Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

AD Groups vs SP Groups

  Asked By: Ali    Date: Jan 09    Category: Sharepoint    Views: 3160

(WSS only) If I create a group in AD is there anyway to tie that group to a
group in SharePoint? Or does SharePoint just do a one time AD user pull in?



6 Answers Found

Answer #1    Answered By: Varun Mehta     Answered On: Jan 09

Not sure what you're after here, but you can add an AD group  as a member of a
SharePoint group and the members of the AD will then have the permission level
access as given to the sharepoint  group. SharePoint doesn't "pull in" users from
AD for permissions. SharePoint handles all permissions itself, it simply checks
with AD to see if the user  is valid (authenticated). Now profiles on the other
hand, SharePoint does pull  this in from AD and does it based on a schedule that
you configure. (But that's with MOSS and you have WSS, so forget about user

When using AD groups  to control access to SharePoint there are a few things to
consider. SharePoint does not expand or display the AD group membership, so in
SharePoint you will not know who you have given access to. When adding users,
this will need to be done through your AD and thus takes control out of the Site
owners hands and puts the burden on your AD administrators instead. There have
been several discussions concerning how to control access to SharePoint and
should you use AD groups or SharePoint groups. I fall on the side of SharePoint.
AD groups have their place, and I use them when warranted, but for the most part
I prefer to create  SharePoint groups and add the users directly to those groups.

Answer #2    Answered By: Junior Jarvis     Answered On: Jan 09

Can you restrict SharePoint Users using AD Groups? Here are my thoughts /

I have AD groups  ADGroupA, ADGroupB, ADGroupC, ADGroupXYZ on the DC
Server. On the WSS 3.0 SharePoint Server I have a SharePoint sites called
SPSiteA-Root and SPSiteB (inherits permissions from SPSiteA-Root) and a SPGroup
called SPGroupB no permissions anywhere yet.

Q. I want only the DC groups ADGroupA, ADGroupXYZ to have access to SPSiteB, is
it possible?

My thought:

[pre-req I am a Site collection administrator for Root Site [SPSiteA]]
I break inheritance from SPSiteA-Root on SPSiteB and remove all the current
users and groups that I do not need
Then I add the AD Groups ADGroupA, ADGroupXYZ to the SharePoint group  SPGroupB
Then I add the SPGroupB to SharePoint SPSiteB with permissionX [i.e. read, full
control, contribute, custom perm, etc.]

End result, everyone that is added and removed from the AD Groups ADGroupA,
ADGroupXYZ can access the with permissionX [i.e. read, full control, contribute,
custom perm, etc.]

Does this sound right? Should those not SC Admin or in SPGroupB get access

Answer #3    Answered By: Sanjay Lohar     Answered On: Jan 09

Yes, that is possible. But be careful changing group  membership at the site
level. Membership of a group is handled where the group is created. Change
the membership of the group anywhere and you change it everywhere. I
normally recommend creating all groups  and permission levels in the root
site. You can create  groups and permission levels wherever you like, but it
gets confusing after a while, so I usually try to stick to creating them in
one place. What you change at the lower level when you break inheritance is
the specific permission level assigned to the group for that site, not the
membership of the group itself or the permissions included in a permission
level. But remember, permissions in sharepoint  are always additive. If a
user belongs to any group that has permission to that web site there is no
way to restrict their access.

Answer #4    Answered By: Mason Salazar     Answered On: Jan 09

Yeah, I ran into that issue with the memberships and where they where created
and changing them, so I made it a best practice for myself to always make sure I
am in the root b/c I know it will then filter down unless I specifically define
a site not to, I am still playing clean up two months later b/c of that!

Answer #5    Answered By: Jesus Davis     Answered On: Jan 09

Is it possible to add multiple SPGroups to a new SPGroup? I.E. Can I add
SPGroupA, SPGroupC and SPGroupZ to SPGroupB? I was getting error but not sure if
I was doing the steps right or if it truly is dis-allowed!

Answer #6    Answered By: Narasimha Kamane     Answered On: Jan 09

SharePoint Groups cannot be nested inside each other. AD Groups can be
nested inside a SharePoint group.

Didn't find what you were looking for? Find more on AD Groups vs SP Groups Or get search suggestion and latest updates.