One question always comes up in user management: should you create SharePoint groups, or use Active Directory (AD) groups, to manage users? The answer is not straightforward. As far as I know, there is no hard and fast rule for choosing between a SharePoint group and an AD group.

First of all, what are SharePoint groups and what are AD groups?

SharePoint groups: Collections of users or groups stored in SharePoint and managed by your SharePoint site admins.

AD groups: Collections of users and groups stored in your Active Directory and managed by your company’s IT people.

Here are a few points to consider before you decide between SharePoint groups and AD (Active Directory) groups.

  • The administration effort to maintain an AD group is always lower than for a SharePoint group. Say you have a company where you want to give all the users read access to all the departments, like IT, HR or Finance: create AD groups and give those groups read access on all the sites. But if there are a few contractors in the HR department and you want to give them some specific access, you should create a SharePoint group, which you can delete after their contract is over.
  • An AD group is more reusable than a SharePoint group. Once you create an AD group, you can reuse it anywhere: in any site collection, and you can even sync it to your Office 365 site. A SharePoint group can be reused only within its own site collection (including subsites, if any). If you need that group to exist in multiple site collections, you have to add it manually, or you can use PowerShell to do that.
  • AD groups are easier to maintain than SharePoint groups. Suppose you want to add a user to a site or give access to a new user. With an AD group, you add the user in one place. But if you have various site collections based on department, then with SharePoint groups you have to add him/her in multiple places.
  • Similarly, removing a user from an AD group is easy, because you remove the user from one place only. With SharePoint groups, you have to manually remove the user from all the groups, or else the user will remain as orphaned.
  • A lot of unique permissions: if you have a SharePoint site collection that requires lots of unique permissions on different lists and libraries, then you should create SharePoint groups, so that the site admin can add users to the groups or remove users from them at any time. A site owner can also give custom permission levels if required. In these cases, you do not have to rely on your IT department.
  • In another scenario, say you want to give permission to a few people for some enhancement work. You can create a SharePoint group and give it the appropriate permission. Once their development is over, you can remove their access. You do not need to rely on the IT department; getting work done by the IT department is always more difficult than getting it done by your site admin.
  • One problem with SharePoint groups is that they are scoped to a particular site collection. Changes are not reflected in other site collections automatically; you have to make them manually or by using PowerShell.
  • Also, you can add only 5000 users to a SharePoint group, and 10,000 groups are possible for a single site collection.
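
The cross-site-collection cleanup mentioned in the list above can be scripted. The following PowerShell is an added example, not code from the original post: it assumes an on-premises farm with the SharePoint Server snap-in, and the parameter names `$Login` and `$Remove` and the sample account are hypothetical.

```powershell
# Added example (not from the original post). Run in the SharePoint Management Shell
# on a farm server. Parameter names and the sample account are assumptions.
param(
    [Parameter(Mandatory = $true)]
    [string]$Login,      # classic form, e.g. 'CONTOSO\jdoe' (constructed sample)
    [switch]$Remove      # without this switch the script only reports
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$findings = foreach ($site in Get-SPSite -Limit All) {
    try {
        # SharePoint groups are scoped to the site collection, so check each one.
        foreach ($group in $site.RootWeb.SiteGroups) {
            # Claims logins look like 'i:0#.w|contoso\jdoe'; compare the part after the last '|'.
            $members = @($group.Users | Where-Object {
                $_.LoginName.Split('|')[-1] -eq $Login
            })
            foreach ($member in $members) {
                if ($Remove) { $group.RemoveUser($member) }
                [pscustomobject]@{
                    SiteCollection = $site.Url
                    Group          = $group.Name
                    Login          = $member.LoginName
                    Removed        = [bool]$Remove
                }
            }
        }
    }
    finally {
        $site.Dispose()   # release the SPSite object after each pass
    }
}

$findings | Sort-Object SiteCollection, Group | Format-Table -AutoSize
```

Only direct membership is listed. Access that a user gets through an AD group placed inside a SharePoint group does not show up here, because SharePoint stores the AD group itself as the member.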

So whether to go for a SharePoint group or an Active Directory group always depends on the conditions.

