So you need to determine the best way to manage SharePoint users: should you use SharePoint groups or Active Directory groups to manage permissions in SharePoint?
Well, both SharePoint groups and AD groups have their own advantages and disadvantages. Let me list some of them:
- Manageability: Any SharePoint site owner/admin can manage the users in SharePoint groups from within SharePoint (self-service!). AD group creation and adding/removing users can be done only by AD administrators, unless delegated. So, to create new users or remove accounts, you may have to wait for the AD admins or the help desk! However, AD groups serve better for centralized management, performance, and minimal administration effort.
- Scope: Since AD groups are created globally, you can re-use them in any number of SharePoint site collections (and even in other systems like file shares, Exchange, etc.). E.g., you may already have department-wise AD groups, say “Sales Team”, and you can grant that AD group permission to any SharePoint site collection. SharePoint groups, however, are scoped at the site collection level and can’t be re-used beyond that boundary. So, if you have an existing SharePoint group with 5000 users, you’ll end up recreating it in a different site collection (although PowerShell can help!).
- Users from Multiple Authentication Sources: An AD group consists of users from AD, but a SharePoint group can combine users from AD with users from non-Active Directory authentication sources like SQL Server, LDAP, Live, Google, Facebook, Yahoo, etc.
- List All Users of the Group: If you want to list the users of a group, SharePoint group members can be listed with the “Site Users” web part. You can’t do that with AD groups: SharePoint considers an AD group a single user, so you can’t look inside it from SharePoint (without custom solutions!).
- Nested Groups: AD groups can be nested, but a SharePoint group can’t be added under another SharePoint group. (However, you can add an AD group inside a SharePoint group!)
- Group E-Mails: If you use a SharePoint group, there is no way to send alerts to all of its members out of the box (OOTB), but you can use an e-mail-enabled AD group to subscribe to an alert in SharePoint!
- Audience Targeting: Does not work with AD groups, only with SharePoint security groups!
- Orphaned Users: When you delete a user in AD, SharePoint groups can still hold that account as an orphaned user!
- Securable Objects with Unique Permissions: When you have a requirement for dynamically changing security needs, SharePoint groups provide better flexibility.
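
The orphaned-user point above can be checked with a script. The following is an added example, not code from the original post: it reports Windows accounts in a site collection that no longer exist in AD, together with the SharePoint groups that still hold them. It assumes an on-premises farm, the SharePoint Management Shell, a single AD domain, and a placeholder site URL; the function names are hypothetical.

```powershell
# Added example: find SharePoint users whose AD account has been deleted.
# Assumptions: on-premises farm, run as farm admin, single AD domain.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-SamAccountName {
    param([string]$LoginName)
    # Windows claims logins look like "i:0#.w|DOMAIN\user"; classic ones like "DOMAIN\user".
    # Logins from other providers (forms, SAML) do not match and are skipped.
    if ($LoginName -match '^(?:i:0#\.w\|)?([^\\|:]+)\\([^\\|]+)$') {
        # Built-in pseudo-accounts are not AD users.
        if ('NT AUTHORITY', 'SHAREPOINT' -notcontains $Matches[1]) { return $Matches[2] }
    }
    return $null
}

function Test-ADAccountExists {
    param([string]$SamAccountName)
    # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    return ($null -ne $searcher.FindOne())
}

function Get-OrphanedSiteUser {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($user in $site.RootWeb.SiteUsers) {
            # SharePoint treats an AD group as a single principal; skip those.
            if ($user.IsDomainGroup) { continue }
            $sam = Get-SamAccountName $user.LoginName
            if ($sam -and -not (Test-ADAccountExists $sam)) {
                New-Object PSObject -Property @{
                    LoginName = $user.LoginName
                    Groups    = ($user.Groups | ForEach-Object { $_.Name }) -join '; '
                }
            }
        }
    }
    finally { $site.Dispose() }
}

# Placeholder URL; replace with a real site collection.
Get-OrphanedSiteUser -SiteUrl 'https://sharepoint.example.com/sites/sales'
```

The script only reports; review the output before removing any account, since an account in a different domain of the forest would also show up as missing under the single-domain assumption.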