SharePoint groups vs. Active Directory groups
Before I start setting permissions on SharePoint sites and libraries I need to determine the best way to do this. Do I use SharePoint groups and manage permissions directly or create groups in Active Directory, then use these to assign permissions?
Here are some of the reasons for and against each method:
|SharePoint Groups||Active Directory Groups|
|Accounts can be created for users that don’t have Active Directory accounts||Users must have an account in Active Directory|
|Users can be managed from within SharePoint. Site owners can be delegated permission to do this.||Users can be managed within Active directory. Only AD administrators will be able to do this.|
|Users can view members of these groups||Users cannot view members of these groups|
|Other SharePoint groups cannot be added as a member||Other Active Directory groups can be added as a member|
I have decided to use Active Directory groups as it suits the needs of most large organisations. With the IT helpdesk regularly creating accounts for new users, and removing accounts for leavers, they do not have to worry about managing permissions inside SharePoint as the existing groups that define job roles will be used to define SharePoint permissions too.