Active Directory Groups

PROS

  • Maintained regularly by IT folks. Because AD controls user access to the rest of the company's properties (email, laptops, network drives), AD is usually pretty well maintained.
  • Can be nested. That means you can embed one AD group inside another AD group. This is useful when you want to build a hierarchical security structure (various groups within a department).

CONS

  • Managed by the IT department. This means that if you need to add a user to the site on the fly (in other words, you first need to add the user to an AD group), you need to be good friends with the IT guys within your organization if you want this to be done quickly.
  • Can’t see members inside of an AD group in SharePoint. If you add an AD group to the site, you can’t drill into it and see who its members are. For that, you will need to contact IT.
  • Can only contain members that are part of the organization (employees). Since AD groups control access to company Intellectual Property (IP), they are rarely used to store account information of non-employees. In SharePoint, that means that you will need to rely on a SharePoint group for external sharing.
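
Because nesting is invisible from the SharePoint side, it is worth expanding an AD group before granting it access to a site. The following is an added example, not part of the original article: it walks the nesting with the ActiveDirectory module (RSAT) and reports each user together with the chain of groups that grants membership. The function name `Get-NestedGroupAccess` and the group name `Finance-All` are hypothetical placeholders, and the account running it is assumed to have read access to group membership.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (not a built-in cmdlet): lists every user who would gain
# access through an AD group, with the nesting path that grants it.
function Get-NestedGroupAccess {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string[]] $Path = @(),
        [System.Collections.Generic.HashSet[string]] $Seen
    )

    if ($null -eq $Seen) {
        $Seen = [System.Collections.Generic.HashSet[string]]::new()
    }

    $g = Get-ADGroup -Identity $Group

    # AD permits circular nesting (A in B, B in A). Expand each group once only,
    # so a group reached by a second route is not listed again.
    if (-not $Seen.Add($g.DistinguishedName)) { return }

    $chain = $Path + $g.Name

    # Without -Recursive, Get-ADGroupMember returns direct members only,
    # which lets us record the path through each nested group.
    foreach ($m in Get-ADGroupMember -Identity $g) {
        if ($m.objectClass -eq 'group') {
            Get-NestedGroupAccess -Group $m.DistinguishedName -Path $chain -Seen $Seen
        }
        elseif ($m.objectClass -eq 'user') {
            $u = Get-ADUser -Identity $m.DistinguishedName
            [pscustomobject]@{
                User    = $u.SamAccountName
                Enabled = $u.Enabled          # disabled accounts left in groups are cleanup candidates
                Via     = $chain -join ' > '  # e.g. Finance-All > Finance-Managers
            }
        }
    }
}

# 'Finance-All' is a placeholder; use the AD group you intend to grant on the site.
Get-NestedGroupAccess -Group 'Finance-All' |
    Sort-Object User, Via |
    Format-Table -AutoSize
```

If only the flat list of users is needed, `Get-ADGroupMember -Identity <group> -Recursive` returns it directly, without the nesting path.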

SharePoint Groups

PROS

  • Managed by SharePoint Site Owner. That means that users can be added to the group relatively easily “on the fly” by the site or group owner.
  • You can see members inside of the SharePoint groups. This depends on how the SharePoint security groups are set up, but typically, you can see who the members of a given SharePoint group are.
  • You can easily check an individual user’s permissions to the site. If your members are part of a SharePoint group, you can easily check their site access using the Check Permissions functionality. You can’t do that when your users are part of an AD group.
  • Can contain non-employees. SharePoint groups can and will contain external users when you share your site externally

CONS

  • Cannot be nested like an AD group. SharePoint groups are flat. Each site contains one level of groups, and you cannot nest one SharePoint group inside another SharePoint group.
  • Many SharePoint groups are not kept up to date. Due to the decentralized approach and relative simplicity of site/group creation, SharePoint group membership is often not kept up to date. Since maintenance of these groups usually falls on the shoulders of the business (site) owners, there is usually a lot of unnecessary group duplication, very little standardization, lack of a common naming convention, etc.