Sharepoint Forum


SharePoint Groups vs. AD Groups

  Asked By: Angelo    Date: Jan 22    Category: Sharepoint    Views: 5221

Can someone briefly summarize the advantage of using SharePoint groups
instead of AD groups?
Is there such an advantage?



8 Answers Found

Answer #1    Answered By: Ivy Salinas     Answered On: Jan 22

The main advantage is in terms of manageability - anytime someone on
your SharePoint sites wants to change a SharePoint group, they can do
so without involving your AD administrators (assuming proper
permissions, of course). SharePoint groups are also the default mode
of management for sites, since it makes doing batch changes on
permission levels much easier on a site-by-site basis.

Answer #2    Answered By: Kevin Davis     Answered On: Jan 22

SharePoint groups can be created and edited by administrators in
SharePoint who are NOT Domain Admins. That allows security
administration to be delegated to power users. That is the main

Answer #3    Answered By: Meenakshi Khochar     Answered On: Jan 22

Of course, Active Directory was designed so that security administration
can be delegated as well (using OUs). So MOSS groups don't really
have an advantage that way - it's just a different way to go about it.

Keeping all of your security in a central location reduces maintenance
costs as you scale out, so using strictly AD for your MOSS security may
be a good design. But don't try and mix MOSS and AD groups - use one or
the other. If you want to delegate security administration but can't use
only AD delegation, then use MOSS groups and train your MOSS
administrators to maintain it using ONLY MOSS groups and users - NEVER
AD groups.

Answer #4    Answered By: Latrice Henson     Answered On: Jan 22

I disagree on two counts.

1) Although you can restrict access in the AD to specific OUs, you
have to give the administrator some AD access to those OUs. Using
SharePoint groups, the administrator doesn't need anything other than the
normal ReadOnly access to AD that every user already has. That way you
can't accidentally give someone too much access in AD.

2) Also, AD access, even restricted OU access, applies to more than
just SharePoint. A SharePoint Farm administrator can delegate security
in SharePoint without needing to be a Domain Admin. If you administer
SharePoint by limiting access to OUs, somebody needs access to all of
them to administer the limitations. If I keep administration in
SharePoint, the Farm Admin doesn't need Full AD access.

Having said all that, I agree you should keep your groups in one place
and if the SharePoint admins are Network Admins then keep them in AD.
But the strength of SharePoint groups is that you can delegate authority
without having to involve the AD admins at any level. So I still think
SharePoint groups have an advantage in that specific scenario.

Answer #5    Answered By: Nidhi Tiwary     Answered On: Jan 22

If your AD admins have already delegated administration using OUs, then
you still don't need to involve them. You already have control over the
users and group accounts that you need.

I believe that SharePoint resources are just like any other corporate
resource and should be secured just like any other server, file share,
or printer.

Answer #6    Answered By: Beatrice Serrano     Answered On: Jan 22

Agreed. The point is that in a lot of companies AD admins haven't
already delegated administration. In fact in a lot of companies AD
admins won't delegate control of OUs. When that's the case SharePoint
groups should be used.

Answer #7    Answered By: Maya Lewis     Answered On: Jan 22

This is one of those areas where SharePoint empowering the user is met
with enthusiasm from management and with resistance from I.T.

For sites that will be targeted to a relatively stable audience, we
manage security in A.D.

Authority over ad-hoc collaboration groups is passed down to a group
administrator so that we don't have to be bothered with frequent

We enjoy a middle ground where we have actually built a tool to empower
selected users to make very limited changes to specific A.D. Universal

Answer #8    Answered By: Paola Mcmahon     Answered On: Jan 22

Most large companies have to mix SharePoint Server 2007 and AD Groups,
fwiw. It works fine as long as the AD Group being embedded in the SP
group is a Universal group. Basically, you should use Universal groups
for the majority of SharePoint stuff - permissions and audiences being
the two I know about.
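
The conditions raised in Answers #3 and #8 (AD groups mixed into SharePoint permissions, and whether a nested AD group is Universal) can be audited with a script like the one below. It is an added example, not code from any poster in this thread. It assumes an on-premises SharePoint server with the server object model, classic Windows authentication, groups that live in the current domain, and a placeholder site URL.

```powershell
# Added example, not from the thread. Assumptions: on-premises SharePoint server,
# classic Windows authentication (logins look like DOMAIN\name), groups live in
# the current domain, and $SiteUrl is a placeholder for your own site collection.
param([string]$SiteUrl = 'http://sharepoint.example.local')

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SharePoint')

function Get-AdGroupScope([string]$SamAccountName) {
    # Escape LDAP filter metacharacters before building the search filter.
    $safe = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$safe))"
    [void]$searcher.PropertiesToLoad.Add('grouptype')
    $hit = $searcher.FindOne()
    if (-not $hit) { return 'NotFound' }   # e.g. NT AUTHORITY\authenticated users
    $type = [int]$hit.Properties['grouptype'][0]
    # groupType bit flags: 0x2 global, 0x4 domain local, 0x8 universal.
    if     ($type -band 0x8) { 'Universal' }
    elseif ($type -band 0x4) { 'DomainLocal' }
    elseif ($type -band 0x2) { 'Global' }
    else                     { 'Unknown' }
}

function New-Finding($Where, $Login) {
    # Hypothetical helper: one report row per AD group found in SharePoint.
    $sam = ($Login -split '\\')[-1]
    New-Object PSObject -Property @{
        GrantedVia = $Where
        AdGroup    = $Login
        Scope      = Get-AdGroupScope $sam
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.RootWeb
    # AD groups nested inside SharePoint groups.
    foreach ($group in $web.SiteGroups) {
        foreach ($member in $group.Users) {
            if ($member.IsDomainGroup) { New-Finding "SharePoint group '$($group.Name)'" $member.LoginName }
        }
    }
    # AD groups granted permissions directly on the root web.
    foreach ($ra in $web.RoleAssignments) {
        $m = $ra.Member
        if ($m -is [Microsoft.SharePoint.SPUser] -and $m.IsDomainGroup) { New-Finding 'direct role assignment' $m.LoginName }
    }
}
finally { $site.Dispose() }
```

Rows whose Scope is not Universal, and rows granted via a direct role assignment, are the ones to review against whichever model the farm has chosen.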
