How do you balance admin and developer roles in managing security/audience and troubleshooting user access/visibility problems?
We're a 500-person services business, relatively new to SharePoint and recreating many legacy applications in SharePoint. We have a couple developers and an administrator and have been trying very hard to segregate those roles. The administrator controls Audiences, SharePoint groups, Distribution Lists, etc. Developers have read access to Active Directory, but no rights to view or edit SP groups, Global Audiences, or Distribution Lists. When user issues arise, the developer must always suspect a group membership problem but can't know enough to confirm or deny. I would love to hear how others handle this. Do your developers have admin rights? (And what problems does that cause?) Do you have strict naming conventions to differentiate GA from SP from Dist List? Do you have 3rd party tools to synchronize groups, so you can have perfect confidence that the Global Audience "Busboys" contains exactly the same users as the Active Directory group "Busboys?" Is there a way for developers to have read-only access to the various groups so they can troubleshoot membership problems without endangering security?
October 21st, 2010 10:51pm
Well, let me start by saying that I come from the Admin side of this fence, but I think many people will agree with me on this, you do not give your developers administrative rights on your production servers. Development should be done in a separate environment that mimics your production setup as best as you can from a configuration standpoint. In this development setup the developer has total access and administration power. Once development is completed and tested, you then move that as a solution and deploy it into your production system.
Imagine what we could be... If we could just imagine. Daniel A. Galant
October 22nd, 2010 1:15am
That would be the perfect solution if I had a way to mimic my production groups. But I don't, which is the whole problem. We do have a dev environment, but I don't know how to reproduce the production groups in there. Do I ask the admin to manually create them and thereafter to perform every group adjustment twice, once in production and once in development env? A) that will never happen, B) we wouldn't trust it anyway, without a tool to validate it. All I really want is for developers to have read-only access to all groups (Global Audiences, Dist Lists, SP groups), which would be sufficient to analyze any particular issue. Since developers have a role in visibility and security of data and applications, they need to troubleshoot when users don't see what they should. I would expect this to be essential information for Help Desk functions as well. I'm surprised that this isn't a universal difficulty in SharePoint shops, that I'm not finding tons of native and 3rd party tools to solve it. Am I looking at this wrong? Does the rest of the world look at audience and security as purely an Admin function? Thanks for the response!
October 22nd, 2010 10:27pm