SharePoint Permissions Active Directory vs SharePoint Groups

What should we use to manage SharePoint Permissions: Secure Active Directory (AD) Groups or SharePoint Groups?

As with everything in SharePoint, the answer is, “It depends.” Most people end up using both AD Groups and SharePoint Groups to manage permissions.

Before we discuss the pros and cons of both AD groups and SharePoint groups, there are a couple things we need to keep in mind.

Keep in Mind

  • A distribution list is NOT an AD Group
  • An AD Group MAY have a distribution list
  • Only Secure AD Groups can be used

Active Directory Groups

Pros

  • Managed by IT: The IT Department creates and manages the groups. The Site Collection Administrator and/or Site Owner do not need to add and remove users from AD Groups.
  • May contain multiple groups (nested): If a department is made up of several teams, the department AD Group usually contains the team AD Groups. This makes managing users easier.
  • Great for large groups: Adding smaller AD Groups to create a large AD Group makes managing users easier.

Cons

  • Can’t see users: SharePoint can’t open AD Groups. This makes troubleshooting permission issues a challenge. If the AD Group has a distribution list, put the distribution list in the To: line of an email and expand it to see the users.
  • Can’t use with Person/Group column: When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group. Because SharePoint can’t open AD Groups, the users inside an AD Group are not available to select.
  • Sometimes not kept up to date: IT manages Active Directory. Sometimes there is a delay in communicating changes to IT. Active Directory usually syncs with SharePoint overnight.

SharePoint Groups

Pros

  • Use for Person/Group column: When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group. If the SharePoint Group contains an AD Group, there will be no users from which to select.
  • See users in group: Troubleshooting permissions issues is easier when you can see what users are in which groups. You can see individual users in SharePoint Groups, but you cannot see users in AD Groups within SharePoint.
  • More flexibility: The Site Collection Administrator and/or Site Owner can add and remove users from SharePoint Groups. This allows us to create groups to fit any need.

Cons

  • Adding and removing users: The Site Collection Administrator and/or Site Owner must add and remove users from SharePoint Groups. When a user changes teams, departments, roles and/or companies, the Site Collection Administrator and/or Site Owner must move the user to the appropriate SharePoint Group.
  • Can’t nest SharePoint Groups: SharePoint does not allow us to add SharePoint Groups to a SharePoint Group. Example: We have a SharePoint Group for each department: IT, HR, etc. We want to create a SharePoint Group named All Departments. We would need to add individual users to the All Departments Group, as we cannot add the IT SharePoint Group and HR SharePoint Group to the All Departments SharePoint Group.
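Since SharePoint shows an AD Group only as a single entry, an access review has to expand it on the Active Directory side. The script below is an added example, not from the original post: it lists every SharePoint Group on a site and resolves any AD Group inside it to its effective users, including nested members. It assumes an on-premises farm, the SharePoint Management Shell, the RSAT ActiveDirectory module, a single AD domain, and a placeholder site URL.

```powershell
# Added example. Assumptions: on-premises farm, run from the SharePoint
# Management Shell with the RSAT ActiveDirectory module available.
param(
    [string]$SiteUrl = 'https://sharepoint.example.com/sites/demo'  # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-AdIdentityFromLogin {
    param([string]$LoginName)
    # Claims logins look like 'c:0+.w|s-1-5-21-...'; the SID follows the last '|'.
    $id = ($LoginName -split '\|')[-1]
    # Classic logins look like 'DOMAIN\GroupName'; keep the sAMAccountName part.
    ($id -split '\\')[-1]
}

$web = Get-SPWeb -Identity $SiteUrl
try {
    $report = foreach ($spGroup in $web.SiteGroups) {
        foreach ($member in $spGroup.Users) {
            if (-not $member.IsDomainGroup) {
                # Individual user added directly to the SharePoint Group.
                [pscustomobject]@{ SharePointGroup = $spGroup.Name; Via = '(direct)'; User = $member.LoginName }
                continue
            }
            try {
                $adId = Get-AdIdentityFromLogin $member.LoginName
                # -Recursive flattens nested AD Groups and returns only non-group members.
                foreach ($u in Get-ADGroupMember -Identity $adId -Recursive -ErrorAction Stop) {
                    [pscustomobject]@{ SharePointGroup = $spGroup.Name; Via = $member.Name; User = $u.SamAccountName }
                }
            } catch {
                # Built-in principals such as "Authenticated Users" are not AD Groups.
                [pscustomobject]@{ SharePointGroup = $spGroup.Name; Via = $member.Name; User = "(could not expand: $($_.Exception.Message))" }
            }
        }
    }
} finally {
    $web.Dispose()   # SPWeb objects must be disposed explicitly
}
$report | Sort-Object SharePointGroup, Via, User | Format-Table -AutoSize
```

The report covers membership of SharePoint Groups only; AD Groups granted permissions directly on a site, list or item do not appear in it.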

What other pros and cons have you run into? Leave a comment and they will be tested and added to the lists above.

If you need an overview of SharePoint Permissions, check out SharePoint Permissions So Easy Even a Caveman Can Do It.


4 Comments on “SharePoint Permissions Active Directory vs SharePoint Groups”

  1. […] our next session we will discuss the pros and cons using AD Groups and Users to manage SharePoint […]

  2. locatech says:

    One big advantage of Active Directory security groups is when you need to manage many different SharePoint list item permissions. SharePoint runs into constraints when you assign ~ more than 1500 list item permissions, and grouping people in SharePoint groups doesn’t help, only grouping them in AD groups. Also, you can use the active directory synchronization service to copy AD user info to SharePoint.

  3. Here is a link to an example of a Permissions Matrix spreadsheet. http://sdrv.ms/WlVcmw

