Sharepoint 2007: Active Directory and Sharepoint Groups

I have a Sharepoint 2007 installation and several Active Directory Domains. Now, since I can't have a user from Domain A be in a Security Group in Domain B, I need to create groups within Sharepoint to include the necessary users.

I could possibly just put the AD Security Groups in the Sharepoint groups, but we had problems with that approach when mixing it with audiencing, which is why I want to have the Sharepoint Groups contain individual users instead of AD Security groups.

But something "feels" wrong about this. Some groups contain a thousand users or more, and I feel like I would be unnecessarily complicating things and adding another maintenance burden.

How is this done in other companies? How do you manage your Sharepoint Groups in a Multi-Domain Environment?


Solution 1:

You're right... out of the box, having SharePoint groups with thousands (or even hundreds) of individual users will be an administration nightmare.

Unfortunately SharePoint doesn't sync users with AD (profiles, yes; users, no), so once you have manually added a user to a SharePoint group or manually granted permissions to an individual user, they will remain in SharePoint for all time (until you manually remove them), even if you remove that user from AD.

If you assign permissions to SharePoint groups holding AD groups, you gain the benefit that once a user is removed from AD, they no longer have permissions on SharePoint. It is so much easier to manage group membership in a single location (with good tools) than it is to manage group membership twice.

Long story short, I would suggest trying to figure out the problem you are hitting with audiencing before I would suggest putting a thousand users in SharePoint groups. If you absolutely must do so, don't do it with out-of-the-box tools... invest in Quest's Site Administrator for SharePoint (http://www.quest.com/site-administrator-for-sharepoint/)

Solution 2:

We have thousands and thousands of users. We use AD groups and do NOT put individual users inside of SharePoint (unless it is a small departmental site and the department is responsible for managing user rights).

We have seen Search stop indexing ACLs correctly when you add more than about 2,000 individual users to a SharePoint site collection.
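The two operational risks raised in the answers above can be checked with a script: Solution 1's point that directly-added users stay in SharePoint after their AD account is gone, and Solution 2's observation about the number of individual users in a site collection. The following PowerShell is an added example, not code from the original thread or from either answerer. It assumes PowerShell 2.0 on a WSS 3.0 / MOSS 2007 farm server (so `Microsoft.SharePoint.dll` can be loaded), an account with site collection administrator rights, that login names are in `DOMAIN\user` form, that the NetBIOS domain name in each login can be used for a serverless `LDAP://` bind, and that `http://intranet.example.com/sites/hr` is a placeholder site collection URL.

```powershell
# Added example (not from the original thread): audit a SharePoint 2007 site
# collection for users that were added directly to SharePoint groups but no
# longer exist in Active Directory, and count the individual (non-group)
# principals the site collection knows about.
# Assumptions: PowerShell 2.0 on a WSS 3.0 / MOSS 2007 farm server, site
# collection admin rights, DOMAIN\user style logins, placeholder URL below.

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")
[void][System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

$siteUrl = "http://intranet.example.com/sites/hr"   # placeholder; replace with a real site collection

# Escape LDAP filter metacharacters (RFC 4515) so a strange login name stored in
# SharePoint cannot alter the search filter.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a')
    $Value = $Value.Replace('(', '\28')
    $Value = $Value.Replace(')', '\29')
    $Value = $Value.Replace([string][char]0, '\00')
    return $Value
}

# Returns $true if DOMAIN\user still resolves to a user object in that domain.
# Logins that are not DOMAIN\user (e.g. forms auth) and unreachable domains are
# reported as $true so they are not wrongly listed as orphaned.
function Test-AdAccountExists {
    param([string]$LoginName)
    $parts = $LoginName.Split('\')
    if ($parts.Count -ne 2) { return $true }
    $domain, $sam = $parts
    try {
        # Serverless bind on the NetBIOS domain name (assumption: resolvable from this server)
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $sam)))"
        [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
        return ($searcher.FindOne() -ne $null)
    } catch {
        Write-Warning "Could not query domain '$domain' for $LoginName : $_"
        return $true
    }
}

$site = New-Object Microsoft.SharePoint.SPSite($siteUrl)
try {
    $web = $site.RootWeb
    $report = @()

    foreach ($group in $web.SiteGroups) {
        foreach ($user in $group.Users) {
            # AD groups are resolved by Windows at logon time; only direct users need auditing
            if ($user.IsDomainGroup) { continue }
            $report += New-Object PSObject -Property @{
                Group = $group.Name
                Login = $user.LoginName
                InAD  = (Test-AdAccountExists $user.LoginName)
            }
        }
    }

    # Individual principals known to the site collection (relevant to the
    # ~2,000 individual user figure mentioned in Solution 2)
    $individuals = @($web.SiteUsers | Where-Object { -not $_.IsDomainGroup })
    Write-Output ("Individual user principals in {0}: {1}" -f $siteUrl, $individuals.Count)

    Write-Output "Group members whose AD account no longer exists:"
    $report | Where-Object { -not $_.InAD } |
        Sort-Object Group, Login |
        Format-Table Group, Login -AutoSize
} finally {
    $site.Dispose()
}
```

Run it from a farm server as a site collection administrator; the orphan list is the set of accounts that `SPGroup.Users` still contains but AD no longer does, which is exactly the drift Solution 1 describes. Note that it only inspects SharePoint groups, not permissions granted directly to a user on a list or item, and that a domain the server cannot bind to produces a warning rather than a false "orphaned" entry.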