Active Directory Groups vs. SharePoint Groups for User Management: A Dilemma
<UPDATE date="2011-02-22">
If you find this topic interesting, you might also like to read my follow-up post Active Directory Groups vs. SharePoint Groups for User Management: The Denouement
</UPDATE>
I’m working with a small municipality and, like I always do, I recommended that they manage user groups in Active Directory as much as possible. Then they can add those AD groups as “users” to their SharePoint groups and inherit all the AD goodness.
In doing some research on this, I found a nice post by Alexander Brütt that does a good job in painting the differences between the two approaches in a nice little table, which I’m lifting and showing below. Note the bullet that I’ve highlighted; I’ll talk about it more below.
Source: SharePoint Groups vs. Active Directory Groups by Alexander Brütt
But wait a second. It’s not that simple. In thinking about this, I’ve been blessed in the past by IT inability to manage AD effectively. What I mean is that I’ve always recommended that groups from AD be used for things like department membership. However, in EVERY SINGLE CASE that I can remember, the answers were things like “But all of the data in AD is wrong” or “IT won’t let us do that”. So I suggest that they fix the data: “Too hard – we’d rather maintain our own data.” (What??? It’s easier to create your own data than fix what’s basically already there?) Talk to IT about making this work: “Forget it, that’ll never happen.” (What??? That’s your IT department’s service message?)
Listen up, IT folks: making your AD a walled fortress doesn’t serve you at all well. You don’t want people saying things like “those idiots in IT can’t manage data” (someone really said this to me once). Active Directory is supposed to be the one place that manages user identity and demographic data. At least that’s its intent. In most cases, there are 3 or 4 or even a dozen other systems stitched together to manage some aspects of user information instead because AD or its guardians are seen as too hard to work with. As much trouble as the User Profile Service seems to be to work with in SharePoint 2010 (see Spence Harbar’s articles before you even think about setting up UPS), AD is still the best source for user information.
So, the reason for the bit of a rant above is that now that I’m in an environment which is small enough and smart enough that AD is in great shape, we’re trying to use AD groups and there’s one hitch. SharePoint doesn’t give us a way to display the members of an AD group in any straightforward way. (I know, with code all things are possible, but we’re trying to go as out of the box here as possible.) A simple example is that we’d like to display the site members on each departmental site. Basically, it’ll be a department directory of sorts. You can easily do this with a SharePoint group using the Site Users Web Part. However, since SharePoint sees the AD group as a “user”, you just get one “user” listed when you’ve added the Site Users Web Part and asked it to “Show people in this site’s member group”.
I turned to Twitter and #SPHelp on this one and the responses I’ve gotten are more of the “tell me how you do this when you figure it out because we need it, too” variety. I’ve had some suggestions that seem too convoluted to me. This seems like it *should* be such a common thing, but apparently it’s not. Maybe my prior experiences with AD are indeed the norm and no one ever really ends up using AD groups, so this rarely comes up.
So, no answers here to my actual dilemma. I’m wondering if this might be a nice little piece of functionality to wrap up as a jQuery plugin, but I’m not sure how to do it. I’d prefer to avoid deploying code to the server in this instance, but I’m open to it if anyone has anything useful.
I’d appreciate your thoughts in the comments!
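The hitch described above (SharePoint stores an AD group as a single SPUser, so nothing out of the box lists the people inside it) can at least be worked around on the server side, which is also what you want for an access review of who can really get into a departmental site. The script below is an added example, not code from this post or from any SharePoint product; it assumes SharePoint 2010 with classic (Windows) authentication, so that `SPUser.LoginName` has the form `DOMAIN\name`, that the ActiveDirectory module is installed on the server, and that `$SiteUrl` is a placeholder you replace. It walks the site's associated Members group, uses `SPUser.IsDomainGroup` to tell AD groups from individual users, and expands each AD group recursively with `Get-ADGroupMember`, de-duplicating people who arrive via more than one path.

```powershell
# Added example (not from the original post): list the effective users of a
# SharePoint 2010 site's Members group, expanding AD groups that SharePoint
# stores as single "users". Assumptions: SharePoint 2010 on this server,
# classic Windows authentication (LoginName = "DOMAIN\name"), RSAT AD module
# present. $SiteUrl is a placeholder.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$SiteUrl = "http://sharepoint.example.local/sites/finance"   # placeholder URL

$web = Get-SPWeb $SiteUrl
try {
    # The group the Site Users Web Part shows for "this site's member group".
    $group = $web.AssociatedMemberGroup

    # sAMAccountName -> display name; a hashtable de-duplicates users that are
    # members directly and through a nested group.
    $effective = @{}

    foreach ($principal in $group.Users) {
        # Strip "DOMAIN\" to get the sAMAccountName (classic auth assumption).
        $samName = ($principal.LoginName -split '\\')[-1]

        if ($principal.IsDomainGroup) {
            # SharePoint only knows the group as one principal; AD knows the people.
            # -Recursive follows nested groups and returns leaf objects only.
            Get-ADGroupMember -Identity $samName -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object { $effective[$_.SamAccountName] = $_.Name }
        }
        else {
            $effective[$samName] = $principal.Name
        }
    }

    # Emit one object per effective user so the result can be piped to
    # Export-Csv or compared against the last review.
    $effective.GetEnumerator() |
        Sort-Object Key |
        ForEach-Object {
            New-Object PSObject -Property @{
                Account     = $_.Key
                DisplayName = $_.Value
            }
        }
}
finally {
    # SPWeb holds unmanaged resources; always dispose it.
    $web.Dispose()
}
```

Run it from the SharePoint 2010 Management Shell on a farm server as an account that has read access to the site and to AD. It reports people only; the departmental directory the post wants would still need something to render this list, and the output is just as useful turned around as a permissions check, since anyone who can get into the site through a nested group appears here even though the SharePoint UI shows only the group.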
So Marc, in the very end what did you end up doing?
Hai,
I have an issue: is it possible to send a mail to the security group “without” enabling Email? Is it possible?
If it is possible, please share any information regarding this issue.
thanks,
suresh
suresh:
I’m not sure I understand what you mean. If there’s no email enabled, then how could you send an email? Maybe use a mailto: link?
M.
Hey Marc,
I’m running into this issue of trying to get the members of a SharePoint group that contains AD groups. I think you noted at some point that it could be done with search, but I can’t find a link. Did you figure out how to get the members of a group, INCLUDING AD members?
Thanks,
Russell
Sorry, but nothing useful, Russell, as I outline in these two posts. You end up with one set of issues or another.
I don’t recall any search trick, either.
M.