Description

It is considered a bad practice to have a group with only one member. Creating a group for a single user introduces unnecessary complexity and redundancy. Groups are designed to simplify access management by consolidating multiple users with similar permissions. When a group has only one member, it fails to serve this purpose effectively, resulting in inefficiency from an administration and maintenance perspective. Combining similar users into the same group would allow for more streamlined actions and management.

There might be specific scenarios where having a group with only one user is not only acceptable but also necessary. This is particularly applicable when these groups play a role in a broader role-based access control (RBAC) strategy.

This indicator ignores AD built-in groups (RID < 1000, or name = "DnsAdmins" / "DnsUpdateProxy") because it is a best practice for most of them to have only a single break-glass member or remain empty. You can also ignore other technical groups pre-created by applications in your IT environment.
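As an added illustration of the detection rule (not the indicator's own implementation), the following Python applies the exclusion logic above to constructed group records shaped like the LDAP attributes name, objectSid and member; it additionally counts accounts whose primaryGroupID points at the group, which the member attribute omits. The domain SID, group names and user records are constructed sample data.

```python
# Added example (not the indicator's own code): reproduces the exclusion rule
# described above over constructed group/user records shaped like LDAP attributes.
from collections import Counter
from typing import Iterable

RID_THRESHOLD = 1000                       # RID < 1000 => built-in group, ignored
NAME_EXCEPTIONS = {"dnsadmins", "dnsupdateproxy"}

def rid_of(sid: str) -> int:
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def is_builtin(group: dict) -> bool:
    """The indicator skips built-in groups by RID or by the two DNS group names."""
    return (rid_of(group["objectSid"]) < RID_THRESHOLD
            or group["name"].lower() in NAME_EXCEPTIONS)

def member_count(group: dict, primary_members: Counter) -> int:
    """'member' omits accounts whose primaryGroupID points at this group
    (as with Domain Users), so add those back from the user records."""
    return len(group["member"]) + primary_members[rid_of(group["objectSid"])]

def single_member_groups(groups: Iterable[dict], users: Iterable[dict] = ()) -> list[str]:
    """Names of non-built-in groups with exactly one effective member."""
    primary = Counter(u["primaryGroupID"] for u in users)
    return sorted(g["name"] for g in groups
                  if not is_builtin(g) and member_count(g, primary) == 1)

# Constructed sample data (hypothetical domain SID, group and account names).
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = [
    {"name": "Domain Admins",        "objectSid": f"{DOM}-512",  "member": ["CN=breakglass"]},
    {"name": "DnsAdmins",            "objectSid": f"{DOM}-1101", "member": ["CN=dnsop"]},
    {"name": "App-Backup-Operators", "objectSid": f"{DOM}-1105", "member": ["CN=svc-backup"]},
    {"name": "Finance-Analysts",     "objectSid": f"{DOM}-1106", "member": ["CN=alice", "CN=bob"]},
    {"name": "Stale-Project",        "objectSid": f"{DOM}-1107", "member": []},
    {"name": "Legacy-Service",       "objectSid": f"{DOM}-1108", "member": []},
]
SAMPLE_USERS = [
    {"name": "alice",      "primaryGroupID": 513},   # Domain Users
    {"name": "svc-legacy", "primaryGroupID": 1108},  # sole member of Legacy-Service
]

if __name__ == "__main__":
    for name in single_member_groups(SAMPLE_GROUPS, SAMPLE_USERS):
        print(f"SINGLE-MEMBER-GROUP-AD: {name}")
```

Domain Admins is skipped by RID and DnsAdmins by name even though each has one member; Stale-Project is empty rather than single-member and is not reported.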

Solution

To enhance simplicity, reduce redundancy, and improve maintainability, groups should be either:

  • Used as a genuine group rather than a stand-in for an individual user; in other words, it must contain at least 2 users.
  • Deleted.

An alternative to using a group with only one user is to assign permissions directly to the user, avoiding unnecessary layers, such as a group acting as a single user.

Indicator Details

Name: Single Member AD Group

Codename: SINGLE-MEMBER-GROUP-AD

Severity: Low

Type: Active Directory Indicator of Exposure