The Lockdown

Thycotic’s Cyber Security Blog

Seven Signs It’s Time to Move On from GPO-Only Privilege Management


Written by Steve Goldberg

September 11th, 2018

Many organizations gravitate towards Group Policy Objects (GPO) for privilege management because it offers enough functionality to get started managing privileges. Yet, as your needs evolve, you may find that you require a privilege management system better suited to a maturing, sophisticated organization.

What are some of the warning signs that you need more than GPO alone can provide? What questions should you ask when looking to enhance existing Group Policies with a more mature privilege management tool set?

Getting Started with GPO

Microsoft’s Group Policy Objects (GPO) are a convenient starting point for an organization looking to get a handle on user access rights and manage privileges with centralized policies. After all, if you are already using Windows to manage corporate infrastructure, GPO can seem like the easy choice:

  • It’s free
  • It supports basic password hygiene policies such as defining local access control and setting password rules (length, complexity, frequency of changes)
  • It includes out-of-the-box templates to simplify getting started
  • You can require users to change their passwords on expiration or risk being locked out of key systems

Evolving with GPO 

As your organization becomes more complex, your privilege management needs become more diverse. How do you know you’re outgrowing a privilege management program based exclusively on GPO and should consider tools to enhance your strategy?

1. You’re having trouble keeping up with the number of users and groups in your organization.
It makes sense that as an organization grows, so does the number of users and groups that need to be managed. The steady stream of new users and groups, coupled with maintaining the privileges of existing ones, can tax even the most organized IT department.

2. You need to support non-Windows machines and third-party users who are not within your Active Directory.
These people and machines may need access to sensitive systems and data to get their work done, but managing them, granting appropriate access, and revoking access when no longer needed requires constant vigilance if you aren’t using the right tool set.

3. You need to meet compliance requirements and generate reports to prove it.
Many industries must comply with particular requirements, rules, and regulations. As part of compliance, you may need to enforce strict logging, audit, and data retention policies, which will, in turn, allow you to report on your level of compliance. If you are relying on GPO to meet compliance requirements, you will likely need to make significant modifications or add on third-party applications to address any gaps, resulting in a hodge-podge of systems to maintain.

4. Generating compliance reports is a recurring nightmare.
What good is having extensive logs and data, if generating reports is difficult? Does it take hours or days to generate frequently needed reports? Is it a large part of someone’s job just to generate these reports?

5. You are spending valuable time manually managing local privileged accounts.
The need to create, store and rotate local privileged accounts becomes a nearly unmanageable administrative burden in a burgeoning organization, and if left unchecked could become a gaping security hole.

6. You don’t know who has access to which resources.
When your GPO was first configured, or a user was initially added, it was straightforward to know whether an individual had the right access to the proper resources, correct? Yet, as time passed, if your team hasn’t been rigorous about maintaining access, “entitlement creep” may have set in, and rather than executing a least privilege strategy, you’re now just trying to plug the holes. Your native tools may not include the ability to discover which users have higher privileges than they should. Tools like Thycotic’s Least Privilege discovery tool can help you establish a baseline from which you can take appropriate corrective measures, or at the very least understand the scope of the problem.

7. You keep bolting on additional tools to supplement gaps in GPO’s functionality.
As your organization advances on your security journey you’ll have many choices to make that determine your path. You can spend time and resources configuring thousands of settings in GPO. But, you’ll have to manage multiple settings in multiple places and comb through logs to make sense of the data. And, you still won’t be able to get the visibility and control you’d have with an integrated, enterprise privilege management tool.

If you are experiencing all or some of these hardships, it’s time to consider enhancing Group Policies that are already in place and evolving your privilege management strategy.

Questions to Ask When You’re Considering Enhancing GPO

As you explore your options, make sure you keep in mind the crucial requirements for success: scalability, productivity, and control. Ask the tough questions of any privilege management vendor to make sure their solution is the right fit for your organization and will support your needs as you grow and change.

  • How does it manage local passwords?
  • How does application control support enforcement of a least privilege model?
  • How do you manage privileges for non-Windows and non-domain endpoints?
  • How simple and customizable are your reports?
  • Does it rely exclusively on GPO controls?
  • How does it manage local accounts and protect non-domain endpoints?

The right privilege management solution defends your time and energy and prioritizes productivity, while at the same time helping you reduce risk. People in your organization won’t miss a beat. And, the rest of your IT and support team will thank you.

Download the full whitepaper, Move Beyond GPO for Next-Level Privilege Management, to learn more about how growing organizations can benefit from scalable, flexible privilege management.
