Tidbit about SharePoint security vs AD security

Yet another way for me to use my blog: as a way to remember things better. 🙂 Erik mentioned this little tidbit today for the second time while I was in hearing range. It bears repeating so you can learn from it too.

When managing the security settings for entities (sites, lists, libraries, items, etc.) in SharePoint, administrators can use AD groups, SharePoint groups, or a combination of the two to set the desired permissions. There are a number of reasons to choose one or the other, but one detail you may not have heard about before may be affecting your performance and search:

If you are using SharePoint groups (adding users or AD groups to a SharePoint group), the membership is stored in the database as part of the site, so SharePoint treats every change to it as a change to the site that requires a FULL CRAWL of the site. This might not be a big deal for some sites, but as you build larger sites (including the sub-site hierarchy), having to do a full crawl can be a big deal.

To avoid a full crawl every time the permissions on a site are changed, you can use AD groups. Adding an AD group to a site (or to one of its SharePoint security groups) is itself a change to the site, so yes, that step will require a full crawl. But once the AD group is in place, someone can manage its membership in AD, adding or removing users, without changing any of the data in the SharePoint site, and therefore WITHOUT requiring a full crawl of the site.

This is just one more concept to consider as you plan your security governance topics.

And yes, you should bug Erik about not blogging more… or at all…

2 comments

  1. How does one get AD groups into SP? I do not ‘own’ the AD in my environment and the profile import was set up to import users. The filter reads, ‘(&(objectCategory=Person)(objectClass=User))’. What would I change or add to have groups added?

  2. The import filter you’re talking about is to import users into the Profile Database. You don’t need to (and I’m pretty sure can’t) import AD security groups into the profile database – these are basically two separate issues.

    As long as your SharePoint environment is in the domain, you can use AD security groups (not distribution groups) in that domain to assign permissions in SharePoint – either directly or within SharePoint security groups. As long as SharePoint can recognize the AD group, it should work. You don’t have to import anything for the AD group to be recognized.

    One thing to check is whether or not the AD group you’re using is a security group and not just a distribution group. Distribution groups cannot be used to assign permissions. What is confusing is that some group entities in AD are both distribution groups AND security groups. 😛
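As an added example (not from the post or either commenter), the PowerShell below does the check the second comment describes, confirming that an AD object is a security group rather than a distribution-only group, and then performs the one-time step of adding that AD group to a SharePoint group; day-to-day membership changes then stay in AD. It assumes the ActiveDirectory module and the SharePoint management snap-in are available on the same server, and the site URL, domain and group names are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT)
# module and the SharePoint snap-in; URL, domain and group names are placeholders.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPUsableAdGroup {
    # Returns $true only for a security group. Distribution-only groups cannot be
    # granted SharePoint permissions; mail-enabled security groups still count
    # as Security here, which is the "both" case the comment mentions.
    param([Parameter(Mandatory)][string]$GroupName)
    $g = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    if ($g.GroupCategory -ne 'Security') {
        Write-Warning "$GroupName is a $($g.GroupCategory) group; SharePoint cannot grant it permissions"
        return $false
    }
    return $true
}

function Add-AdGroupToSPGroup {
    # One-time step: adding the AD group to the SharePoint group is the change
    # stored with the site (the one the post says triggers a full crawl).
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][string]$SPGroupName,
        [Parameter(Mandatory)][string]$AdGroupName   # DOMAIN\GroupName
    )
    $sam = ($AdGroupName -split '\\')[-1]
    if (-not (Test-SPUsableAdGroup -GroupName $sam)) { return }
    $web = Get-SPWeb $SiteUrl
    try {
        New-SPUser -UserAlias $AdGroupName -Web $web -Group $SPGroupName | Out-Null
    } finally {
        $web.Dispose()
    }
}

# Usage with placeholder values:
Add-AdGroupToSPGroup -SiteUrl 'http://intranet/sites/hr' -SPGroupName 'HR Members' -AdGroupName 'CONTOSO\HR-Staff'

# After that, membership changes happen only in AD and touch no SharePoint data:
# Add-ADGroupMember -Identity 'HR-Staff' -Members 'jdoe'
```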
