Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

Active Directory v/s SharePoint Groups

  Asked By: Naman    Date: Mar 13    Category: Sharepoint    Views: 1718

There is a lot of debate of the use of AD OU admin groups or SharePoint security
groups. What are the true benefits of AD, besides centralized management of
security? It seems like SharePoint groups is a much easier solution. Can you
apply a SharePoint security group that already exists to a site? If so what
level permissions must a user have to do this?
I understand the fact that you can delete someone's account in AD and that
eliminates their access all sites they had access to, but couldn't you just
eliminate that name from the SharePoint Group created? Of course that is if you
can apply an existing SharePoint group to a site.



2 Answers Found

Answer #1    Answered By: Mariel Ferrell     Answered On: Mar 13

One thing I hate is that you can not use Sharepoint groups  for Sharepoint

Answer #2    Answered By: Santana Osborn     Answered On: Mar 13

Authorization (security) in sharepoint  always uses either SharePoint users or
groups. You can't assign SharePoint permissions  directly to AD users or groups,
they must be added either to SharePoint groups  or as SharePoint users. Adding
AD groups as a SharePoint user  or as a member of a SharePoint group  gives Domain
admins the ability to manage SharePoint permissions centrally by managing
membership in AD groups. But SharePoint groups makes it possible to delegate
management of security  in SharePoint to users who aren't domain admins. The
best rule of thumb is that IF security is managed centrally by AD domain admins,
then use AD groups. If it is managed by non-admins then use SharePoint groups.

I know some will say that if you use SharePoint groups users will not show up in
the local SharePoint site. That is NOT true. Any member of a SharePoint group
who has contributed one item to a list or library in a site  will show as a
member of the site. Read-only users and users who have not contributed will not
show as users. There is no reason not to use SharePoint groups in a
decentralized security model for SharePoint.

I also suggest never delete  an AD user. You should deactivate the user instead.
Deactivating a user will preserve their history in SharePoint, but will remove
their ability to login to the system.

Didn't find what you were looking for? Find more on Active Directory v/s SharePoint Groups Or get search suggestion and latest updates.