~500 users
~700 mailboxes
~400 groups
Not many computers

Early-stage planning currently, just weighing up my options.

There's no real structure to it at the moment, and groups have been repurposed many times over, so any documentation we have can't be assumed good. I can find where service accounts are used for actually running services, but I haven't yet worked out a way to find which "service" accounts are in use that get configured within applications (things like LDAP lookup accounts and SQL accounts).

I'm also struggling with a plan to work out how to audit group membership, and a plan to migrate to a sane (or at least well-documented and process-driven) RBAC system for users and access. I know what my groups are, but I don't have a complete picture of where/how they are being used in many places. (Again, Windows stuff I can report on, but *within* applications, I'm at a loss.)

I'd like to be able to do it without resorting to scream-testing things, but I'm slowly coming to the conclusion that this won't be possible.