Serving the Exchange & Active Directory market since 1997, Imanami's 500+ customers give a great view of who is using AD for what.  That's what we blog about.


A better way to manage AD or SharePoint group permissions

 

While reading Gartner’s research paper titled “Identity in SharePoint 2010” by Kevin Kampman, I was struck by one particular phrase that is at the heart of the AD or SharePoint group debate: “visibility is not provided into domain group memberships; SharePoint administrators cannot directly examine the members of an AD group, although it is possible to examine group membership with SharePoint.”

This mirrors our own research into the matter and is supported by anecdotal evidence from many customers.  See, we want them to use AD groups because we can help them with the membership accuracy.  But if their SharePoint users can’t see that accurate membership, they still won’t use them.

Eventually, we got one customer to give us the exact use case they wanted to solve this problem.  They wanted a site owner within SharePoint to be able to pop up a window with every Active Directory group that was being used to grant permissions to that site.  From that window, they wanted the site owner to be able to pick a group and either view or manage memberships within it.  They would then close that window and still be sitting there in the SharePoint admin site.

So we did it.  Here’s how:

From the Permission Tools section of Site Actions, the user will click on a “Self Service Permission” tab within the ribbon.  This whole ribbon can be customized and this tab can be called something more intuitive like “manage domain groups.” 


Then a pop-up window will appear listing the AD domain groups that define permissions within this SharePoint site.


Once the user clicks “Edit Membership” the GroupID Self Service page appears to manage or view that membership.


Interestingly enough, all of this work is within SharePoint and utilizes its APIs to figure out which of the groups are domain groups.  Once there, it is simple to access GroupID Self Service for that particular group.  If the site owner is indeed one of the AD group’s owners, he or she can update the group membership.  If they are not the owner, they can simply view the membership and determine if this is the group they want to have permissions within their site.
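The enumeration step described above can be reproduced for an access review with the SharePoint server object model. This is an added example, not Imanami's or GroupID's code; the site URL is a placeholder and the function name `Get-DomainGroupGrant` is hypothetical. It assumes it is run on a SharePoint 2010 farm server by an account allowed to read the site's permissions.

```powershell
# Added example: list the AD domain groups that grant permissions on one site,
# whether assigned directly or nested inside a SharePoint group.
param(
    [string]$SiteUrl = 'http://sharepoint.example.local/sites/team'  # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-DomainGroupGrant {
    param([Microsoft.SharePoint.SPWeb]$Web)

    foreach ($assignment in $Web.RoleAssignments) {
        # Permission levels bound to this principal. "Limited Access" is assigned
        # automatically by SharePoint (English name assumed; it is localized).
        $levels = @($assignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne 'Limited Access' } |
            ForEach-Object { $_.Name })
        if ($levels.Count -eq 0) { continue }

        $member = $assignment.Member
        if ($member -is [Microsoft.SharePoint.SPGroup]) {
            # A domain group placed in a SharePoint group gets that group's levels.
            $candidates = @($member.Users)
            $via = $member.Name
        } else {
            $candidates = @($member)
            $via = '(direct)'
        }

        foreach ($principal in $candidates) {
            # SPUser.IsDomainGroup is how SharePoint marks an AD group principal.
            if ($principal.IsDomainGroup) {
                New-Object PSObject -Property @{
                    DomainGroup = $principal.LoginName
                    GrantedVia  = $via
                    Levels      = ($levels -join ', ')
                }
            }
        }
    }
}

$web = Get-SPWeb -Identity $SiteUrl
try {
    Get-DomainGroupGrant -Web $web | Sort-Object DomainGroup, GrantedVia |
        Format-Table DomainGroup, GrantedVia, Levels -AutoSize
} finally {
    $web.Dispose()   # SPWeb objects must be disposed explicitly
}
```

The output shows which groups carry access but not who is in them, which is the visibility gap the Gartner quote describes; membership still has to be read from AD. In a claims-mode web application `LoginName` is returned in its claims-encoded form.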

This method should help ease the internal struggle between AD and SharePoint groups.  In fact, if done right, you can eliminate SharePoint groups entirely, allowing a quick method to create groups from that same ribbon pane or have all SharePoint site owners be additional owners for AD groups.  A lot of possibilities exist that are more productive than the “let’s just let our SharePoint groups get out of date” method that is so often used.
