I have found that it is best to add AD groups to SP groups. When you add people
one by one it becomes a maintenance nightmare that will eventually have to be
fixed by an administrator. If you want to control MySites, the only way to do it
(that I've found anyway) is to deny that privilege to each group or individual
with access to the site.

> I have found that it is best to add AD groups to SP groups. When you add
people
> one by one it becomes a maintenance nightmare that will eventually have to
be
> fixed by an administrator.

Normally I take this stance as well, but there have been situations where an
organization delegates its site administration to the relevant business
units. In that scenario, it actually makes more sense to let individual
site admins control access to their own site groups. Keeps the AD guys from
having to worry about that as well, especially where AD groups don't map
very well to the SharePoint taxonomy.

True, as long as the site admins follow best practices. But if a site admin gets
lazy and just starts adding people one by one, and then moves on to another
job...

But that argument could be used for the AD group scenario as well; in fact,
it's even more likely since there's more effort involved in getting someone
added to the requisite AD group.

This is a long running discussion, with vocal parties on both sides. Let's
remember, SharePoint is designed to be an end user driven product. That
means, it is meant to be managed by the users, for the users. Site
Collection admins and Site Owners have the ability to add users to their
sites, and should be adding users to their sites. If an AD group exists,
that fits the need, then sure, use it. If not, create a SharePoint group and
add the proper users to that group. There i8s no need to get AD involved.
There is a very good section in the Best Practices book about this. Trying
to manage SharePoint access permissions via your AD is a mountain you really
don't want to climb.

Thanks to all for your responses. My questioin has to do with tracking access to
SharePoint sites where enterprise-level functionality has been enabled. We're
not using an AD group to control access to SharePoint but as a convenient
container for holding IDs of users who have been assigned Enterprise CALs. We
compare the members of the AD group against the All People list in SharePoint
applications where enterprise functionality has been enabled.

The problem with this is that you can add a user to SharePoint but unless you
assign him or her(or the group, either SharePoint or AD, that he or she is in) a
permission level, thereby allowing access, they are not required to have an
Enterprise CAL.

Any ideas on making sure only those users who have been assigned Enterprise CALs
access enterprise-level functionality?

My questioin has to do with tracking access to
SharePoint sites where enterprise-level functionality has been enabled. We're
not using an AD group to control access to SharePoint but as a convenient
container for holding IDs of users who have been assigned Enterprise CALs. We
compare the members of the AD group against the All People list in SharePoint
applications where enterprise functionality has been enabled.

The problem with this is that you can add a user to SharePoint but unless you
assign him or her(or the group, either SharePoint or AD, that he or she is in) a
permission level, thereby allowing access, they are not required to have an
Enterprise CAL.

Any ideas on making sure only those users who have been assigned Enterprise CALs
access enterprise-level functionality?

If you can figure out a way to segment the sites into separate Web
Applications in SharePoint, you might be able to use a permission policy
to control this.
technet.microsoft.com/en-us/library/ff608071.aspx

As several users have noted you need to add the people with Enterprise CAL's to
a group whether it be AD or SharePoint.

There is no way for anyone other than your admins to know who has an Enterprise
CAL and who does not.

Plain and simple you need to create a group for them and assign that group to
the Enterprise CAL's

my Powershell skills are not elite enough , but I am pretty sure
that *someone* could write a script to cycle through all sites, check
for that particular feature being enabled and then catalog the users who
have access to that site...

True, I guess you are suggesting people be added to a SP group, right? That
would work as well. My aim is to keep people from being added singly to a site.
Yesterday was kind of hectic, and I probably didn't communicate that clearly!

Right; SP groups are much more maintainable by the people who should have
the power over their silos.