
SharePoint Groups vs. Active Directory Groups

May 19th, 2009 Posted in SharePoint

I’ve discussed this topic quite often during the last months. After those discussions I figured out that it’s more a question of when to use which kind of group rather than which kind is better than the other. In this post I just write down some advantages and disadvantages of the group types and let you choose which kind fits your needs better.

| SharePoint Group | Active Directory Group |
| --- | --- |
| (+) Members of this group can be added/removed from within SharePoint. The permission to add or remove users from the group can be delegated to SharePoint users. | (+) Members of this group can be managed within Active Directory. Only Active Directory administrators have the permission to modify group memberships. |
| (+) Members of this group can be visible to users. | (-) Members of this group are not visible to users. |
| (-) Cannot contain another SharePoint group as member. | (+) Can contain another Active Directory Group. |
| (+) Must have a unique name on site collection level. The name is the unique identifier of the group. | (-) Can cause serious problems in large scale scenarios: A user may only be a member of 1024 Active Directory groups (recursively). If this number is reached the user is no longer able to log on to Windows. Read the Microsoft documentation for more information. |
| (+) Can contain SharePoint users that do not exist in the Active Directory. | |
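
An added example (not part of the original post) for the recursive membership count in the comparison above: it expands nested groups over a constructed membership map and flags users near the 1024-group figure the post cites. The `MEMBER_OF` data, all names in it and the 80% warning threshold are assumptions for illustration; in practice the map would come from a directory export.

```python
from collections import deque

GROUP_LIMIT = 1024  # figure cited in the post (counted recursively)

def transitive_groups(principal, member_of):
    """Return every group the principal is in, directly or through nesting."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this also stops circular nesting
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen

def audit(users, member_of, limit=GROUP_LIMIT, warn_ratio=0.8):
    """Map user -> (direct count, recursive count, status)."""
    report = {}
    for user in users:
        direct = len(set(member_of.get(user, ())))
        total = len(transitive_groups(user, member_of))
        if total >= limit:
            status = "at-limit"
        elif total >= limit * warn_ratio:  # assumed warning threshold
            status = "warning"
        else:
            status = "ok"
        report[user] = (direct, total, status)
    return report

# Constructed sample data: principal -> groups it is a direct member of.
MEMBER_OF = {
    "alice": ["Team-A", "Project-X"],
    "Team-A": ["Dept"],
    "Dept": ["Division"],
    "Division": ["All-Staff"],
    "All-Staff": ["Team-A"],  # circular nesting, handled by the seen set
    "bob": ["Role-0"],        # one direct group, deep nesting below it
    "carol": [f"Res-{i}" for i in range(900)],  # many direct groups
}
for i in range(1023):  # Role-0 nested in Role-1 ... nested in Role-1023
    MEMBER_OF[f"Role-{i}"] = [f"Role-{i + 1}"]

if __name__ == "__main__":
    for user, row in audit(["alice", "bob", "carol"], MEMBER_OF).items():
        print(user, *row)
```

The `bob` case shows why the direct membership count alone is misleading: a single direct group can pull in the full nested chain.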

8 Responses to “SharePoint Groups vs. Active Directory Groups”

  1. Mads Nissen Says:

    Might be relevant to add a “With 3rd party” rowset to the matrix. I.e. with 3rd party Active Directory web parts you’ll be able to explode groups and see users, and potentially also manage some AD OUs from a SharePoint environment.


  2. Alexander Brütt Says:

    Hi Mads, indeed there is a built-in Web Part that displays the members of an Active Directory Group. I should mention this in the post.

    If you have any examples of 3rd party tools just let me know. I haven’t seen any 3rd party SharePoint controls yet that can manage AD items (Groups/OUs).


  3. Tom Winter Says:

    Possibly another thing to add is that you cannot “normally” create alerts for SharePoint groups, as you can for AD groups. Here’s a workaround though: http://www.amosfivesix.com/sharepoint/21-how-to-create-alerts-for-sharepoint-groups


  4. Phil Says:

    There is no built-in web part that will display the members of an AD group, only SharePoint groups.


  5. Jamie Says:

    Can Active Directory permissions sync over to SharePoint?


  6. Albert van Grondelle Says:

    What is this built-in Web Part, which displays the members of an Active Directory Group, called in SharePoint 2010?


  7. Denis Says:

    Is it possible to restrict access to a specific SharePoint sub-site based on AD OU, rather than SharePoint group?
    Or do I first need to sync all users from AD, then create SharePoint groups for them and populate them with migrated profiles?


  8. Bastiaan Kortenbout Says:

    Audiencing on webparts using AD groups does not work.

