Sharepoint 2010 Forum

AD Groups vs SP Groups

  Date: Feb 20    Category: Sharepoint 2010    Views: 2817

(WSS only) If I create a group in AD, is there any way to tie that group to a
group in SharePoint? Or does SharePoint just do a one-time AD user pull-in?



6 Answers Found

Answer #1    Answered On: Feb 20    

Not sure what you're after here, but you can add an AD group as a member of a
SharePoint group and the members of the AD will then have the permission level
access as given to the SharePoint group. SharePoint doesn't "pull in" users from
AD for permissions. SharePoint handles all permissions itself, it simply checks
with AD to see if the user is valid (authenticated). Now profiles on the other
hand, SharePoint does pull this in from AD and does it based on a schedule that
you configure. (But that's with MOSS and you have WSS, so forget about user

When using AD groups to control access to SharePoint there are a few things to
consider. SharePoint does not expand or display the AD group membership, so in
SharePoint you will not know who you have given access to. When adding users,
this will need to be done through your AD and thus takes control out of the Site
owners' hands and puts the burden on your AD administrators instead. There have
been several discussions concerning how to control access to SharePoint and
should you use AD groups or SharePoint groups. I fall on the side of SharePoint.
AD groups have their place, and I use them when warranted, but for the most part
I prefer to create SharePoint groups and add the users directly to those groups.

Answer #2    Answered On: Feb 20    

Can you restrict SharePoint Users using AD Groups? Here are my thoughts /

I have AD groups ADGroupA, ADGroupB, ADGroupC, ADGroupXYZ on the DC
Server. On the WSS 3.0 SharePoint Server I have SharePoint sites called
SPSiteA-Root and SPSiteB (inherits permissions from SPSiteA-Root) and an SPGroup
called SPGroupB, no permissions anywhere yet.

Q. I want only the DC groups ADGroupA, ADGroupXYZ to have access to SPSiteB, is
it possible?

My thought:

[pre-req I am a Site collection administrator for Root Site [SPSiteA]]
I break inheritance from SPSiteA-Root on SPSiteB and remove all the current
users and groups that I do not need
Then I add the AD Groups ADGroupA, ADGroupXYZ to the SharePoint Group SPGroupB
Then I add the SPGroupB to SharePoint SPSiteB with permissionX [i.e. read, full
control, contribute, custom perm, etc.]

End result, everyone that is added and removed from the AD Groups ADGroupA,
ADGroupXYZ can access the with permissionX [i.e. read, full control, contribute,
custom perm, etc.]

Does this sound right? Should those not SC Admin or in SPGroupB get access

Answer #3    Answered On: Feb 20    

Yes, that is possible. But be careful changing group membership at the site
level. Membership of a group is handled where the group is created. Change
the membership of the group anywhere and you change it everywhere. I
normally recommend creating all groups and permission levels in the root
site. You can create groups and permission levels wherever you like, but it
gets confusing after a while, so I usually try to stick to creating them in
one place. What you change at the lower level when you break inheritance is
the specific permission level assigned to the group for that site, not the
membership of the group itself or the permissions included in a permission
level. But remember, permissions in SharePoint are always additive. If a
user belongs to any group that has permission to that web site there is no
way to restrict their access.

Answer #4    Answered On: Feb 20    

Yeah, I ran into that issue with the memberships and where they were created
and changing them, so I made it a best practice for myself to always make sure I
am in the root b/c I know it will then filter down unless I specifically define
a site not to. I am still playing cleanup two months later b/c of that!

Answer #5    Answered On: Feb 20    

Is it possible to add multiple SPGroups to a new SPGroup? I.e., can I add
SPGroupA, SPGroupC and SPGroupZ to SPGroupB? I was getting an error but not sure if
I was doing the steps right or if it truly is disallowed!

Answer #6    Answered On: Feb 20    

SharePoint Groups cannot be nested inside each other. AD Groups can be
nested inside a SharePoint group.
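
An added example, not part of the thread: a small Python model of the access review implied by Answers #1, #3 and #6. It expands AD groups (which SharePoint does not display), unions permission levels across every group a user belongs to, and rejects SharePoint groups nested in each other. The user names, `ADGroupA-Contractors`, `SPSiteA Visitors` and all memberships are constructed sample data, not taken from a real farm.

```python
# Constructed sample data modelling the thread's scenario; not exported from a real farm.
AD_GROUPS = {  # AD group -> direct members (users or nested AD groups)
    "ADGroupA": {"alice", "ADGroupA-Contractors"},
    "ADGroupA-Contractors": {"carol"},
    "ADGroupXYZ": {"bob"},
    "ADGroupC": {"dave", "alice"},
}
SP_GROUPS = {  # SharePoint group -> members (users or AD groups, never SP groups)
    "SPGroupB": {"ADGroupA", "ADGroupXYZ"},
    "SPSiteA Visitors": {"ADGroupC", "erin"},  # hypothetical group left on SPSiteB
}
# Role assignments on SPSiteB after inheritance is broken: principal -> permission levels
SITE_B_ASSIGNMENTS = {"SPGroupB": {"Contribute"}, "SPSiteA Visitors": {"Read"}}


def validate_sp_groups(sp_groups):
    """Reject a SharePoint group that lists another SharePoint group as a member."""
    for name, members in sp_groups.items():
        nested = members & sp_groups.keys()
        if nested:
            raise ValueError(f"{name} nests SharePoint group(s): {sorted(nested)}")


def expand_ad(principal, ad_groups, seen=None):
    """Resolve a user or AD group to a set of users, following nested AD groups."""
    seen = set() if seen is None else seen
    if principal not in ad_groups:
        return {principal}  # a plain user account
    if principal in seen:
        return set()  # guard against circular AD nesting
    seen.add(principal)
    users = set()
    for member in ad_groups[principal]:
        users |= expand_ad(member, ad_groups, seen)
    return users


def effective_access(assignments, sp_groups, ad_groups):
    """Return {user: permission levels}; levels are unioned because access is additive."""
    validate_sp_groups(sp_groups)
    access = {}
    for principal, levels in assignments.items():
        for member in sp_groups.get(principal, {principal}):
            for user in expand_ad(member, ad_groups):
                access.setdefault(user, set()).update(levels)
    return access
```

In this sample, `dave` and `erin` still reach SPSiteB through the leftover `SPSiteA Visitors` assignment, and `alice` holds both Read and Contribute because she is in two AD groups.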
