SharePoint Permissions Active Directory vs SharePoint Groups

What should we use to manage SharePoint Permissions: Secure Active Directory (AD) Groups or SharePoint Groups?

As with everything in SharePoint, the answer is, “It depends.” Most people end up using both AD Groups and SharePoint Groups to manage permissions.

Before we discuss the pros and cons of both AD groups and SharePoint groups, there are a couple things we need to keep in mind.

Keep in Mind

  • A distribution list is NOT an AD Group
  • An AD Group MAY have a distribution list
  • Only Secure AD Groups can be used

Active Directory Groups

Pros

  • Managed by IT: The IT Department creates and manages the groups. The Site Collection Administrator and/or Site Owner do not need to add and remove users from AD Groups.
  • May contain multiple groups (nested): If a department is made up of several teams, the department AD Group usually contains the team AD Groups. This makes managing users easier.
  • Great for large groups: Adding smaller AD Groups to create a large AD Group makes managing users easier.

Cons

  • Can’t see users: SharePoint can’t open AD Groups. This makes troubleshooting permission issues a challenge. If the AD Group has a distribution list, put the distribution list in the To: line of an email and expand to see the users.
  • Can’t use with Person/Group column: SharePoint can’t open AD Groups. When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group.
  • Sometimes not kept up to date: IT manages Active Directory. Sometimes there is a delay in communicating changes to IT. Active Directory usually syncs with SharePoint overnight.
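
Because SharePoint can’t open AD Groups, one way to see who a group really gives access to (including users who arrive through nested groups) is to expand it in Active Directory with PowerShell. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and you have read access to the domain, and the function name Get-AdGroupAccessReport and the group name HR-Department are made up for illustration.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-AdGroupAccessReport {
    param(
        [Parameter(Mandatory)]
        [string]$GroupName   # hypothetical group name supplied by the caller
    )

    # The mail attribute is not returned by default, so request it explicitly.
    $group = Get-ADGroup -Identity $GroupName -Properties mail

    # A Distribution group is only a mailing list; flag it so it is not mistaken
    # for a group that can be used for permissions.
    if ($group.GroupCategory -ne 'Security') {
        Write-Warning "$($group.Name) is a $($group.GroupCategory) group, not a security group."
    }

    # Direct members that are themselves groups (the nesting SharePoint cannot show).
    $nested = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        Select-Object -ExpandProperty Name

    # -Recursive walks the nesting and returns only the leaf members.
    $users = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property SamAccountName -Unique

    [pscustomobject]@{
        Group        = $group.Name
        Category     = $group.GroupCategory
        MailEnabled  = [bool]$group.mail      # true if a distribution list address exists
        NestedGroups = $nested
        Users        = $users | Select-Object Name, SamAccountName
    }
}

$report = Get-AdGroupAccessReport -GroupName 'HR-Department'   # constructed group name
$report | Format-List Group, Category, MailEnabled, NestedGroups
$report.Users | Format-Table -AutoSize
```

The Users list is the effective membership, which is what matters when reviewing who can reach a site through that AD Group.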

SharePoint Groups

Pros

  • Use for Person/Group column: When using a Person/Group column, under Additional Column Settings we can allow people to select from all users or only users in a selected Group. If the SharePoint Group contains an AD Group, there will be no users from which to select.
  • See users in group: Troubleshooting permissions issues is easier when you can see what users are in which groups. You can see individual users in SharePoint Groups, but you cannot see users in AD Groups within SharePoint.
  • More flexibility: The Site Collection Administrator and/or Site Owner can add and remove users from SharePoint Groups. This allows us to create groups to fit any need.

Cons

  • Adding and removing users: The Site Collection Administrator and/or Site Owner must add and remove users from SharePoint Groups. When a user changes teams, departments, roles and/or companies, the Site Collection Administrator and/or Site Owner must move the user to the appropriate SharePoint Group.
  • Can’t nest SharePoint Groups: SharePoint does not allow us to add SharePoint Groups to a SharePoint Group. Example: We have a SharePoint Group for each department: IT, HR, etc. We want to create a SharePoint Group named All Departments. We would need to add individual users to the All Departments Group, as we cannot add the IT SharePoint Group and HR SharePoint Group to the All Departments SharePoint Group.

What other pros and cons have you run into? Leave a comment and they will be tested and added to the lists above.

If you need an overview of SharePoint Permissions, check out SharePoint Permissions So Easy Even a Caveman Can Do It.