downside of using AD groups

Posted on 2010-01-08
Last Modified: 2012-05-08
So here's a couple downsides of using AD groups to secure a SharePoint site.  I'm wondering if anyone has a workaround...

1. Site Users Web Part only displays the AD group; it doesn't expand the membership to show you individual users like it does for SharePoint groups

2. In Word, Excel, etc., when you want to see the members of the team site, again you only see the AD group, not the individual members!

Basically the common thread between these 2 is an inability to expand out the AD group membership (both in Site Users Web Part, or Office Documents).  Has anyone figured out a way to deal with this insufficiency, and is it perhaps addressed in SP 2010?

Question by:crmsharepoint
    LVL 51

    Accepted Solution

    No.  SharePoint manages its own permissions model that allows AD groups to be part of the SharePoint groups, however, AD group membership will always remain outside SharePoint.  SharePoint can be configured for Forms-Based Authentication so they decided to keep the external authentication separate.

    When you are using Word or Excel you are connected to AD so it's a different list.

    In some cases our team has written custom code to sync SharePoint groups with email-enabled security groups so we can set up the ability for participants to join or subscribe to SharePoint team sites without the site owner having to manage the members.
    LVL 3

    Assisted Solution

    Expanding on Tedbilly's answer, here are two things I think you may be interested in!
    There are some SharePoint site user web parts, like the SharePoint Site User Directory web part, which improve the original web part a lot. I have not used that yet, therefore I have no idea whether those improvements are useful or not.
    We usually use SharePoint groups over AD security groups. The reason is that AD groups do not allow you to view the members in SharePoint, so it is difficult to determine who has access to what.
    Hope this helps!
    LVL 1

    Author Closing Comment

    We can't use SP boost as based on my research the company is of Chinese origin.  It is viewed as a potential threat in this particular environment.

    For AD groups I found another drawback today.  The people picker can only be restricted based on SP groups!  If you add an AD group to a SP group, then limit a people picker field to use that SP group, it will not be smart enough to figure out the AD members.  Shame.  Ah well.
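
The thread's recurring problem is that SharePoint shows only the AD group, so it is hard to see who actually has access. The following is an added example, not part of the thread or any poster's code: an access-review script that walks a site's role assignments and asks AD to expand each domain group. It assumes the SharePoint 2010 Management Shell, classic Windows authentication, a single AD domain and the ActiveDirectory module; the function name and the URL in the usage comment are hypothetical.

```powershell
# Added example, not from the thread. Assumes: SharePoint 2010 Management Shell,
# classic Windows authentication (logins look like DOMAIN\name), one AD domain,
# and the ActiveDirectory module (RSAT) on the machine running the script.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function Get-SiteEffectiveMember {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$WebUrl)

    $web = Get-SPWeb $WebUrl
    try {
        foreach ($ra in $web.RoleAssignments) {
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '

            # A role assignment targets either a SharePoint group or a single principal.
            if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                $principals = @($ra.Member.Users)
            } else {
                $principals = @($ra.Member)
            }

            foreach ($p in $principals) {
                if ($p.IsDomainGroup) {
                    # SharePoint stores only the AD group itself; ask AD for the people in it.
                    $sam = ($p.LoginName -split '\\')[-1]
                    try {
                        $found = Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop
                        $names = @($found | ForEach-Object { $_.SamAccountName })
                    } catch {
                        # Built-in principals such as "authenticated users" have no AD group object.
                        $names = @("<could not expand: $($_.Exception.Message)>")
                    }
                } else {
                    $names = @($p.LoginName)
                }
                foreach ($n in $names) {
                    New-Object PSObject -Property @{
                        GrantedTo = $ra.Member.Name; Via = $p.LoginName
                        User = $n; PermissionLevels = $levels
                    }
                }
            }
        }
    } finally {
        $web.Dispose()
    }
}

# Usage (placeholder URL):
# Get-SiteEffectiveMember -WebUrl 'http://intranet.example/sites/team' | Sort-Object User | Format-Table -AutoSize
```

Each output row pairs an individual account with the principal that grants it access and the permission levels involved, so nested AD membership shows up in the same report as direct SharePoint group membership.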
