SharePoint Permissions Active Directory vs SharePoint Groups

What should we use to manage SharePoint Permissions: Secure Active Directory (AD) Groups or SharePoint Groups?

As with everything in SharePoint, the answer is, “It depends.” Most people end up using both AD Groups and SharePoint Groups to manage permissions.

Before we discuss the pros and cons of both AD groups and SharePoint groups, there are a couple things we need to keep in mind.

Keep in Mind

  • A distribution list is NOT an AD Group
  • An AD Group MAY have a distribution list
  • Only Secure AD Groups can be used

Active Directory Groups

Pros

  • Managed by IT: The IT Department creates and manages the groups. The Site Collection Administrator and/or Site Owner do not need to add and remove users from AD Groups.
  • May contain multiple groups (nested): If a department is made up of several teams, the department AD Group usually contains the team AD Groups. This makes managing users easier.
  • Great for large groups: Adding smaller AD Groups to create a large AD Group makes managing users easier.

Cons

  • Can’t see users: SharePoint can’t open AD Groups. This makes troubleshooting permission issues a challenge. If the AD Group has a distribution list, put the distribution list in the To: line of an email and expand to see the users.
  • Can’t use with Person/Group column: SharePoint can’t open AD Groups. When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group.
  • Sometimes not kept up to date: IT manages Active Directory. Sometimes there is a delay in communicating changes to IT. Active Directory usually syncs with SharePoint overnight.

SharePoint Groups

Pros

  • Use for Person/Group column: When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group. If the SharePoint Group contains an AD Group, there will be no users from which to select.
  • See users in group: Troubleshooting permissions issues is easier when you can see what users are in which groups. You can see individual users in SharePoint Groups, but you cannot see users in AD Groups within SharePoint.
  • More flexibility: The Site Collection Administrator and/or Site Owner can add and remove users from SharePoint Groups. This allows us to create groups to fit any need.

Cons

  • Adding and removing users: The Site Collection Administrator and/or Site Owner must add and remove users from SharePoint Groups. When a user changes teams, departments, roles and/or companies, the Site Collection Administrator and/or Site Owner must move the user to the appropriate SharePoint Group.
  • Can’t nest SharePoint Groups: SharePoint does not allow us to add SharePoint Groups to a SharePoint Group. Example: We have a SharePoint Group for each department: IT, HR, etc. We want to create a SharePoint Group named All Departments. We would need to add individual users to the All Departments Group, as we cannot add the IT SharePoint Group and HR SharePoint Group to the All Departments SharePoint Group.

What other pros and cons have you run into? Leave a comment and they will be tested and added to the lists above.

If you need an overview of SharePoint Permissions, check out SharePoint Permissions So Easy Even a Caveman Can Do It.


Upload Documents in SharePoint 2013

There are at least two ways to upload documents to a SharePoint 2013 library.

  1. Old School – Click on Documents tab and in the New Group, select Upload. Just like in 2007 and 2010.
  2. New School – Just drag and drop the document into the library. No need to open in Explorer View, get a cup of coffee while you wait for it to open, and then drag and drop files.

Click on the video below to check it out.


SharePoint Permissions So Easy a Caveman Can Do It

These drawings, found in a cave in Redmond, WA, date back to early 2001. The pictographs have stumped archeologists throughout the ages, until now.

[Image: cave drawing]

Recent discoveries by a SharePoint addict reveal the true meaning of these images.

“It looks like the four building blocks of SharePoint permissions.” Take a look at the cave drawing again, this time with annotation.

[Image: cave drawing with annotation]

But how do SharePoint Permissions work?

Here are the basic steps:

  1. Add users to the SharePoint group
  2. Give the group a permission level
  3. Grant the group access to somewhere


Of course if you are not satisfied with the permission levels or SharePoint groups that are available, given the correct rights, you can create your own groups and permission levels.

Although it is not considered a Best Practice, you could also give permissions directly to a user.

  1. Give the user a permission level
  2. Grant the user access to somewhere


Some of the drawings show another figure. This additional figure depicts secure Active Directory (AD) groups.

  1. Add AD groups to the SharePoint group
  2. Give the group a permission level
  3. Grant the group access to somewhere


Further interpretation of the drawings revealed another option:

  1. Give the AD group a permission level
  2. Grant the AD group access to somewhere
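
The four grant patterns above (a user or an AD group, either inside a SharePoint group or granted directly) can be listed per site, which also shows where an AD group hides its membership from SharePoint. This PowerShell script is an added example, not part of the original post; it assumes an on-premises farm server with the SharePoint snap-in, and the function name and site URL are hypothetical.

```powershell
# Added example: report how each permission on one site (SPWeb) was granted.
# Assumption: run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-WebPermissionReport {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$WebUrl)

    $web = Get-SPWeb -Identity $WebUrl
    try {
        foreach ($assignment in $web.RoleAssignments) {
            # Permission levels bound to this principal, e.g. "Contribute"
            $levels = ($assignment.RoleDefinitionBindings |
                       ForEach-Object { $_.Name }) -join ', '
            $member = $assignment.Member

            if ($member -is [Microsoft.SharePoint.SPGroup]) {
                if ($member.Users.Count -eq 0) {
                    # A group with a permission level but nobody in it
                    [pscustomobject]@{ Principal = '(none)'; GrantedVia = 'Empty SharePoint group'
                                       SharePointGroup = $member.Name; Levels = $levels }
                }
                foreach ($user in $member.Users) {
                    # IsDomainGroup is true for an AD group; SharePoint cannot list its members
                    $via = if ($user.IsDomainGroup) { 'AD group in SharePoint group' }
                           else { 'User in SharePoint group' }
                    [pscustomobject]@{ Principal = $user.LoginName; GrantedVia = $via
                                       SharePointGroup = $member.Name; Levels = $levels }
                }
            }
            else {
                # An SPUser entry: a user or AD group given a permission level directly
                $via = if ($member.IsDomainGroup) { 'AD group granted directly' }
                       else { 'User granted directly' }
                [pscustomobject]@{ Principal = $member.LoginName; GrantedVia = $via
                                   SharePointGroup = ''; Levels = $levels }
            }
        }
    }
    finally {
        $web.Dispose()   # SPWeb objects must be disposed explicitly
    }
}

# Placeholder URL: list only the direct grants, the pattern the post calls not a Best Practice
Get-WebPermissionReport -WebUrl 'http://sharepoint.example.local/sites/hr' |
    Where-Object { $_.GrantedVia -like '*granted directly' } |
    Format-Table Principal, GrantedVia, Levels -AutoSize
```

The report covers the site's own role assignments only; lists, folders or items that have stopped inheriting permissions carry their own assignments and need the same walk.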


Some archeologists were stunned that there was no pictograph for audiences, but then someone pointed out that SharePoint audiences are not part of permissions or security. SharePoint audiences are just a way to reduce noise on a page.

In our next session we will discuss the pros and cons of using AD Groups and Users to manage SharePoint Permissions.


View and download the entire deck here.