Active Directory Groups vs. SharePoint Groups for User Management: The Denouement

Last week I did a post about when you might decide to use Active Directory groups versus SharePoint groups. It was less about managing the security, and more about understanding the membership of the groups.

I got a *lot* of comments, emails, tweets, grumbles, and groans about the post. This seems to be a really common question, and while there are some possible answers, they aren’t all straightforward or cheap. Here are a few of the suggestions that I received:

And the warnings:

  • Watch out for performance
  • Nested Active Directory groups mean that you could get into infinite loops when expanding them (this seems to me like it would be the developer’s fault for not handling that possibility, though)
  • Issues with the information in SharePoint groups and Active Directory groups being out of synch
  • and on and on…

So what did we decide to do? We chucked the idea of using Active Directory groups in favor of the ease of use of SharePoint groups. No, we didn’t like this answer, either. I would posit that there needs to be a SIMPLE way to expand an Active Directory group within SharePoint that doesn’t involve custom coding. While there are many third party tools out there that sort of tackle this, they are mostly overkill and in most cases, it’s not even clear if they would do the simple thing we were looking for.

My client may at some later point decide to buy one or more of the third party tools for other reasons, which may give them a solution for this as well. It just didn’t make sense at this juncture.

So the score of the game for this one was SharePoint: 1, client requirements: 0. I feel that it was an unfortunate outcome, but one that we couldn’t improve upon.

p.s. At least I got to use the word denouement in a post about SharePoint. There’s always that.

Active Directory Groups vs. SharePoint Groups for User Management: A Dilemma

UPDATE (2011-02-22): If you find this topic interesting, you might also like to read my follow up post Active Directory Groups vs. SharePoint Groups for User Management: The Denouement

I’m working with a small municipality and, like I always do, I recommended that they manage user groups in Active Directory as much as possible. Then they can add those AD groups as “users” to their SharePoint groups and inherit all the AD goodness.

In doing some research on this, I found a nice post by Alexander Brütt that does a good job in painting the differences between the two approaches in a nice little table, which I’m lifting and showing below. Note the bullet that I’ve highlighted; I’ll talk about it more below.


Source: SharePoint Groups vs. Active Directory Groups by Alexander Brütt

But wait a second. It’s not that simple. In thinking about this, I’ve been blessed in the past by IT inability to manage AD effectively. What I mean is that I’ve always recommended that groups from AD be used for things like department membership. However, in EVERY SINGLE CASE that I can remember, the answers were things like “But all of the data in AD is wrong” or “IT won’t let us do that”. So I suggest that they fix the data: “Too hard – we’d rather maintain our own data.” (What??? It’s easier to create your own data than fix what’s basically already there?) Talk to IT about making this work: “Forget it, that’ll never happen.” (What??? That’s your IT department’s service message?)

Listen up, IT folks: making your AD a walled fortress doesn’t serve you at all well. You don’t want people saying things like “those idiots in IT can’t manage data” (someone really said this to me once). Active Directory is supposed to be the one place that manages user identity and demographic data. At least that’s its intent. In most cases, there are 3 or 4 or even a dozen other systems stitched together to manage some aspects of user information instead because AD or its guardians are seen as too hard to work with. As much trouble as the User Profile Service seems to be to work with in SharePoint 2010 (see Spence Harbar’s articles before you even think about setting up UPS), AD is still the best source for user information.

So, the reason for the bit of a rant above is that now that I’m in an environment which is small enough and smart enough that AD is in great shape, we’re trying to use AD groups and there’s one hitch. SharePoint doesn’t give us a way to display the members of an AD group in any straightforward way. (I know, with code all things are possible, but we’re trying to go as out of the box here as possible.) A simple example is that we’d like to display the site members on each departmental site. Basically, it’ll be a department directory of sorts. You can easily do this with a SharePoint group using the Site Users Web Part. However, since SharePoint sees the AD group as a “user”, you just get one “user” listed when you’ve added the Site Users Web Part and asked it to “Show people in this site’s member group”.
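To illustrate both the hitch above (a SharePoint group member that is really an AD group holding many people) and the nested-group infinite-loop warning from the follow-up post, here is an added example that is not from the post or from SharePoint itself: a cycle-safe expansion of nested groups into a flat list of people. The in-memory directory, domain name and group names are constructed stand-ins for a real AD lookup.

```python
# Added example (not the post's code): expand a SharePoint group's members,
# which may mix individual users and AD groups, into the flat set of people
# who actually have access. A 'seen' set makes each group expand once, so a
# membership cycle (Finance -> Finance-Leads -> Finance) terminates instead
# of looping, and a group reached via two parents is not expanded twice.
# DIRECTORY is a constructed stand-in for AD; all names are hypothetical.

from collections import deque

# principal name -> ("user", None) or ("group", [member principal names])
DIRECTORY = {
    "CONTOSO\\alice": ("user", None),
    "CONTOSO\\bob": ("user", None),
    "CONTOSO\\carol": ("user", None),
    "CONTOSO\\dave": ("user", None),
    # Nested groups containing a cycle: Finance <-> Finance-Leads
    "CONTOSO\\Finance": ("group", ["CONTOSO\\alice", "CONTOSO\\Finance-Leads"]),
    "CONTOSO\\Finance-Leads": ("group", ["CONTOSO\\bob", "CONTOSO\\Finance"]),
    "CONTOSO\\Planning": ("group", ["CONTOSO\\carol", "CONTOSO\\Finance"]),
}


def expand_members(principals, directory=DIRECTORY):
    """Return the sorted list of users reachable from the given principals.

    Groups are expanded breadth-first. Each principal is looked up at most
    once (the 'seen' set), which is what turns a cyclic membership graph
    from an infinite loop into a finite walk and bounds the number of
    directory lookups to the number of distinct principals.
    """
    users = set()
    seen = set()
    queue = deque(principals)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        kind, members = directory.get(name, ("unknown", None))
        if kind == "user":
            users.add(name)
        elif kind == "group":
            queue.extend(members)
        # Unknown principals (e.g. a deleted account still listed in a
        # SharePoint group) are skipped rather than aborting the expansion.
    return sorted(users)


if __name__ == "__main__":
    # A site's Members group holding one direct user and one AD group.
    print(expand_members(["CONTOSO\\dave", "CONTOSO\\Planning"]))
```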

I turned to Twitter and #SPHelp on this one and the responses I’ve gotten are more of the “tell me how you do this when you figure it out because we need it, too” variety. I’ve had some suggestions that seem too convoluted to me. This seems like it *should* be such a common thing, but apparently it’s not. Maybe my prior experiences with AD are indeed the norm and no one ever really ends up using AD groups, so this rarely comes up.

So, no answers here to my actual dilemma. I’m wondering if this might be a nice little piece of functionality to wrap up as a jQuery plugin, but I’m not sure how to do it. I’d prefer to avoid deploying code to the server in this instance, but I’m open to it if anyone has anything useful.

I’d appreciate your thoughts in the comments!