

downside of using AD groups

Posted on 2010-01-08
Medium Priority
Last Modified: 2012-05-08
So here are a couple of downsides of using AD groups to secure a SharePoint site. I'm wondering if anyone has a workaround...

1. Site Users Web Part only displays the AD group; it doesn't expand the membership to show you individual users like it does for SharePoint groups

2. In Word, Excel, etc., when you want to see the members of the team site, again you only see the AD group, not the individual members!

Basically the common thread between these 2 is an inability to expand out the AD group membership (both in the Site Users Web Part and in Office documents). Has anyone figured out a way to deal with this insufficiency, and is it perhaps addressed in SP 2010?

Question by: crmsharepoint
LVL 51

Accepted Solution

Ted Bouskill earned 1000 total points
ID: 26274994
No. SharePoint manages its own permissions model that allows AD groups to be part of the SharePoint groups; however, AD group membership will always remain outside SharePoint. SharePoint can be configured for Form Based Authentication, so they decided to keep the external authentication separate.

When you are using Word or Excel you are connected to AD so it's a different list.

In some cases our team has written custom code to sync SharePoint groups with email-enabled security groups so we can set up the ability for participants to join or subscribe to SharePoint team sites without the site owner having to manage the members.

Assisted Solution

Leo_Skybird earned 1000 total points
ID: 26280209
Expanding on Tedbilly's answer, here are two things I think you may be interested in!

There are some SharePoint site user web parts, like the SharePoint Site User Directory web part, which improve on the original web part a lot. I have not used that yet, therefore I have no idea whether those improvements are useful or not.

We usually use SharePoint groups over AD security groups. The reason is that AD groups do not allow you to view the members in SharePoint, so it is difficult to determine who has access to what.

Hope this helps!

Author Closing Comment

ID: 31684672
We can't use SP boost as based on my research the company is of Chinese origin.  It is viewed as a potential threat in this particular environment.

For AD groups I found another drawback today. The people picker can only be restricted based on SP groups! If you add an AD group to a SP group, then limit a people picker field to use that SP group, it will not be smart enough to figure out the AD members. Shame. Ah well.
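
The recurring complaint in this thread is that SharePoint shows only the AD group, not who is in it, which makes it hard to say who has access to what. The following is an added example, not code from any poster in the thread: a PowerShell access report that walks a site's role assignments and expands each AD group with `Get-ADGroupMember`. The function names and the URL are hypothetical, and it assumes SharePoint Server with classic Windows authentication and the ActiveDirectory module available on the host.

```powershell
# Added example. Assumes: SharePoint Management Shell on a farm server,
# classic Windows authentication, and the ActiveDirectory (RSAT) module.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

function New-AccessRow($Account, $ADGroup, $SPGroup, $Levels) {   # hypothetical helper
    New-Object PSObject -Property @{
        Account = $Account; ViaADGroup = $ADGroup; ViaSPGroup = $SPGroup; Levels = $Levels }
}

function Get-SPWebAccessReport {                                   # hypothetical name
    param([Parameter(Mandatory = $true)][string]$WebUrl)
    $web = Get-SPWeb -Identity $WebUrl
    try {
        foreach ($ra in $web.RoleAssignments) {
            # Permission levels (Read, Contribute, ...) bound to this assignment
            $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
            if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                $spGroup = $ra.Member.Name; $principals = @($ra.Member.Users)
            } else {
                $spGroup = '(direct)'; $principals = @($ra.Member)
            }
            foreach ($p in $principals) {
                if (-not $p.IsDomainGroup) {
                    New-AccessRow $p.LoginName '' $spGroup $levels
                    continue
                }
                try {
                    # -Recursive flattens nested AD groups to their leaf accounts
                    $members = @(Get-ADGroupMember -Identity $p.Sid -Recursive -ErrorAction Stop)
                } catch {
                    # Built-in principals or groups in a domain this host cannot query
                    New-AccessRow '(unresolved)' $p.LoginName $spGroup $levels
                    continue
                }
                foreach ($m in $members) {
                    New-AccessRow $m.SamAccountName $p.LoginName $spGroup $levels
                }
            }
        }
    } finally { $web.Dispose() }
}

# Constructed URL; replace with the site under review.
Get-SPWebAccessReport -WebUrl 'http://sharepoint.example.local/sites/team' |
    Sort-Object Account | Format-Table Account, ViaADGroup, ViaSPGroup, Levels -AutoSize
```

The report covers role assignments on the web itself; lists or items with unique permissions need the same walk over their own `RoleAssignments`. Rows marked `(unresolved)` are groups the script could not expand and should be reviewed by hand.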

Question has a verified solution.