User provisioning & overprovisioning
In Active Directory, user provisioning refers to the creation of user accounts and the assigning of resources to those accounts.
This sounds simple enough, but it implies a lot of time-consuming manual labor and the errors that come with it. It's the networking equivalent of paying an opera soprano to peel oranges. Admins were not born to do this.
The solution? PowerShell scripts or, better still, automation tools do all the hard work at the click of a mouse. Even so, where you have provisioning you inevitably have the possibility of overprovisioning. This could mean that more users have been created than are necessary, or that users have been assigned finite resources such as disk space in a wasteful way.
This may result in a formal condition known as Active Directory dystopia: where admins think users have been overprovisioned while the users believe the opposite. Everybody is miserable.
Hand-in-hand with provisioning, and arguably more important, is user deprovisioning. It sounds a bit negative – removing a user or resource from Active Directory and revoking its permissions – but good directory management depends on it being done well every time.
Users are born, they live for a while and eventually they expire, figuratively speaking. The same applies to computers. As with provisioning, deprovisioning can be done manually, and sometimes is in smaller organizations where someone leaves under a dark shadow and the deprovisioning needs to happen quickly. In large organizations, this is handled by automated tools as directed by HR.
Lesson to take away: getting deprovisioning wrong – leaving an account enabled or its permissions in place after the user has gone – is one way to create a lot of unnecessary security risk.
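As an added example, not part of the glossary, the following PowerShell audit reports the two deprovisioning gaps that most often outlive a leaver: enabled accounts nobody has used, and disabled accounts still sitting in privileged groups. It assumes the RSAT ActiveDirectory module, read access to the domain, and a 90-day threshold and group list that you adjust to your own policy.

```powershell
# Added example, not part of the glossary: a read-only audit for the deprovisioning
# gaps that most often outlive a leaver. It changes nothing in the directory.
# Assumptions: RSAT ActiveDirectory module, read access to the domain, and a
# 90-day threshold and group list that you adjust to your own policy.
Import-Module ActiveDirectory

$InactiveDays     = 90
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$Cutoff           = (Get-Date).AddDays(-$InactiveDays)

# 1. Enabled users with no logon inside the threshold. LastLogonDate comes from
#    lastLogonTimestamp, which replicates with up to ~14 days of lag, so read it as
#    "not seen for at least N days", not as an exact last-seen time.
$staleEnabled = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, WhenCreated |
    Where-Object {
        if ($_.LastLogonDate) { $_.LastLogonDate -lt $Cutoff }   # went quiet
        else                  { $_.WhenCreated   -lt $Cutoff }   # provisioned, never used
    } |
    Select-Object SamAccountName,
                  @{ n = 'Finding'; e = { 'Enabled but inactive' } },
                  @{ n = 'Detail';  e = { if ($_.LastLogonDate) { "last logon $($_.LastLogonDate)" }
                                          else { "never logged on, created $($_.WhenCreated)" } } }

# 2. Disabled users still in privileged groups: a half-finished deprovisioning that
#    becomes live again the moment anyone re-enables the account.
$disabledPrivileged = foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties Enabled |
        Where-Object { -not $_.Enabled } |
        Select-Object SamAccountName,
                      @{ n = 'Finding'; e = { 'Disabled but still privileged' } },
                      @{ n = 'Detail';  e = { "member of '$group'" } }
}

# One table for review; pipe $findings to Export-Csv to feed a ticket queue instead.
$findings = @($staleEnabled) + @($disabledPrivileged)
$findings | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
"{0} finding(s): {1} inactive, {2} disabled but privileged" -f $findings.Count,
    @($staleEnabled).Count, @($disabledPrivileged).Count
```

Run it on a schedule and compare successive reports: an account that keeps appearing is a deprovisioning step that never happened, not just a user on holiday.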