During our company’s collaboration with several business institutes, an interesting question arose. Many of them wanted to know whether to choose Active Directory Domain-based groups or SharePoint groups for maintaining security in SharePoint.
While both methods have their pros and cons, it’s better to look at them from a broader aspect before making a recommendation. That’s exactly what I’m going to do in this write-up.
So let’s do a thorough comparison between AD groups & SharePoint groups.
SharePoint groups are the security groups containing the site users within the SharePoint environment. There are three security groups in a SharePoint site: Visitors, Members, and Owners.
Each group has a different level of access, but all the users within a single group have the same set of permissions to sites and content. Let’s take a look at the advantage and disadvantages of this type of group in SharePoint.
- »Easily managed by site owners.
- »Can see the members list inside the group.
- »Easier to create exceptions and manage permissions.
- »External users can be added.
- »Automation is much easier.
- »Can’t be reused in other site collections.
- »Hard to keep up to date.
- »Can’t be nested within other groups.
Furthermore, SP groups’ security needs can be dynamically changed, which is both a good and bad thing, especially when you compare it with Active Directory groups. Speaking of which…
What is Active Directory(AD) Group?
Before I explain what an AD group is, we need to learn about the Active Directory itself. Active Directory is a database that contains various information about a company’s user accounts. This directory is used to keep track of users’ passwords, activity, roles in an organization, etc.
Basically, all kinds of employee information, along with necessary permissions, are maintained via Active Directory. For example, if you leave a company, your AD account will be permanently removed, and you won’t be able to access work mail or log in to the company’s PC anymore.
Besides storing employee info, AD also allows the company admins to create groups of its employees. These groups are called Active Directory groups. These groups can be used for collaboration and have assigned permission based on the organization’s needs.
Anyway, these are some of the pros and cons of Active Directory groups:
- »Centralized management.
- »Offers minimal effort.
- »Tight security.
- »Can be nested/embedded within another AD or SharePoint group.
- »Same AD group can be used by multiple applications.
- »Re-usable as security groups within or outside site collection.
- »Creates bottlenecks when managing simple group tasks.
- »Can’t add external users.
- »Automation requires additional coding.
- »Members list can’t be checked.
Now let’s do a proper side-by-side comparison of AD groups with the SharePoint group to get a better overview.
Since both approaches have their own advantages and disadvantages, we need to list the attributes of AD and SP groups side by side to easily pinpoint the key takeaways. To do so, here’s a comparison table for Active Directory group vs. SharePoint group:
| Active Directory(AD) Groups | SharePoint(SP) Groups |
|---|---|
| AD groups are centrally managed by organization admins unless delegated. So to create an AD group or add/remove group members, you’ll have to rely on AD admins or the help desk. | A site or group owner can manage a SharePoint group. As a result, they can easily create/delete a new group or add/remove participants in a SharePoint group. |
| AD groups can be nested. Meaning an AD group can be embedded into another AD group to make a hierarchical system or multiple layers of groups for departments within a department. | SharePoint groups are flat, so they can’t be nested or layered within another group. Although, an AD group can be added under a SharePoint group. |
| After adding an AD group to a SharePoint site, users won’t be able to see who its members are. To drill inside an Active Directory group, you’ll need to contact the organization admins. | Depending on how the SharePoint group’s privacy has been set up, you can typically view who its members are. |
| Active Directory domain-based groups can only have members who are AD users. These groups can’t contain external users. | SharePoint groups can contain members from both Active Directory and non-AD-associated sources like Facebook, Google, Live, Yahoo, SQL, etc. So a SharePoint group can contain external members when you share your site. |
| SharePoint considers the Active Directory group as a single user. | SharePoint divides SP group members using the Site Users web part. |
| Audience targeting doesn’t work on Active Directory groups. | Audience targeting works with any SP group. |
| Removing a user from an AD group permanently removes them from the server. | If you remove a user from an AD, SP groups can still host him as an orphaned user. |
| OOTB automation requires additional and external support for an Active Directory group. | It’s easier to do OOTB automation on SharePoint groups. |
| Active Directory group provides more streamlined security. | SharePoint group offers dynamic security changes for better flexibility throughout the site. |
| AD lists or groups can be re-used in any SharePoint site collection. | SharePoint groups can’t be re-used beyond its site collection. |
Based on the above overview, you should now get a proper idea about the differences between the two security groups. In case you’re still confused about which one you should choose for better security, here’s my verdict:
If you’re not too tight on the security aspect, SharePoint groups are much-preferred options over AD groups. Why? Because SP groups are easily managed by site owners, while AD groups can only be maintained via IT/admin.
So there are more hassles to do basic things like adding/removing members in an AD group. But if you want top-notch security and already use Active Directory for all corporate needs, then go for AD groups.
Frequently Asked Questions
How to create groups in Active Directory?
To create Active Directory groups, go to the AD Users & Computers console and select the group container(typically Users) from the navigation panel. Now click Action > New > Group and fill in the necessary boxes. Then select Security from the Group type section and hit OK.
Can you add Active Directory groups in SharePoint?
Yes. SharePoint groups can also include Active Directory Domain Service(ADDS) groups. You can add AD groups in SharePoint by clicking on the gears icon > Site permission > Share site. Then enter your AD group’s name and click Add.
Does SharePoint need Active Directory?
For service accounts, an Active Directory domain is required in SharePoint 2019 server for certain functionality, like SQL, ADDC deployments, etc.
