SharePoint Security Groups and Active Directory

What do you mean Active Directory Groups don’t work in SharePoint!

That is not a fair statement.  You can use AD groups in SharePoint.  They just don’t work the same as a SharePoint security group.  There is no built in tool in SharePoint 2010 to synchronize a group, even one way from an AD group to a SharePoint group.  I also found out the hard way that SharePoint groups created in one site cannot be used in another site.

Why would I want to do that anyway?

I created a new site called the “Office Standards – Templates” in SharePoint 2010.  This new site contains document libraries that will hold standard documents and templates for the entire office to use.  The documents are provided by various focus and practice groups and we made the decision that each group would have rights only to their document library.

When I went to add the security to the document libraries I discovered that SharePoint does NOT replicate the security groups from one site to another.  I cannot pick an existing group.  This is a problem since we have 40 some SharePoint groups that allow auto-join and users join and leave at will.

Ideally it would be really nice for the groups to synchronize with groups in Active Directory that are used as Exchange distribution lists.  I have a large number of these groups:

AD Groups

In SharePoint we created a blog site for all the focus and practice groups.  Take the Building Sciences Focus Group for example.  The blog site has a link the users click to add themselves to the members group.  After a week or so the SharePoint group no longer matches the AD Exchange distribution group.  I want to use the exact same group in both SharePoint sites and Active Directory and Exchange.

Google to the rescue!

I went to Google and searched for an answer.  I found that this is a BIG deal for most SharePoint sites.  Small City Design’s blog suggests that I should change my expectations.  Seems like I have lowered the bar so far down that almost anything would be an improvement, and so I continue on my quest.  Marc D Anderson’s blog described the current state of SharePoint groups versus AD groups.  There are many $$$ tools to synchronize users from Active Directory groups to SharePoint groups.  Most of these tools are around $2000.  I am looking at a couple of these tools primarily because IT (aka me) spends a bit of time managing the Microsoft Exchange email groups, and it would be really nice to turn that into a user self-service task using one of these tools and SharePoint.  Marc’s follow-up lists some of these tools.

Time for a RANT

What I don’t get is why Microsoft doesn’t embrace AD within SharePoint.  Yes, I can add a group from AD, but a web part doesn’t show its members.  That leaves you having to do more work to expand the group.  I get that you might want them to be separate environments.  I spent the time setting up the User Profile Service Application, which clearly says users AND groups.

What it really means is users and users.  No Groups. I missed that in the fine print.  I hope SharePoint 2013 uses AD better than 2010 does.  Please Microsoft, please bring the groups from AD into SharePoint as SharePoint security groups via the User Profile Service.  Please!

Synchronizing SharePoint Security Groups from Site A to Site B

I didn’t want to hold this up any further, and I didn’t want to have to maintain yet another security group.  So I found a free tool that does a one-way synchronization of SharePoint groups from one site to another.  The SharePoint Site Collection Group Sync tool works well from a batch file as a scheduled task.

@echo off
rem Scheduled task: remove last run's log, then sync every group one way from the root site.
cd /d C:\GroupSync\
del C:\GroupSync\log.txt
rem cmd needs ^ at the end of each line to continue the command on the next one.
SynchSiteCollectionGroups.exe ^
 -from:http://intranet.dpa.local/ ^
 -to:http://intranet.dpa.local/sites/OfficeStandards-Templates/ ^
 -Clear ^
 -All ^
 -log:C:\GroupSync\log.txt

The -Clear option deletes the current SharePoint group members and then adds back all the members.  This allows someone to leave the parent site’s group and automatically get removed from the Office Standards site’s group.  Without this option new users are added, but never removed.

The -All option copies ALL groups from site A to site B.  The tool is supposed to read a text file and only copy the groups specified.  I couldn’t make it work.  I think this is because I have spaces in the group names.  Something to go back and work on.
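As an added example (not the Group Sync tool's code and not from the original post), here is the same one-way sync written in PowerShell against the SharePoint 2010 server object model, run on a farm server under an account with rights on both webs. It goes a step beyond the tool's -Clear option: instead of emptying the target group and re-adding everyone, it computes which members to add and remove, so unchanged members keep their access during the run and every removal is written to the log. The site URLs are the ones from the batch file above; the group name is an example.

```powershell
# Added example, not the Group Sync tool: delta-based one-way group sync.
# Assumes SharePoint 2010 on this server; the group name below is an example.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$sourceUrl = "http://intranet.dpa.local/"
$targetUrl = "http://intranet.dpa.local/sites/OfficeStandards-Templates/"
$logPath   = "C:\GroupSync\log.txt"
function Write-SyncLog([string]$message) {
    "$(Get-Date -Format s) $message" | Out-File -FilePath $logPath -Append
}
function Get-SPGroupByName($web, [string]$name) {
    # Indexing SiteGroups by a missing name throws, so filter instead.
    $web.SiteGroups | Where-Object { $_.Name -eq $name }
}
# Make the target group's membership equal to the source group's.
function Sync-SPGroupMembers($sourceWeb, $targetWeb, [string]$groupName) {
    $src = Get-SPGroupByName $sourceWeb $groupName
    if ($src -eq $null) { Write-SyncLog "source group '$groupName' not found"; return }
    $dst = Get-SPGroupByName $targetWeb $groupName
    if ($dst -eq $null) {
        # Create the group in the target web, owned by the web's Owners group.
        $targetWeb.SiteGroups.Add($groupName, $targetWeb.AssociatedOwnerGroup, $null, $src.Description)
        $dst = Get-SPGroupByName $targetWeb $groupName
        Write-SyncLog "created group '$groupName' in $($targetWeb.Url)"
    }
    $wanted = @{}
    foreach ($u in $src.Users) { $wanted[$u.LoginName.ToLower()] = $u.LoginName }
    $present = @{}
    # @() snapshots the collection so removing members while looping is safe.
    foreach ($u in @($dst.Users)) {
        $present[$u.LoginName.ToLower()] = $true
        if (-not $wanted.ContainsKey($u.LoginName.ToLower())) {
            $dst.RemoveUser($u)      # member left the parent site's group
            Write-SyncLog "removed $($u.LoginName) from '$groupName'"
        }
    }
    foreach ($login in $wanted.Values) {
        if (-not $present.ContainsKey($login.ToLower())) {
            # EnsureUser adds the account to the target site collection if needed.
            $dst.AddUser($targetWeb.EnsureUser($login))
            Write-SyncLog "added $login to '$groupName'"
        }
    }
}
$sourceWeb = Get-SPWeb $sourceUrl
$targetWeb = Get-SPWeb $targetUrl
try {
    # Names with spaces are passed as one string, so they need no special handling.
    foreach ($name in @("Building Sciences Focus Group Members")) {
        Sync-SPGroupMembers $sourceWeb $targetWeb $name
    }
} finally {
    $sourceWeb.Dispose(); $targetWeb.Dispose()
}
```

To copy every group as -All does, replace the fixed list with the names from $sourceWeb.SiteGroups, and review the log after each scheduled run for unexpected removals.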

I then went through and gave each document library unique permissions.  I set the practice/focus group owners group to have Full Control of the library and the practice/focus group members group to have Contribute and Approve rights.

Building Standards Library Rights

I ran into a weird behavior when adding SharePoint groups to the document library.  As the picture above shows, the library has unique permissions.  I added a group to the library and set its rights.  When I went back to the site root and looked at the site permissions, the group had been added there with “Limited Access” rights.  When I went to the next document library and changed it to have unique permissions, ALL the groups from the root site were in the new permission set.  I decided that I didn’t want all these “Limited Access” groups at the root, so I deleted the groups.  Guess what, they get removed from the document library too.  The library doesn’t really have unique permissions.  It still has a link to the site permissions: the Limited Access entry is SharePoint’s own bookkeeping, granted on the parent site so a group with rights on a library can reach it, and removing the group at the site removes it from everything below.
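An added PowerShell example (not from the original post) for the library permissions step above, assuming the SharePoint 2010 server object model on a farm server, example library and group names, and that the “Approve” permission level exists on the site as it does in the post. It breaks inheritance without copying the root site’s groups, assigns the Owners and Members levels described above, and lists which groups the root site holds with only Limited Access, the automatic entry SharePoint keeps so a group with rights on a library can reach its parent site.

```powershell
# Added example, not from the post: unique library permissions done by script.
# Library and group names are examples; the site URL is the one from the post.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
function Set-LibraryGroupRights($web, [string]$listTitle, [hashtable]$groupRoles) {
    $list = $web.Lists.TryGetList($listTitle)
    if ($list -eq $null) { throw "list '$listTitle' not found in $($web.Url)" }
    # $false = break inheritance WITHOUT copying the parent's role assignments.
    # The browser UI copies them, which is why every root-site group showed up
    # on the new library in the post.
    if (-not $list.HasUniqueRoleAssignments) { $list.BreakRoleInheritance($false) }
    foreach ($groupName in $groupRoles.Keys) {
        $group = $web.SiteGroups | Where-Object { $_.Name -eq $groupName }
        if ($group -eq $null) { throw "group '$groupName' not found" }
        $ra = New-Object Microsoft.SharePoint.SPRoleAssignment($group)
        foreach ($roleName in $groupRoles[$groupName]) {
            # Permission levels are looked up by their display name on the web.
            $ra.RoleDefinitionBindings.Add($web.RoleDefinitions[$roleName])
        }
        $list.RoleAssignments.Add($ra)
    }
    $list.Update()
}
# Report groups the site lists with ONLY "Limited Access". These are expected
# after granting a group rights on a library; removing them at the site, as the
# post describes, also removes the group's assignment on the library.
function Get-LimitedAccessGroups($web) {
    foreach ($ra in $web.RoleAssignments) {
        $names = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
        if ($names.Count -eq 1 -and $names[0] -eq "Limited Access") { $ra.Member.Name }
    }
}
$web = Get-SPWeb "http://intranet.dpa.local/sites/OfficeStandards-Templates/"
try {
    Set-LibraryGroupRights $web "Building Standards" @{
        "Building Sciences Focus Group Owners"  = @("Full Control")
        "Building Sciences Focus Group Members" = @("Contribute", "Approve")
    }
    Get-LimitedAccessGroups $web
} finally {
    $web.Dispose()
}
```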

What about the Active Directory Synchronization?

I haven’t given up on that.  I am looking at a few of the paid tools to do the job.  I am also thinking that this is an opportunity to work on the tool that is already on Codeplex and add AD sync capabilities to it.  If only there was more time in the day.