SharePoint 2010: Choosing Between AD Groups or SharePoint Groups
Introduction
Which way should you go when coming up with a security infrastructure for SharePoint: use Active Directory (AD) or SharePoint groups?
Pro AD groups
- Company rules may dictate the use of AD groups WHENEVER you can as the basis of a permission structure.
- Companies may agree to use AD groups or SharePoint groups within their portal as the basis of their security infrastructure, but not both. In this case, it's hard to avoid using AD.
- AD provides a centralized store for your security needs that can be reused over and over again, which is more transparent.
- To do justice to the differences between AD and SharePoint, you can create an OU dedicated to SharePoint. This causes AD to contain duplicate groups: one targeted at normal use within the network, the other dedicated to SharePoint.
- A "business rule" based AD group provides security on the basis of certain attributes (e.g., Cost Center, Business Unit), which makes maintenance easier.
Pro SharePoint groups
- AD was created to secure networks. AD groups may match the needs of custom applications such as SharePoint, but they may also have a totally different meaning. E.g., it's highly unlikely that you'll find matching AD groups for site owners, site members, site visitors etc. SharePoint is a different beast; respect that fact.
- AD groups may not be fine grained enough for your SharePoint purposes. E.g., all employees in a department may be members of the same AD group, but the permissions they get in SharePoint may be a lot more fine grained than that.
- Typically, in large organizations, because of delegated control, it's easy to have a new SharePoint group created. This is typically not so easy for an AD group, where you might have to go through an approval process with an uncertain outcome, or experience a time delay because the AD admins are busy. As a result, SharePoint groups tend to be more workable. By choosing only AD groups, you sacrifice the membership control and approval process built into SharePoint groups.
- Within SharePoint, you can't check the members of an AD group, whereas you can check the members of a SharePoint group. This can lead to problems that are harder to diagnose (e.g., a user who is thought to be a member of an AD group but in fact isn't; it takes extra time to contact the appropriate administrators to verify this).
- A SharePoint group can be synced to an AD email distribution group by enabling SharePoint Directory Management service, which helps to tie both concepts closer together. It allows you to manage SharePoint groups and users within SharePoint and keep the changes synced with AD.
- AD structures haven't been designed with SharePoint in mind; they serve a different purpose, namely to provide structure for securing your network.
Best practices
- Reuse AD groups within SharePoint groups whenever you can.
- Use SharePoint groups for precise control of unique access, reuse departmental AD groups whenever you can.
- Sync a SharePoint group to an AD email distribution group by enabling SharePoint Directory Management Service whenever you can (from http://technet.microsoft.com/en-us/library/cc288433.aspx):
  - A site collection administrator creates a new SharePoint group.
  - The administrator chooses to create a distribution list to associate with that SharePoint group and assigns an e-mail address to that distribution list.
  - Over time, the administrator adds users to and removes users from this SharePoint group. As users are added to and removed from the group, the SharePoint Directory Management service automatically adds and removes them from the distribution list, which is stored in the Active Directory directory service. Because distribution lists are associated with a particular SharePoint group, this distribution list is available to all members of that SharePoint group.
Please note: You can only assign permissions to AD security groups, not to AD distribution groups.
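The best practice above (reuse an AD group inside a SharePoint group) together with the note that only security groups can carry permissions, as an added PowerShell example that is not part of the original wiki article. It assumes the SharePoint 2010 Management Shell on a farm server, the RSAT ActiveDirectory module, classic Windows authentication, and placeholder site, group and permission-level names.

```powershell
# Added example, not from the original wiki article. Nests an AD security group
# inside a SharePoint group and grants that group one permission level, with the
# checks the article calls for. Assumes SharePoint 2010 Management Shell on a farm
# server, the RSAT ActiveDirectory module, and classic Windows authentication.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl   = "http://intranet.contoso.local/sites/hr"   # placeholder site
$adGroup   = "CONTOSO\HR-Staff"                          # placeholder AD group
$spGroup   = "HR Site Members"                           # SharePoint group to reuse or create
$permLevel = "Contribute"                                # out-of-the-box permission level

# 1. Only AD security groups can carry SharePoint permissions; a distribution
#    group would grant nothing, so refuse it before touching SharePoint.
$samName = $adGroup.Split('\')[-1]
$ad = Get-ADGroup -Identity $samName
if ($ad.GroupCategory -ne 'Security') {
    throw "$adGroup is a $($ad.GroupCategory) group; SharePoint needs a security group."
}

# 2. SharePoint cannot expand AD group membership, so resolve it from AD now;
#    this is what answers 'why can't user X see the site' later on.
$members = @(Get-ADGroupMember -Identity $samName -Recursive | Select-Object -ExpandProperty SamAccountName)
Write-Host "$adGroup currently resolves to $($members.Count) user(s): $($members -join ', ')"

$web = Get-SPWeb $siteUrl
try {
    # 3. Reuse the SharePoint group if it exists; otherwise create it, owned by the
    #    site's Owners group so membership stays delegated inside SharePoint.
    $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
    if ($group -eq $null) {
        $web.SiteGroups.Add($spGroup, $web.AssociatedOwnerGroup, $null, "Holds $adGroup")
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $spGroup }
        # Bind exactly one permission level to the new group (least privilege).
        $assignment = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        $assignment.RoleDefinitionBindings.Add($web.RoleDefinitions[$permLevel])
        $web.RoleAssignments.Add($assignment)
    }
    # 4. Nest the AD security group as a member of the SharePoint group.
    $adPrincipal = $web.EnsureUser($adGroup)   # SPUser with IsDomainGroup = $true
    if (-not $adPrincipal.IsDomainGroup) { throw "$adGroup resolved to a user, not a group." }
    $group.AddUser($adPrincipal)
    Write-Host "Added $adGroup to '$spGroup' with '$permLevel' on $siteUrl"
}
finally {
    $web.Dispose()
}
```

Because the AD group is nested inside the SharePoint group rather than granted permissions directly, site owners can still see and manage the grant from Site Permissions, while the actual user list stays in AD.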
See Also
- SharePoint 2010 Installation – Adhere to the security practice of least privilege
- Claims authentication: http://sharepointdragons.com/2012/01/30/claims-in-sharepoint-2010/ and http://sharepointdragons.com/2012/04/26/claims-in-sharepoint-2010-the-sequel/
- ForeFront Identity Manager 2010 (FIM): http://www.microsoft.com/en-us/server-cloud/forefront/identity-manager-overview.aspx
- Info about AD: http://technet.microsoft.com/en-us/library/bb727067.aspx
- Info about SharePoint permissions: http://technet.microsoft.com/en-us/library/cc263239.aspx
Please note: This Wiki page was inspired by forum discussion http://social.technet.microsoft.com/Forums/en-US/sharepoint2010general/thread/1791d4f4-35bd-40d4-8bf1-0553f713af11
Best Practices Overview
- Also check out the SharePoint 2010 Best Practices page: http://social.technet.microsoft.com/wiki/contents/articles/8666.sharepoint-2010-best-practices-en-us.aspx
Other Languages
This article is also available in the following languages:
- fr-FR : SharePoint 2010 : Best Practices - Choisir entre des groupes AD et des groupes SharePoint (fr-FR)