with Active Directory Groups – Part 3
When users need to control their own SharePoint portals, delegate Active Directory group membership management
One of the best practices in group management is to delegate what you cannot automate. This is especially true when your organization uses SharePoint and wants to leverage Active Directory groups.
Microsoft provided a way to use Active Directory groups to control access to content on sites, but no way to manage those groups from the portal. To make group concepts possible, they also added SharePoint native groups, which have no connection to Active Directory groups. For the Active Directory administrator, this may defeat the purpose of leveraging common groups defined by a role or purpose.
It is also necessary to delegate control of who has access to the person(s) who create, author, or otherwise control the content in the site. This is most often NOT the same person who manages groups. Microsoft went so far as to provide a way for users to control groups in SharePoint, but these are not Active Directory groups. There is no built-in tool to manage Active Directory groups.
What your site owners really need is to be delegated the ability to add and remove members from the security groups that manage access to content. This way, there are not two sets of groups in the environment. The delegation needs to be done in such a way that there is confidence in it. That confidence comes from granular control and oversight, with appropriate approvals when necessary. Perhaps you also want users who do not have access to be able to request it from the site owner. All of this should happen within the same browser they use to access the SharePoint site itself.
Let me introduce you to GroupID Self Service.
Deploy a web portal where control can be delegated to specific people to manage the Active Directory groups that provide access to the site they govern. If you wish, allow other users to discover and request access to the SharePoint site, with the owner of the content approving or rejecting such requests. Meanwhile, confidence remains intact: at any time you can see the complete change history for the group through detailed logging.
Empowering your site owners to also manage membership of the Active Directory groups that grant access to the sites they govern will lighten the load on the IT staff while improving relative time to productivity. Further, by enabling users to request access to a SharePoint site through the same web-based interface, you reduce the communication and the unnecessary hurdles and obstacles placed in the way of efficient workers.