+1-202-802-9399 U.S. Headquarters

Thycotic’s CyberSecurity Publication


Group Management Server Scales for Enterprise

September 5th, 2012

Wait, what is Group Management Server?

Group Management Server is Thycotic Software’s brand new self service Active Directory group management tool.  IT Admins can designate Group Owners to control Active Directory Security Group and Distribution Group membership.  Reporting and full audit trails are maintained throughout the system on group management activities including adding, deleting, editing user group membership. These audit trails can be used during security audits to demonstrate compliance.

Group Management Server can be installed quickly and does not require Active Directory Schema Extension.  Even very large Active Directory environments can be quickly synchronized and managed from an easy-to-use and secure web interface.  Implementing robust Role Based Access Control and an approvals workflow, Group Management Server can automate IT Admin functions to tighten security, minimize risk, and reduce labor costs associated with managing group membership.

Let’s get back to how Group Management Server scales for the enterprise…

One of the highlights in Group Management Server is the performance during Active Directory synchronization.  Active Directory synchronization is a process in which Active Directory data (groups and users) are populated in Group Management Server.  The synchronization process makes Active Directory group management tasks lightning fast, as opposed to waiting on the Active Directory Users and Computers application to slowly search for the correct group.  In our testing, synchronization with 6 domains (one domain contained nearly 150,000 groups and 100,000 users) was completed in well under 5 minutes.  See figures 1-3 below for before and after screenshots of Active Directory synchronization with Group Management Server.

In Figure 1, this Group Management Server instance manages groups in six domains.  These domains range in size from small (250 objects) to large (100,000+ objects).  Note that domain synchronization has been started at 11:34:08 AM (highlighted in red).

Figure 1

In Figure 2, synchronization has completed for all six domains at 11:38:55 AM.  The elapsed time for the synchronization was
4 minutes and 47 seconds!

Figure 2

In Figure 3, domain statistics are displayed for synchronization.  In less than 5 minutes, Group Management Server synchronized more than 160,000 Active Directory groups and nearly 100,000 user objects spread over six separate domains.

Figure 3

Setting up Active Directory synchronization with Group Management Server

To synchronize with Active Directory, log in as an Administrator for Group Management Server.  Then click Administration -> Active Directory.  Click on the New Domain button and fill out the fields with your specific domain information and click Save.  Group Management Server will begin to synchronize with the newly added domain.  As with test example above, synchronization will take a few minutes depending on the number of groups and other objects in your domain.

Group Management Server information and resources

Try it here:  thycotic.com/products_groupmanagementserver_try.html

Support:  thycotic.com/products_groupmanagementserver_support.html

Forums:  thycotic.com/products_groupmanagementserver_forums.html

The following two tabs change content below.

2 thoughts on “Group Management Server Scales for Enterprise”

  1. I would be interested in knowing if this Group Management Server can help in roles based access control. Some of our clients have been struggling with how to audit access provisions for groups, so this could help. This is a major painpoint and one of the forums I am one has a very pertinent discussion on it How to audit access granted to a security group in Active Directory?.

    If this solution can help, I would be happy to share with our clients. Thank you for letitng me know. We help many clients with identity and access management challenges, and this is major one for many.

    Comment by Ryan Kauffman on September 13, 2012 at 11:26 pm

  2. @Ryan – Group Management Server currently offers self service AD group management (end user makes request then manager can approve/deny) and also allows you to delegate management of distribution groups and security groups to the business managers.

    We do provide auditing of group changes within the tool that can then be used to satisfy auditor requests. Tracking the actual permissions on the groups and AD objects will be coming soon along with where (and why) the groups are used to grant access to specific resources.

    Comment by Thycotic Team on September 21, 2012 at 1:25 pm

Leave a Reply