SharePoint Groups or AD Groups: When to use Which? 

It is often stated that you ought to use Active Directory (AD) groups as much as possible, if not always. However, any seasoned SharePoint administrator knows that it is impossible to always use AD groups, and the line for when to switch over to SharePoint groups is often blurry. Another complicating factor is knowing when it is appropriate to simply add users individually to SharePoint objects without first adding them to a group. These "explicit" permissions can be hard to control.

 

Below is a decision tree I put together to know when to use which. Start at stage 1, and use what is suggested when you first answer "Yes". If the first 5 stages all come back as "No", just add the users individually. Hope it helps!

 

 

DECISION TREE FOR GROUP TYPES:

 

1 - If the group will contain more than 50 users:

    If yes, an AD group is required.

 

2 - If the group needs to be leveraged across multiple Site Collections:

    If yes, an AD group is required.

 

3 - If the group will be provisioned onto objects that have audit implications:

    If yes, an AD group is required.

 

4 - If the group will be provisioned onto multiple objects within the same Site Collection:

    If yes, a SharePoint group is required.

 

5 - If membership to the group requires approval by the Site Collection administrator (sensitive assignments):

    If yes, a SharePoint group is required.

 

6 - Else, adding users to the objects individually is acceptable…

 

 

 

RATIONALE OF EACH STAGE

 

STAGE 1) If the group will contain more than 50 users, then AD Group

The milestone of 50 users is not set in stone, but it is important to remember that as group membership increases, so does maintenance. If you have a site collection administrator managing SharePoint groups with hundreds or thousands of users therein, that will undoubtedly consume large amounts of their time. It is a better practice to offload that maintenance onto an IT help desk of some sort, whose specialty is such activities and who can commit to SLAs, etc.

 

STAGE 2) If the group needs to be leveraged across multiple site collections, then AD group

SharePoint groups never span more than a single site collection. Therefore, if a group of users needs to be given permissions within multiple site collections, SharePoint groups will not be an option. Rather, an AD group is required.

 

STAGE 3) If the group will be provisioned onto objects that have audit implications, then AD group

When dealing with SOX or HIPAA information, it is best to stick with AD groups because there are more third-party reporting appliances that can be leveraged during an audit.

 

STAGE 4) If the group will be provisioned onto multiple objects within the same site collection, then SharePoint group

You never want to reinvent the wheel. Why manage the same set of users in 10 different places? It is better to create a SharePoint group, even if it only has 5 users in it.

 

STAGE 5) If membership to the group requires approval by the Site Collection administrator, then SharePoint group

Built right into SharePoint, you can set up requests for group membership which can be approved or denied. If you have sensitive content in your site collection, you may want to leverage these approval capabilities, because if people add users individually to content, there is no notification or approval process that you can tap into.

 

 

STAGE 6) Else, adding users to the objects individually is acceptable…

If stages 1-5 come back as "No", there's no reason to not simply add the users individually without adding them to a group first.

 

Phil

 
Posted by BENDER\pwicklund on 21-Oct-09
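
An audit sketch for stages 1 and 4 of the decision tree above, added here as an example and not part of the original post. It uses the SharePoint server object model from PowerShell on a farm server; `$SiteUrl` is a placeholder, stage 4 is approximated per user (one user assigned directly on more than one web or list), and item- and folder-level permissions are not scanned.

```powershell
# Added example (not from the original post). $SiteUrl is a placeholder value.
param(
    [string]$SiteUrl = "http://sharepoint.example.local/sites/team",
    [int]$MaxGroupSize = 50   # stage 1 threshold from the decision tree
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
$limited  = [Microsoft.SharePoint.SPRoleType]::Guest   # role type of "Limited Access"
$explicit = @{}   # login name -> objects where the user is assigned directly

function Add-ExplicitUsers($securable, $label) {
    foreach ($ra in $securable.RoleAssignments) {
        $m = $ra.Member
        # Only individual users: skip SharePoint groups and AD groups.
        if ($m -isnot [Microsoft.SharePoint.SPUser] -or $m.IsDomainGroup) { continue }
        # Skip assignments that carry nothing but Limited Access.
        $real = @($ra.RoleDefinitionBindings | Where-Object { $_.Type -ne $limited })
        if ($real.Count -eq 0) { continue }
        if (-not $explicit.ContainsKey($m.LoginName)) { $explicit[$m.LoginName] = @() }
        $explicit[$m.LoginName] += $label
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    # Stage 1: oversized SharePoint groups are AD group candidates.
    foreach ($g in $site.RootWeb.SiteGroups) {
        if ($g.Users.Count -gt $MaxGroupSize) {
            "STAGE 1: SharePoint group '{0}' has {1} members; AD group candidate" -f $g.Name, $g.Users.Count
        }
    }
    # Walk every web and list that breaks permission inheritance.
    foreach ($web in $site.AllWebs) {
        try {
            if ($web.HasUniqueRoleAssignments) { Add-ExplicitUsers $web $web.Url }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    Add-ExplicitUsers $list ("{0} :: {1}" -f $web.Url, $list.Title)
                }
            }
        } finally { $web.Dispose() }
    }
} finally { $site.Dispose() }

# Stage 4: the same user managed in several places is a SharePoint group candidate.
foreach ($login in $explicit.Keys) {
    $objects = $explicit[$login]
    if ($objects.Count -gt 1) {
        "STAGE 4: {0} is assigned directly on {1} objects; SharePoint group candidate" -f $login, $objects.Count
        $objects | ForEach-Object { "    $_" }
    }
}
```

Users that appear on only one object fall through to stage 6 and are not reported.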