessary, to ensure that well-meaning, empowered employees don't create redundant groups.

The most effective way to deploy an easy-to-use application to a large audience is obviously as a web site. Employees have grown accustomed to managing numerous business and personnel-related activities through applications on the corporate intranet. Updating group membership or subscribing to groups can be added alongside other administrative processes such as time and attendance or expenses. The benefits to help desk and Exchange administrators are obvious. Here are a few examples of business administrators who would benefit from delegated group membership administration.

- Project Managers have an arbitrary collection of employees who don't necessarily have any common attributes. These teams form quickly and require immediate and ongoing communication. Often, individual members of the team don't even know all the people in the group, but they must communicate status to all of them for the team to function. In this case, the Project Manager could be delegated administrative rights to update group membership instantly as changes occur. This way, there would be no disruption to business productivity and no impact on the helpdesk staff.

- Departmental Administrators must compile organizational charts, communicate organizational change and send out urgent updates. They work most closely with team members and know when changes in status (title, location, reporting) occur. Updating this information instantly helps them maintain efficient communications internally, and assures that other departments that need to communicate with their team can do so effectively. Additionally, they can rely on groups and members as an accurate reflection of their organization in the directory.

- Individual Employees have numerous opportunities to volunteer and participate in various communities within or sponsored by their company. By consulting a central location for all available groups and members, they can choose to participate and/or communicate with others and enrich their work/life experience. This can also reduce the overall volume of general announcements that flood employees' mailboxes and interrupt daily activities. Empowering employees to locate and subscribe (or unsubscribe) themselves to groups eliminates frivolous help desk requests for changes to sports teams or special interest groups.

ACCESS CONTROL AND AUDITING


Implementing these best practices and systems for automating the maintenance of group membership not only reduces administrative effort and enhances employee satisfaction, it also provides consistency and security. Redundant, out-of-date, inconsistent group definitions make it difficult to ensure that employees have the right level of access to resources (file shares, applications, mailboxes, etc.). Using the same methods and systems to manage security groups will greatly improve security. For publicly traded companies, this level of control and the ability to demonstrate its systematic enforcement is now mandated by section 404 of the Sarbanes-Oxley regulations. These regulations must be enforced before the end of 2004 and impose strong fines and legal consequences for lack of compliance.

A system for reporting group membership and analyzing usage of groups and levels of activity is a key component of overall management. Knowing which groups are used most widely and who uses them most can provide useful information for the entire business. From an IT perspective, it is important to know which distribution groups are used most in order to locate mailboxes effectively and deliver messages efficiently. From a business perspective, it is interesting to analyze communication patterns to determine organizational efficiency. The number of groups an employee belongs to can also indicate their degree of influence, or conversely their level of information saturation.

This same reporting system can provide the reports necessary to ensure compliance. Obtaining group membership can be time consuming with native management tools, which have only limited capabilities. A complete distribution group management solution would include not only the maintenance capabilities described above but should also report on changes and alert the key individuals responsible for auditing and compliance.
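The change reporting and alerting described above, as an added example that is not part of the original paper and not code from any Quest product: a Python sketch that diffs two membership snapshots, raises an alert when an external contact is added to a group or when a sensitive group changes, cross-checks policy-managed groups against what the attribute policy says they should contain, and produces the per-employee group count (the saturation figure mentioned above). The snapshots, the corporate domain example.com, the group names and the list of sensitive groups are constructed for illustration; a deployment would take them from the directory and from configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]  # group name -> member mail addresses

# Assumptions for this example: one corporate mail domain, and the groups whose
# membership auditors care about. A real deployment would read both from config.
CORPORATE_DOMAINS = {"example.com"}
SENSITIVE_GROUPS = {"DL-Finance", "DL-HR", "SG-Finance-App"}

@dataclass(frozen=True)
class Alert:
    severity: str  # "high" needs an approver's attention; "info" is for the audit trail
    group: str
    member: str
    reason: str

def is_external(addr: str) -> bool:
    # A contact outside the corporate domains: mail sent to the group leaves the company.
    return addr.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS

def membership_changes(before: Snapshot, after: Snapshot) -> List[Tuple[str, str, str]]:
    """(action, group, member) for every add and remove between two snapshots."""
    events = []
    for group in sorted(set(before) | set(after)):
        old, new = before.get(group, set()), after.get(group, set())
        events += [("add", group, m) for m in sorted(new - old)]
        events += [("remove", group, m) for m in sorted(old - new)]
    return events

def audit(before: Snapshot, after: Snapshot) -> List[Alert]:
    alerts = []
    for action, group, member in membership_changes(before, after):
        if action == "add" and is_external(member):
            alerts.append(Alert("high", group, member, "external contact added"))
        if group in SENSITIVE_GROUPS:
            alerts.append(Alert("high" if action == "add" else "info", group, member,
                                f"{action} on sensitive group"))
        elif group.startswith("SG-"):
            alerts.append(Alert("info", group, member, f"{action} on security group"))
    return alerts

def policy_drift(actual: Snapshot, expected: Snapshot) -> Dict[str, Set[str]]:
    """Members of policy-managed groups that the policy did not produce
    (the 'wrong John Smith' added by hand), per group."""
    return {g: actual.get(g, set()) - want for g, want in expected.items()
            if actual.get(g, set()) - want}

def groups_per_member(snapshot: Snapshot) -> Dict[str, int]:
    """Saturation report: how many groups each address belongs to."""
    counts: Dict[str, int] = {}
    for members in snapshot.values():
        for m in members:
            counts[m] = counts.get(m, 0) + 1
    return counts

# Constructed snapshots (not real data) taken before and after a day's changes.
BEFORE: Snapshot = {
    "DL-Finance":     {"asmith@example.com"},
    "DL-Engineering": {"cwu@example.com", "dlee@example.com"},
    "SG-Finance-App": {"asmith@example.com"},
}
AFTER: Snapshot = {
    "DL-Finance":     {"asmith@example.com", "jsmith@example.com"},
    "DL-Engineering": {"cwu@example.com", "dlee@example.com", "consultant@partner.example"},
    "SG-Finance-App": {"asmith@example.com", "jsmith@example.com"},
    "DL-Softball":    {"asmith@example.com", "cwu@example.com"},
}
# What the attribute policy says the managed groups should contain (constructed).
EXPECTED: Snapshot = {
    "DL-Finance":     {"asmith@example.com"},
    "SG-Finance-App": {"asmith@example.com"},
}

if __name__ == "__main__":
    for a in audit(BEFORE, AFTER):
        print(f"[{a.severity}] {a.group}: {a.member} ({a.reason})")
    print("drift:", policy_drift(AFTER, EXPECTED))
    print("groups per member:", groups_per_member(AFTER))
```

The high alerts are the ones an approver or auditor should see the same day: the partner contact added to DL-Engineering (the leak scenario from the risks section) and the two additions of jsmith to finance groups. The softball list changes produce nothing, which is the point of tiering by group rather than alerting on every change. The policy cross-check is what catches the wrong John Smith: a hand-made addition to DL-Finance or SG-Finance-App that the Finance attribute rule never produced.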

QUEST MANAGEMENT SUITE FOR EXCHANGE


Quest Software is the leading provider of tools to simplify, automate, and secure Microsoft infrastructure. The Quest Management Suite for Exchange provides all the capabilities for all the scenarios described in this paper. Many companies have chosen Quest Software to overcome the challenges discussed here. Companies worldwide, including the largest Exchange environments in both the public and private sector, manage literally millions of mailboxes more efficiently and with significantly more insight with these tools. Quest works closely with customers to provide the most useful technology and a majority of product enhancements come directly from customer feedback. Quest ActiveGroups (Quest ActiveDL for Exchange 5.5) and Quest SelectDL provide the core capability of distribution and security group management. Quest Directory Integrity Agent ensures that attributes are synchronized and up to date, and Quest MessageStats provides usage analysis reports to ensure that groups are used efficiently and appropriately.


ABOUT THE AUTHOR


Dave Champine is the Group Product Manager for the Microsoft Exchange Solutions division of Quest Software. He has more than 10 years' experience as an IT director. Prior to Quest Software, Champine managed messaging and directory services at Citibank and Charles Schwab. He has participated in Microsoft's Joint Development Programs for Windows 2000 and Exchange 2000 and was an advisory board member for DEN (Directory Enabled Networks), co-sponsored by Cisco and Microsoft. Dave has been a featured speaker at Microsoft deployment conferences, Networld/InterOp and messaging trade shows, and has published and edited articles for Windows & .NET Magazine. Dave has a Bachelor of Arts degree from Michigan State University.


ABOUT QUEST SOFTWARE


Quest Software, Inc. (NASDAQ: QSFT) is the leader in application management. Quest provides Application Confidence(SM) software to 18,000 customers worldwide, including 75 percent of the Fortune 500. Quest Software's products manage application performance, Microsoft infrastructures and database performance and availability to help customers develop, deploy and maintain enterprise applications without expensive downtime or business interruption. With this focus, Quest Software enables IT professionals to achieve more with fewer resources. Headquartered in Irvine, Calif., Quest Software has offices around the globe. For more information on Quest Software, visit www.quest.com.

Contacting Quest Software:

Web: www.quest.com
E-mail: info@quest.com
Inside U.S.: 1.800.306.9329
Outside U.S.: 1.949.754.8000

Please refer to our Web site for regional and international office information. For more information on the Quest Management Suite for Exchange or other Quest Software solutions, visit www.quest.com.

Quest Software, Inc.
8001 Irvine Center Drive
Irvine, CA 92618
