What are the best practices for using SharePoint Groups with AD Security Groups

Mike T

    Does anyone here have best practices for applying security policy to SharePoint groups? Do you use security-enabled distribution lists in your SharePoint groups? Do you say to heck with that and add users manually?

  • It depends on who you want to control permissions/access levels to your SharePoint sites. For example: if you control access with AD security groups added into SharePoint groups, you might typically only have IT personnel, i.e. domain administrators, who can add and remove people in those AD security groups. This might result in a cumbersome security model. Using SharePoint groups with individual users, you can delegate control to business/end users, who may be able to add and remove users in SharePoint groups as required. This might result in security chaos…

    One thing I can say is that if you want some of the useful collaboration functionality to work, such as 'My SharePoint Sites' appearing in your Save As dialogs in Word, Excel etc., and the My Site site memberships listing the sites you are a member of, you need the users to be individually added to a site's members group. You can add the AD security groups here to make sure people have the right level of permissions, but these other collaboration features don't seem to work unless each user is in the SharePoint group.

  • In addition to some of the other pros and cons that have already been mentioned, one point in favor of using AD groups inside of SharePoint groups is that in large environments it tends to scale better. Here's one concrete example of this, related to the indexer for the MOSS search engine (there are certainly other examples as well).

    As you might expect from the name, an incremental crawl only needs to handle changes, so it can usually be run pretty frequently with minimal impact, leaving you with a nice fresh search index. However, if you have large, complex site collections with lots of SharePoint groups and unique ACLs on sites, libraries, etc., you'll find that your incremental crawls take a long time to complete even when very little content has changed. That's because the incremental crawl also has to map any security changes that have happened into the index so that search results are security trimmed properly. Since the index has a farm-wide scope, it doesn't really know about all the site-collection-level SharePoint groups, which means that any time the membership of one of those groups changes, it needs to "explode" all the members and reset the permissions accordingly on any items where that SharePoint group is used. However, if a SharePoint group contains an AD group, it just looks like a single "user" to SharePoint, and you can change the membership in AD to your heart's content without worrying about the performance impact on the search engine.
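The two answers above both hinge on the same fact: SharePoint stores an AD security group as a single principal (an SPUser whose IsDomainGroup is true), so delegation, the collaboration features that need individual members, and the crawler's security mapping all depend on what kind of principals each SharePoint group actually holds. The following PowerShell script is an added example, not code from the thread or from Microsoft; it uses the WSS 3.0 / MOSS 2007 server object model (SPSite, SPWeb.EnsureUser, SPGroup.AddUser, SPUser.IsDomainGroup, SPGroup.AllowMembersEditMembership), must run on a farm server under an account with rights to the site collection, and the site URL http://intranet and the AD group CONTOSO\Finance-Readers are assumed placeholders. It adds an AD security group to the site's default Members group as one principal, then audits every SharePoint group in the site, showing who may edit its membership and which entries are AD groups versus individual users.

```powershell
# Added example (not from the original thread): adds an AD security group to a
# SharePoint group as a single principal, then audits all SharePoint groups.
# Run on a WSS 3.0 / MOSS 2007 farm server; requires rights on the site collection.
# Assumed placeholders (not in the thread): the site URL and the AD group name.

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$siteUrl = "http://intranet"            # assumed site collection URL
$adGroup = "CONTOSO\Finance-Readers"    # assumed AD group; it must be security-enabled,
                                        # a plain (non-security) distribution list cannot
                                        # be granted permissions

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
$web  = $site.OpenWeb()
try {
    # EnsureUser resolves the AD group to one SPUser entry in the site collection.
    # Membership inside that AD group is never expanded by SharePoint itself.
    $principal = $web.EnsureUser($adGroup)
    "{0}: IsDomainGroup = {1}" -f $principal.LoginName, $principal.IsDomainGroup

    # Grant the whole AD group the permissions of the site's default Members group.
    $members = $web.AssociatedMemberGroup
    $already = $members.Users | Where-Object { $_.LoginName -eq $principal.LoginName }
    if (-not $already) {
        $members.AddUser($principal)   # commits immediately; no Update() needed
        "Added $adGroup to '$($members.Name)'"
    }

    # Audit: for each SharePoint group, who controls membership and what it contains.
    # Groups holding only AD groups will not light up per-user features such as
    # My Site memberships; groups full of individual users are the ones whose
    # membership changes cost the crawler a security re-mapping.
    foreach ($g in $web.SiteGroups) {
        $owner = if ($g.Owner) { $g.Owner.Name } else { "(none)" }
        "{0}  owner={1}  membersCanEdit={2}" -f $g.Name, $owner, $g.AllowMembersEditMembership
        foreach ($u in $g.Users) {
            $kind = if ($u.IsDomainGroup) { "AD group" } else { "user    " }
            "    $kind  $($u.LoginName)"
        }
    }
}
finally {
    # SPWeb and SPSite hold unmanaged resources; always dispose them.
    $web.Dispose()
    $site.Dispose()
}
```

The AllowMembersEditMembership column is the delegation question from the first answer made visible: a group whose members may edit membership is the "security chaos" case, while a group that contains only an AD group pushes every membership change back to whoever administers that AD group.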

Tags
security