Monday, April 29, 2013

Nested AD group support issues in Sharepoint 2010

Our company is implementing nested AD groups, and we found some strange behavior in how SharePoint supports nested groups. Here are the nested groups we have.

  • parentGroup includes childGroup and some users
  • childGroup includes childofchildGroup and some users
  • childofchildGroup includes childofchildofchildGroup and some users
  • childofchildofchildGroup includes some users

After we added the parent group (parentGroup) to the Owners group for a site, we could check permissions for any individual user from the nested groups, for example user2 from childGroup. However, we were not able to display permissions for any of the nested groups themselves.

We tried the following PowerShell to display the users, but it could not display any nested groups except the leaf group childofchildofchildGroup.

$urlWeb = "http://server/sites/n2ktest/"

Get-SPUser -Web $urlWeb | Select-Object UserLogin, @{Name="Explicit given roles";Expression={$_.Roles}}, @{Name="Roles given via groups";Expression={$_.Groups | ForEach-Object {$_.Roles}}}, Groups | Format-Table -AutoSize

Based on Microsoft documentation, nested AD groups are supported in SharePoint. Our testing confirms that all the individual users in the nested groups are granted the correct permissions.
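Since Get-SPUser only shows the AD group object it was given, the script below (an added example, not part of the original post) expands every AD group that holds permissions on the site into the effective user list, walking childGroup, childofchildGroup and so on recursively. It assumes the SharePoint 2010 snap-in and the ActiveDirectory RSAT module are loaded, classic (Windows) authentication so UserLogin is "DOMAIN\name", and PowerShell 2.0 syntax; the function name Get-SPEffectiveUsers is my own.

```powershell
# Added example: list the users who effectively hold permissions on a site through
# nested AD groups. Assumes SharePoint 2010 snap-in + ActiveDirectory module.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$urlWeb = "http://server/sites/n2ktest/"   # site URL from the post

function Get-SPEffectiveUsers {
    param([string]$WebUrl)

    # IsDomainGroup marks principals that are AD groups rather than individual users
    $domainGroups = Get-SPUser -Web $WebUrl | Where-Object { $_.IsDomainGroup }

    foreach ($g in $domainGroups) {
        # "DOMAIN\parentGroup" -> "parentGroup" (the sAMAccountName)
        $samName = ($g.UserLogin -split '\\')[-1]

        # Roles granted to the AD group directly and via the SharePoint groups it is in
        $roles = @($g.Roles | ForEach-Object { $_.Name }) +
                 @($g.Groups | ForEach-Object { $_.Roles } | ForEach-Object { $_.Name })
        $roleList = ($roles | Sort-Object -Unique) -join ', '

        # -Recursive flattens the whole nesting chain down to leaf principals, which is
        # why the intermediate groups never show up here either. Non-user objects
        # (contacts, nested distribution lists) are dropped explicitly.
        Get-ADGroupMember -Identity $samName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    User       = $_.SamAccountName
                    ViaADGroup = $samName
                    Roles      = $roleList
                }
            }
    }
}

Get-SPEffectiveUsers -WebUrl $urlWeb |
    Sort-Object User, ViaADGroup |
    Format-Table User, ViaADGroup, Roles -AutoSize
```

Run it against the test site from the post; user2 should appear with ViaADGroup = parentGroup and the roles of the Owners group, which is the access the individual-user permission check confirmed.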

However, after looking at other blogs and discussions, it seems SharePoint 2010 has some limitations in supporting nested AD groups. Some Microsoft teams, especially the MPS team, do not recommend:

  • Assigning permission levels directly to Active Directory groups.
  • Adding security groups that contain nested security groups, contacts, or distribution lists.

The following functions might have issues if you use nested groups, and you might follow the suggestions above when setting up permissions.

  • Resource sync performance issues in Project Server 2010
  • When a security group is added to a SharePoint group for a specific site, the site will not appear in the users’ My Sites. The User Information List will not show individual users until they have contributed to the site
  • Security groups with a deeply nested structure might break SharePoint sites
  • We will have issues listing all the users who have access to the site
  • Performance

It looks to me like nested AD groups are supported in SharePoint 2010/2013; however, they are not recommended by some Microsoft groups.