SharePoint Groups vs. Active Directory Groups
As a Product Manager, I often have the opportunity to talk to our customers and prospects about their SharePoint deployments. Many of these conversations have been about the pros and cons of governance policies when using SharePoint Groups or Active Directory groups.
Governance policies are a set of rules and procedures put in place to help with the deployment, configuration, and management of SharePoint. In short, they determine how SharePoint will run, who will use it, and what equipment will be used.
Using governance policies in the assignment of permissions helps to control access and limit security risks. Groups are an indispensable tool in this process. Defining permissions through groups is easy to implement, scalable, and predictable. It’s far easier to define 100 users in a single group and apply permissions once than to apply permissions to 100 individual users.
So the next question is: SharePoint Groups or Active Directory Groups?
SharePoint Groups
Benefits – The definition and use of SharePoint Groups is under the control of the SharePoint administrators. SharePoint is a more dynamic environment where Sites and Lists are created for short-term use by teams as part of a project. SharePoint Groups provide the flexibility to be created when needed and then removed just as easily when the project is completed.
Limitations – The scope of a SharePoint group is limited to a Site Collection. So, if I want to give access to a group of users to more than one SharePoint Site Collection, I need to create that group in each of the Site Collections. If I do that, I end up having to manage membership across each of those SharePoint Groups separately.
Active Directory Groups
Benefits – Because Active Directory is the foundation of the operating system and Exchange, most companies are familiar with Active Directory Groups. They are used as security groups for access to network devices and other infrastructure and applications. They are also used to manage distribution lists in Exchange.
Limitations – Active Directory Group management (adding/removing users) is usually controlled by the Network group within IT. Due to the impact of these groups, IT departments usually have very strong controls and policies around membership requests and changes. These controls make it difficult for the SharePoint administrators to be responsive to the dynamic nature of SharePoint – meeting the needs of a collaborative use model.
So, Which Is Better?
You’re going to hate this answer – It depends… I’ve spoken to many customers who tell me that they have a strong governance policy in place that requires the use of Active Directory groups. Many of these companies also use SharePoint groups when someone needs access to a list or project site and can’t wait for the user to be added to the Active Directory group!
How can ControlPoint help?
Of course, ControlPoint has unique functionality that can help you manage those SharePoint groups. The number one issue (as described above) is that the scope of a SharePoint group is limited to a single site collection. If I create a SharePoint group, I can only grant that group permissions on the sites, lists or items within that site collection. However, with ControlPoint you can create a single group in any site collection and then synchronize its members and/or permission levels to SharePoint groups in other site collections. So, you only need to define the SharePoint group once – and then synchronize the membership with any number of groups in other Site Collections. You now have that “Global” group definition like you had with Active Directory groups.