Thursday, July 31, 2008

AD Groups and SharePoint Groups

Choosing between AD Groups and SharePoint Groups. What is the best approach for assigning permission levels in SharePoint?

Here are some guidelines:

A general rule of thumb is that the fewer security principals you have, the more scalable your security design will be.  In other words, it is easier to assign permission levels to one group than to 100 users.

Avoid assigning permission levels directly to user accounts—use either an Active Directory (AD) group or a SharePoint group to contain the users.  If there is a one-to-one mapping between an AD group and a SharePoint permission level, you could assign permissions to the AD Group rather than creating a SharePoint group, but if you always use a SharePoint group, you have a clean way to add more users/groups later if you need to.

Use SharePoint groups over AD security groups.  You can delegate control of SharePoint groups to site administrators.  If you use AD groups, there can be a bottleneck getting users added to or removed from them, since only a select few in the organization have permission to change AD group membership.  Another issue with AD groups is that you cannot view their members in SharePoint, making it difficult to determine who has access to what.
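One way to check a site against the guidelines above is to walk its role assignments and report which principal type each permission level is granted to. The following is an added example, not code from this post or from the referenced blogs; it assumes the WSS 3.0 / MOSS 2007 server object model (Microsoft.SharePoint.dll), must run on a server in the farm under an account that can read the site, and the default site URL is a placeholder.

```csharp
// Added example: audit who holds permission levels on a site and its sub-sites.
// Flags direct user assignments (the pattern the guidelines advise against) and
// AD groups assigned directly (valid, but their membership cannot be expanded or
// delegated from within SharePoint). Assumes the SharePoint 2007 server object model.
using System;
using Microsoft.SharePoint;

class PermissionAudit
{
    static void Main(string[] args)
    {
        // Placeholder URL; pass the real site URL as the first argument.
        string siteUrl = args.Length > 0 ? args[0] : "http://intranet/sites/example";

        using (SPSite site = new SPSite(siteUrl))
        using (SPWeb web = site.OpenWeb())
        {
            AuditWeb(web);
        }
    }

    static void AuditWeb(SPWeb web)
    {
        Console.WriteLine("== {0} ({1})", web.Title, web.Url);

        if (!web.HasUniqueRoleAssignments)
        {
            // Inherits from the parent site; the parent's report already covers it.
            Console.WriteLine("   inherits permissions from parent; skipping");
        }
        else
        {
            foreach (SPRoleAssignment ra in web.RoleAssignments)
            {
                // Collect the permission level names bound to this principal.
                string levels = "";
                foreach (SPRoleDefinition rd in ra.RoleDefinitionBindings)
                    levels += (levels.Length > 0 ? ", " : "") + rd.Name;

                SPGroup group = ra.Member as SPGroup;
                SPUser user = ra.Member as SPUser;

                if (group != null)
                {
                    // SharePoint group: membership is visible here, so list it.
                    Console.WriteLine("   [SP group] {0} -> {1}", group.Name, levels);
                    foreach (SPUser member in group.Users)
                    {
                        string note = member.IsDomainGroup
                            ? " (AD group; its members are not visible from SharePoint)"
                            : "";
                        Console.WriteLine("      - {0}{1}", member.LoginName, note);
                    }
                }
                else if (user != null && user.IsDomainGroup)
                {
                    // AD group granted a permission level directly.
                    Console.WriteLine("   [AD group, direct] {0} -> {1}  (consider placing it in a SharePoint group)",
                                      user.LoginName, levels);
                }
                else if (user != null)
                {
                    // Individual account granted a permission level directly.
                    Console.WriteLine("   [USER, direct] {0} -> {1}  ** direct user assignment **",
                                      user.LoginName, levels);
                }
            }
        }

        // Recurse into sub-sites; each SPWeb must be disposed when done.
        foreach (SPWeb sub in web.Webs)
        {
            try { AuditWeb(sub); }
            finally { sub.Dispose(); }
        }
    }
}
```

Compile it against Microsoft.SharePoint.dll and run it on a farm server. Lines marked "direct user assignment" are the ones to move into a SharePoint group; lines marked "AD group, direct" are worth reviewing because nobody in SharePoint can see or change who is in that group.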

Difference between SharePoint Groups and AD Groups:

Domain Groups

  •       Normally created and maintained by the IT department
  •       Can be used across different SharePoint sites and site collections
  •       Organizations may already have good AD group structures that map well to your SharePoint implementation
  •       Groups can be nested - e.g. you can add another AD Group as a member to an existing AD group
  •       No features for users to submit a request to join a group

SharePoint Groups

  •       The creation of groups can be done by business users
  •       When a group is being created, you can define who "owns" the group
  •       Can allow users to submit a request to join a group
  •       Can determine who has permissions to see the users within groups
  •       Groups are created within a particular Site Collection - cannot be used in other site collections
  •       You cannot add a SharePoint Group as a member of another SharePoint group (no nesting)
  •       SharePoint Groups cannot be used in other systems (e.g. network Shares)
  •       The SharePoint Groups are separate from Active Directory - so you can go wild with the SharePoint Groups without upsetting your AD administrator

References:
http://www.sharepointblogs.com/johnwpowell/default.aspx
http://guru-web.blogspot.com/2007/10/difference-between-sharepoint-and-ad.html
