Tuesday, April 24, 2012

SharePoint Groups vs. Active Directory Groups

I’ve discussed this topic quite often during the last months. After those discussions I figured out that it’s more a question of when to use which kind of group than of which kind is better than the other. In this post I just write down some advantages and disadvantages of the group types and let you choose which kind fits your needs better.

SharePoint Group
  • Members of this group can be added or removed from within SharePoint. The permission to add or remove users from the group can be delegated to SharePoint users.
  • Members of this group can be visible to users.
  • Cannot contain another SharePoint group as a member.
  • Must have a unique name at the site collection level. The name is the unique identifier of the group.
  • Can contain SharePoint users that do not exist in Active Directory.

Active Directory Group
  • Members of this group can be managed within Active Directory. Only Active Directory administrators have the permission to modify group memberships.
  • Members of this group are not visible to users.
  • Can contain another Active Directory group.
  • Can cause serious problems in large-scale scenarios: a user can only be a member of 1024 Active Directory groups (recursively). If this number is reached, the user is no longer able to log on to Windows. Read the Microsoft documentation for more information.
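The recursive membership limit above can be checked before nested AD groups are granted permissions in SharePoint. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available, and the account names and the warning threshold are constructed.

```powershell
Import-Module ActiveDirectory

$Limit  = 1024   # limit stated in the post
$WarnAt = 900    # assumed warning threshold for this example

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    # Escape the backslash first, then the other LDAP filter metacharacters (RFC 4515)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-RecursiveGroupCount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    $seen = @{}   # keyed by group DN, so a group reached via two paths counts once

    # The primary group is not stored in "member", so it is walked as a second starting point
    foreach ($dn in @($user.DistinguishedName, $user.PrimaryGroup)) {
        if (-not $dn) { continue }
        $escaped = ConvertTo-LdapFilterValue -Value $dn
        # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC resolves the nesting
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
            ForEach-Object { $seen[$_.DistinguishedName] = $true }
    }
    if ($user.PrimaryGroup) { $seen[$user.PrimaryGroup] = $true }

    # Only groups visible to the queried domain controller are counted, and the logon
    # token also carries well-known SIDs, so treat the result as a lower bound.
    $count  = $seen.Count
    $status = 'OK'
    if ($count -ge $WarnAt) { $status = 'WARN' }
    if ($count -ge $Limit)  { $status = 'OVER LIMIT' }

    New-Object PSObject -Property @{
        User   = $SamAccountName
        Groups = $count
        Status = $status
    }
}

# Constructed sample account names
$accounts = 'jdoe', 'asmith'
$accounts | ForEach-Object { Get-RecursiveGroupCount -SamAccountName $_ } |
    Sort-Object Groups -Descending | Format-Table User, Groups, Status -AutoSize
```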


Comparison of MS SharePoint Online vs On-Premise


Cost
  • Hosted or Online: Zero to minimal upfront cost. Capital is not locked up in software and hardware.
  • On-Premise: Relatively huge upfront software and hardware expenses plus the cost of personnel to install, configure and maintain.

Management
  • Hosted or Online: Our team of SharePoint technology experts constantly builds on experience that they are able to cascade across multiple installs.
  • On-Premise: Only the largest IT shops don’t suffer when one key employee goes on vacation, takes leave or quits.

Accessibility
  • Hosted or Online: Browser-based hosted apps are accessible independent of location and time.
  • On-Premise: Maybe you can access the office remotely, maybe you can’t. Who is going to reboot the server?

Technology
  • Hosted or Online: We handle all your Microsoft SharePoint Online upgrades. Our support team is prepared and our expertise remains in step.
  • On-Premise: The cost of the time and effort to remain current can be excessive.

Security
  • Hosted or Online: Installing the latest patches and upgrades is naturally one of our core competencies.
  • On-Premise: Devoting resources to patches is typically given a low priority in many organizations.

Scalability
  • Hosted or Online: Scale up—no problem. Or scale down and never have to worry about issuing a pink slip.
  • On-Premise: More hardware + more software + more staff = more money.

Sustainability
  • Hosted or Online: Our staff with SharePoint experience is large enough that there is no noticeable impact from turnover and attrition.
  • On-Premise: The knowledge and expertise is concentrated in too few hands/heads. You’re one “I quit” away from chaos.

Flexibility
  • Hosted or Online: Month to month billing means you can change Microsoft SharePoint Online plans or platforms with ease—no questions asked.
  • On-Premise: Replacing a software platform can often feel like you’ve paid double.

Payment
  • Hosted or Online: Bite-sized month to month fees automatically billed to your credit card.
  • On-Premise: Large purchases involve meetings, approvals, purchase orders and calls from accounting.

Vendor(s)
  • Hosted or Online: A single point of contact. We’re here for you 24/7 via chat, email or phone.
  • On-Premise: Multiple vendors, multiple support contracts, multiple bills, multiple headaches.

Service
  • Hosted or Online: No long term contract dictates our mission…keep you happy.
  • On-Premise: Fickle technology staff can be a constant challenge to manage.

Redundancy
  • Hosted or Online: Hardened Class A data center with backup power, full fire protection, etc.
  • On-Premise: It can be done but it’s going to cost you twice as much.

Customization
  • Hosted or Online: Customization options can be limited with hosted apps. But how often do you require customization anyway?
  • On-Premise: Customizing requires expertise, plus time & money. In most cases it can’t be justified when compared to Microsoft SharePoint Online.

Monday, April 23, 2012

What are the major advantages of using Active Directory group in SharePoint?

  • Security behind AD is intense. Microsoft's entire enterprise of applications all utilize AD for security.
  • Allows for client integration, so opening a Word doc from a library will keep the file connected to SharePoint. This is a little more complex with FBA.
  • Assuming you're using AD for internal users, you can centrally manage all your users in one auth store.
  • You can use AD groups in SharePoint.
  • Easier management of single sign-on and BDC connections (if you're using them).
  • Active Directory's real benefit lies in domain management and integration with other programs (particularly ones like Exchange).

Saturday, April 21, 2012

What happens behind the scenes when we create a new Web Application in SharePoint?


When we create a new Web Application in SharePoint, the following actions happen behind the scenes:
  • Creates a unique entry in the SharePoint configuration DB for the Web Application and assigns a GUID to that entry.
  • Creates and configures a new site in IIS.
  • Creates and configures a new IIS application pool.
  • Configures authentication protocol and encryption settings.
  • Assigns a default alternate access mapping for the Web Application.
  • Creates the first content database for the Web Application.
  • Associates a search service with the Web Application.
  • Assigns a name to the Web Application that appears in the Web application list in SharePoint Central Administration.
  • Assigns general settings to the Web Application, such as maximum file upload size and default time zone.
  • Updates the web.config file to make entries for custom HTTP Modules and Handlers for SharePoint.
  • Creates virtual directories for SharePoint web services and the SharePoint layouts folder.
After creating a Web Application in SharePoint, the web site itself does not exist yet. If you try to access the Web Application using its URL, it will show you a "Page cannot be displayed" error. At this point a web application has been created and all the mandatory configuration has been done. The next step is to create a Site Collection using a particular Site Definition; only then is the actual site created, and you can access it using the URL of the Site Collection.
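The sequence above can be observed from the SharePoint Management Shell. This is an added example, not part of the original post; it assumes SharePoint 2010 or later (where these cmdlets exist) and a farm administrator session, and the URL, account, pool and database names are constructed.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Constructed sample values
$url      = 'http://intranet.example.local'
# Dedicated application pool identity, already registered as a managed account
$poolAcct = Get-SPManagedAccount 'EXAMPLE\svc-sp-intranet'

function Get-WebAppSummary {
    param([Parameter(Mandatory = $true)][string]$Url)
    # Re-read the object from the farm so the counts are current
    $wa = Get-SPWebApplication $Url
    New-Object PSObject -Property @{
        Id               = $wa.Id                                    # GUID in the configuration DB
        Name             = $wa.Name                                  # name shown in Central Administration
        AppPool          = $wa.ApplicationPool.Name
        AppPoolIdentity  = $wa.ApplicationPool.Username
        ContentDatabases = @($wa.ContentDatabases | ForEach-Object { $_.Name }) -join ', '
        MaxUploadMB      = $wa.MaximumFileSize                       # one of the general settings
        SiteCollections  = $wa.Sites.Count
    }
}

# Step 1: create the web application (IIS site, app pool, first content database)
New-SPWebApplication -Name 'Intranet' -Url $url -Port 80 `
    -ApplicationPool 'IntranetAppPool' -ApplicationPoolAccount $poolAcct `
    -DatabaseName 'WSS_Content_Intranet' `
    -AuthenticationMethod 'NTLM' | Out-Null   # or Kerberos once SPNs are registered

# Everything is configured, but SiteCollections is 0: browsing $url fails at this point
Get-WebAppSummary -Url $url | Format-List
Get-SPAlternateURL -WebApplication $url      # the default alternate access mapping

# Step 2: create the site collection from a site definition (STS#0 = Team Site)
New-SPSite -Url $url -OwnerAlias 'EXAMPLE\spadmin' -Template 'STS#0' -Name 'Intranet' | Out-Null

# SiteCollections is now 1 and the URL serves the site
Get-WebAppSummary -Url $url | Format-List
```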

Wednesday, April 18, 2012

SharePoint 2007 Hotfix – KB936867

We had planned to clean up a team site, getting rid of things that were no longer needed and lists that were no longer used. Well, it just so happens one user executed a click path that sent about 23 of her 78 sites into the ether, and whenever she or her teammates tried to access the sites they would get a plain SharePoint "500 – Internal Server Error" page.

I checked the logs and couldn't find anything in the server error.

After some looking around in the Webs table of the content database for the SharePoint web application, I noticed that the sites were not deleted or missing. So this pointed out to me that either we had an IIS problem or an internal SharePoint problem. Since much of the configuration is stored in the database for SharePoint, I was sure that this was a SharePoint problem. Especially since we were getting a plain 500 Error page from SharePoint, not like the one that IIS would put out if it had run into a problem.

Finally I called Microsoft Support after working through all of my known debugging techniques. The call started with us redoing many of the checks I had already performed, but then the support tech mentioned there was a forthcoming KB article that would mention a Hotfix for SharePoint that would not be publicly available; you would have to get in touch with Microsoft Support to get it.

The KB article that he was talking about was KB936867. According to him it is in the process of being published. The hotfix is supposed to fix about 11 different issues that Microsoft has been seeing with SharePoint that have been the highest on the radar of issues.

Before we started the Hotfix process, I had mentioned to the support technician that the farm we were working with was a B2 installation that was migrated to B2TR and then migrated to RTM. This was not a concern to him. Nevertheless we started the Hotfix install. The Hotfix installed fine, then we needed to run the Configuration Wizard to apply the hotfix to the SharePoint farm. Halfway through applying the hotfix, the configuration wizard bombs and tells us that half of the SharePoint Database is now upgraded and the other half is not. The 2 databases that blew up were the Shared Services Provider database and the Configuration database.

So now we have ½ of the farm database upgraded and the other ½ not.

Needless to say, after some major panic and working through a few different scenarios, the support tech finally gets a product guy in from the Hotfix or SharePoint team (not sure which), and what I gained from talking to him is that we shouldn't have used this hotfix if this installation was migrated from the Beta 2 bits. Oooops.

From that moment on, it was pretty apparent that I would be rebuilding my SharePoint farm and reconfiguring my web applications, reconfiguring my Shared Service Provider and going through general hell. And we ended up having to recreate the Configuration database and the Shared Service Database.

Lesson to be learned from this: never ever ask only once whether your farm being migrated from beta bits will be a problem. Make sure that whoever you are talking to knows for sure that this has been tried and proven.

So, if you run across someone who is mentioning to you that you need to install this hotfix, be VERY sure that you are not running the hotfix on a Beta 2 migrated installation. Or be sure that it mentions that this is an approved use of the hotfix. If not, you might run into a situation like I did and have to go through hell to get your farm back up and running.

Hopefully this will keep you from running in to the same situation.