SharePoint Groups vs AD Groups vs Global Audiences
A recent question came up on the SharePoint Community Group at LinkedIn which asked whether to use SharePoint Groups or SharePoint Audiences to manage users. Here’s my attempt to answer the question. I also want to include a little discussion on SharePoint Audiences as I believe they are a totally underused resource in SharePoint but are so flexible.
Just in case you need a fast refresher here is a quick summary:
- SharePoint Group. A collection of users and groups, managed and stored in SharePoint. Usually administered by a SharePoint Site Owner (Site Admin).
- Active Directory (AD) Group. A collection of users and groups created, managed and stored in Active Directory. Usually administered by an IT person.
- Global Audience. A way to dynamically create a collection of users based on a set of rules. Usually administered by a SharePoint Central Administrator.
So which should you be using – in brief!
To lower your overall administration effort, always choose AD Groups wherever possible to manage your users. For example, if you have a Finance Team, Sales Team, IT Department, create AD Groups and add the users into those. If you have an ‘Ad Hoc’ requirement (e.g. for a temporary 6 month project) using a group that needs to be administered by non-techy would probably be most beneficial, so choose a SharePoint Group. Most of the arguments boil down to reuse, ownership,administration effort and performance.
Pros and Cons of an AD Group
- Once you have defined your structure within AD you can re-use it anywhere. This means that it can be used not only across several SharePoint Site Collections, but also in many different systems. Using technologies such as DirSync you can synchronize your on-premises AD with a remote AD (e.g. Office 365).
- Making the choice to go with AD Groups means you only have one centralised place to administer users, not several. For example, say you create 5 SharePoint Finance Groups and add users into each one, then you’d have an admin nightmare. What happens if someone leaves Finance?
- For larger Farms the guidance is to use AD groups for performance reasons.
- SharePoint site owners can’t self-serve. If you solely decide to consolidate on AD Groups then this means that usually only 1 or 2 people can administer the groups.
Pro’s for SharePoint Groups
- SharePoint site owners can self-serve. This means a SharePoint admin can login, create a group and add some users. None of that relies on the IT department to manage AD.
- A SharePoint Group serves as a container to configure permissions levels against. What this means is that you can create a group, assign a custom permission level to it and then use that group to secure sites, documents, libraries etc. This is more important if you have a site collection with lots of unique permission that are spread out over the topology.
- A SharePoint Group is only scoped to the site collection. This means if you create a group in one site it won’t automatically be available in other site collections. You’d need to manually copy and synchronise it, or write some Powershell to do this.
- SharePoint Groups can only contain 5,000 users (principals) and you can’t embed an SharePoint Group in another SharePoint Group. (Although you can add an AD group to a SharePoint Group :))
- You are limited to 10,000 groups per site collection.
- There are also other limitations around capacity, which can be discovered in this article on Technet.
- SharePoint Groups can contain orphaned users. If you delete someone from AD they will be orphaned in all of the SP Groups, unless you manually clear them out.
- Modelling your staff structure in SharePoint isn’t reusable to other systems unless you write some code to sync the two. Most applications and services today know how to talk with AD.
So which should you be using?
- To lower your overall administration effort, always choose AD Groups to manage your users. For example, if you have a Finance Team, Sales Team, IT Department, create AD Groups and add the users into those.
- If you have an tactical, short-term requirement (e.g. for a 6 month project) go for a SharePoint group so that it can be administered by non-techies. (Be careful though as very often tactical solutions have a habit of being around for years!
- If you don’t need use the security features of a group and purely want to target content to groups of users, look at using Global Audiences as these are so easy to configure and dynamically re-populate with no interaction.
- As you can hopefully see – most arguments boil down to reuse, ownership,administration effort and performance. Find out what’s important to you.
Why not use AD Groups within SharePoint Groups?
If you want to enjoy “some” of the best of both worlds why not use both by embedding AD Groups into SharePoint Groups? If you need to secure a site to just your IT, Finance and Marketing departments, then create a SharePoint Group and add the 3 AD groups into it. You can also do this on a one to one basis. For example, create a “Finance Team (SP)” SharePoint Group and add the “Finance Team” AD group into that.
Have you Considered Global Audiences?
Global Audiences are dynamically created based on a set of rules. If users meet the audience criteria they will automatically become a member of the audience. Audiences can be compiled regularly using a background SharePoint job. Every time the schedule ‘kicks off’ the Active Directory will be searched for users who meet the criteria and will be included in (or excluded from) the audience. This means that the audience membership can change over time, however each time the audience is compiled, only users who meet the specified criteria will be included. By using rules or criteria (assuming that your base information is kept up to date) means that you can be assured that the right users are contained in the audience. The big plus here is that, once the audience rules are set, manual maintenance of audience members is not required.
One thing to note – Global Audiences are NOT a security feature. They simple allow you to target content to a user based on their membership. For example, if you want to show your finance team news ‘targeted’ to them – this is pretty easy. However, if the Finance team wanted to navigate to IT related news they could. Think of SharePoint Audiences as personalised view over your list data and web parts.
Want to know more then read : What is the difference between a SharePoint Group and an SharePoint Audience
Targeting information to groups of users
Regardless of the way you chose to group your users, once those groups are created you can easily target information stored within SharePoint libraries to them and if required monitor who has (or has not read it).
Want to know how to assign a document, video, web page, announcement (and many more) to a group of users?
If you are interested to learn how you can assign a document to a SharePoint Group, Active Directory Group, SharePoint Audience or set of users then please read ‘Audience Targeted Reading with DocRead’. Once you have assigned a document to a “group” each user is then assigned a Reading Task and a deadline to complete it by. With the reports available in DocRead – it’s really easy to track who has and hasn’t confirmed reading the document.
What about Forms-based authentication?
It’s also possible to source your users from other systems such as a SQL Database. This is often referred to as ‘Forms-based Authentication’. In this situation you still have the concept of groups, but they are usually known as ‘Roles’. However, for the purposes of this debate you should think of them as having the same pros and cons as AD. If you want to know more about how to allow 3rd party users onto your SharePoint platform, we recommend looking at a product by our partner company called ‘Extradium for SharePoint’.