In principle, this is nothing new: an non-transparent permission structure in Active Directory comes with significant disadvantages.

• It increases security risks
• makes it more difficult—or even impossible—to comply with regulatory requirements
• and results in an insufficient data basis for IAM and IGA projects

From a professional standpoint, there are therefore many good reasons to finally clean up historically grown Active Directory structures in a consistent manner.

Why, then, do we keep encountering customers who continue to postpone this topic?

In discussions with IT and IAM stakeholders, the same arguments almost always come up:

• There is a lack of suitable tools to analyze permissions in a clear and understandable way.
• Excel-based evaluations are extremely time-consuming and prone to errors.
• The available resources are barely sufficient for day-to-day operations—let alone for an in-depth analysis.

These concerns are understandable and explain why many cleanup initiatives are repeatedly put on the back burner.

A practical recommendation

Our Managing Director and expert in Identity, Access & Role Management, Peter Dauner, recommends:

This is exactly where a pragmatic approach is required. A tool that has proven itself in practice is the Active Directory Analyzer. It helps make the actual distribution of permissions in Active Directory transparent and significantly reduces the required resource effort.

Detailed information about the Active Directory Analyzer can be found here: