Building Groups in Active Directory versus Using SharePoint Groups
Hi, Can someone point me to an article or blog that discusses the pros and cons of setting groups (owner, full control, contributor, read only) in the Active Directory versus just connecting MOSS 2007 to the AD and building the groups directly in MOSS? MOSS 2007 only. Is there any functionality that is lost by building the groups in AD and adding people there rather than building groups in MOSS and adding people there? Thanks! Thanks! Patti N.
October 21st, 2010 9:06pm

These blogs have a very good description: http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html and this one also: http://www.alexbruett.net/?p=158 Hope this helps. Thanks -ws SharePoint administrator, MCTS, MCITP
October 21st, 2010 9:37pm

There's also a very good discussion of this over several pages of the Best Practices ... book. The book is probably the best non-development SharePoint 2007 book and is full of useful practical advice. (http://www.amazon.com/exec/obidos/ASIN/0735625387/heme0f) 2010 Books: SPF 2010; SPS 2010; SPD 2010; InfoPath 2010; Workflow etc. 2007 Books: WSS 3.0; MOSS 2007; SPD 2007; InfoPath 2007; PerformancePoint; SSRS; Workflow Both lists also include books in French; German; Spanish with even more languages in the 2007 list.
October 21st, 2010 9:52pm

The way I learned to configure this from several instructors was: Users are already created in AD > Users belong to AD Security groups > AD Security groups belong to SharePoint groups. The benefit with this model is that when new users join the company and are added to the proper AD security groups, they will then already have the correct permissions in SharePoint. -Brian
October 21st, 2010 10:57pm

Interesting, Brian, because as an instructor I will also argue the opposite. There is reason to use both methods. If there is already an Active Directory group that fits the need, then by all means use it, but place that group within a SharePoint group. If there is not, don't go creating groups in AD, use SharePoint as it was intended to be used, create your groups there and add the users. If you use AD groups, then as a Site Owner I cannot see who has access to my site because AD group membership is not enumerated by SharePoint. There are a number of other reasons to not do this all with AD groups. As mentioned, the Best Practices book has a nice discussion on this. Imagine what we could be... If we could just imagine. Daniel A. Galant
October 22nd, 2010 1:38am

Daniel, I completely agree, and should clarify that the model I presented was from the 5060/5061 "Implementing WSS/MOSS" courses I believe. This works well for very large companies with thousands of users and separate Active Directory/SharePoint teams. The environments I've worked on usually have a hybrid approach like you've mentioned. Plenty of reading material on this topic, -Brian
October 22nd, 2010 7:24am

Hi Daniel, Can you enumerate some other reasons? I'm kind of in a hurry and won't have time to buy the book. Our company is heading down the path of using AD and, personally, I'd like to give them reasons not to. We're a fairly small group of IT people, about 250. Thanks! Patti N.
October 22nd, 2010 6:27pm

Hi, Firstly, SharePoint groups and AD groups are in different systems. And an AD group will be considered as a whole thing, like a SharePoint user. So you cannot use AD groups in place of SharePoint groups. Otherwise, the users cannot use the mysite function as Daniel mentioned and lose the flexibility of the permission management in SharePoint. Secondly, you, of course, can use AD groups to help manage SharePoint permissions for users as Brian mentioned. For instance, you can add an AD users group to the SharePoint visitors group to let everyone have read access to the SharePoint site, and you don’t need to add this user into SharePoint whenever new hires are on board. So, how to plan your permission management structure will be based on your detailed requirements. Hope it is helpful! Seven
October 27th, 2010 3:14am

This topic is archived. No further replies will be accepted.