Most people know that when you construct a SharePoint site you can grant permissions a couple of ways. You can assign them user by user (time consuming and tiresome) or you can use groups.
But what type of group to use? You can either use a group created in SharePoint (a SharePoint group), or you can create a group in Active Directory which can be granted permissions in SharePoint (an Active Directory group).
After doing some research I came across some broad guidelines that I thought others might find helpful.
Use a SharePoint group when:
- You want membership updated online.
- You are a SharePoint administrator, the business line you support has given you an urgent request and the Active Directory team isn’t returning your emails, phone calls or pages and hasn’t offered any handy tools for managing Active Directory groups.
Use Active Directory groups:
- When one already exists for the site you are creating
- For broadly used SharePoint sites – if there are easily identified attributes that define group membership (like “department”)
- For sites that have a large membership – When the site gets crawled for updates it will need to look at all of the individual members. With a group, there is only one member and all updates are handled on the Active Directory side so the crawl is much faster.
There seem to be a couple of sticking points to using Active Directory groups for the majority of your SharePoint applications. The first is that many companies’ Active Directory controls may be lacking. In other words, there may not be confidence that the marketing department group really is that group and doesn’t also include Sharon from operations who was in marketing two years ago. That is easy to solve with automated provisioning and dynamic group membership.
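One way to measure that drift before an Active Directory group is trusted with SharePoint permissions, as an added example that is not from the original post or from GroupID. The function name `Get-GroupDrift`, the `Marketing` group and the sample users are hypothetical, and the sample data is constructed so the block runs without a domain.

```powershell
# Added example: audit a department-based group for membership drift.
# Get-GroupDrift, the 'Marketing' group and all sample users are hypothetical.
function Get-GroupDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Members,        # current group members
        [Parameter(Mandatory)] [object[]] $DirectoryUsers, # every candidate user
        [Parameter(Mandatory)] [string]   $Department      # attribute value that defines the group
    )
    $memberIds = @{}
    foreach ($m in $Members) { $memberIds[$m.SamAccountName] = $true }

    # Members whose attribute no longer matches, or whose account is disabled
    foreach ($m in $Members) {
        if ($m.Department -ne $Department) {
            [pscustomobject]@{ User = $m.SamAccountName; Finding = "WrongDepartment ($($m.Department))" }
        }
        elseif (-not $m.Enabled) {
            [pscustomobject]@{ User = $m.SamAccountName; Finding = 'DisabledAccount' }
        }
    }
    # Enabled users who carry the attribute but were never added to the group
    foreach ($u in $DirectoryUsers) {
        if ($u.Department -eq $Department -and $u.Enabled -and
            -not $memberIds.ContainsKey($u.SamAccountName)) {
            [pscustomobject]@{ User = $u.SamAccountName; Finding = 'MissingFromGroup' }
        }
    }
}

# Constructed sample data standing in for directory output.
$directory = @(
    [pscustomobject]@{ SamAccountName = 'sharon'; Department = 'Operations'; Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'alex';   Department = 'Marketing';  Enabled = $true  }
    [pscustomobject]@{ SamAccountName = 'lee';    Department = 'Marketing';  Enabled = $false }
    [pscustomobject]@{ SamAccountName = 'priya';  Department = 'Marketing';  Enabled = $true  }
)
$members = $directory | Where-Object { $_.SamAccountName -in 'sharon', 'alex', 'lee' }

Get-GroupDrift -Members $members -DirectoryUsers $directory -Department 'Marketing'

# Against a live domain (ActiveDirectory module) the same inputs would come from:
#   $members   = Get-ADGroupMember -Identity 'Marketing' -Recursive |
#                Where-Object objectClass -eq 'user' | Get-ADUser -Properties Department
#   $directory = Get-ADUser -Filter * -Properties Department
```

Any `WrongDepartment` or `DisabledAccount` finding is a user who inherits the group's SharePoint permissions without currently qualifying for them.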
Another concern seems to be that it can be difficult for SharePoint administrators to react quickly to the requests of the business when they have to go to the Active Directory team and ask for a new group. Similarly, Active Directory administrators are seldom thrilled to get those “need it now” requests. Everyone’s job becomes much easier if there is a simple solution to create new groups and maintain them dynamically.
With GroupID, you can even take the final step of using Active Directory groups which allow end users to join or leave them. With our Self Service module implemented as a web part, end users can create, manage, join and leave groups in Active Directory which can be given permissions in SharePoint. And that can be done with workflows which give IT and SharePoint administrators the proper control over the process.
GroupID also gives the ability to manage Active Directory security groups dynamically. Write a query as complex or as simple as needed to ensure that the group's membership is correct. Don’t take a chance that the Active Directory group is out of date for something as important as SharePoint.
Let us know if you would like to see how GroupID can solve these SharePoint group problems.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.