SharePoint University

A general question, and a specific question:

General: How do you use MOSS groups in your organization? We are using AD groups, so it seems to me that MOSS groups is just a duplication of effort and a possible source of confusion and security gaps when the two are maintained separately. They also seem less than intuitive for your average SharePoint user. In addition, it appears that it's fairly easy to add groups to groups to groups, etc. inside of MOSS which seems to be a way to compound the confusion.

All that said, there also doesn't seem to be a way to turn off MOSS groups, is there?

So, what have you done in your organization? Do you use MOSS groups? How did you set up your environment to make the groups intuitive to users?
 
Specific question: My site collection administration managed to block access to the 'site collections owners' group for the top level sites, though they can still get into some of the lower sites. She nor I really know how that happened. What's confusing, though, is that there doesn't seem to be an obvious way to grant the top level sites permission for this group again. Is the proper method to ADD USER, type in the MOSS GROUP, and then GIVE PERMISSIONS DIRECTLY, or am I missing something more obvious than that?

 Add on question: is it at all possible to block the use of MOSS groups if one is going to rely on AD groups?

AD and MOSS groups can be used hand in hand to provide a secure and reliable SharePoint environment.  My personal preference is to have each SharePoint setup with respective group: members, visitors, owners. Members get contribution rights, visitors read only, and owners have full control.  When these groups are setup we add the respective AD groups to the MOSS group... for example: If the page is an HR department site we add "All Users" AD group to MOSS "site visitors" group to ensure that all employees can view but not make changes.  Once that is configured, we add "HR department" AD group to MOSS "HR site members" groups to specify that the entire HR department can make contribution changes to the site.  For specific site admins, they can go under the site owners tab as they will be updating the content and making more changes to the site.  Hope this post brought some insight to what you are trying to accomplish...

I'd like to share my preference as well.

In general I agree with Devin in that you want to keep an abstraction layer between SP and AD by having AD groups be members of SP groups. However, I'd like to go a bit further.

For many IT Pros and operations people, working with SharePoint is 'application management' and not necessarily something they like to do. As such I try to limit the amount of work that needs to be done inside SharePoint by abstracting the SP groups entirely. By that I mean that I prefer to create AD groups that match the SharePoint groups, or even SharePoint permission levels, which is actually something completely different.

Now, by having a dls_SiteOwners, dls_SiteMembers, and dls_SiteVisitors AD groups, and have these mapped to the corresponding SharePoint groups I can let IT do their magic by adding users and groups to different AD groups only, without ever having to open a SharePoint site or application.

This is, in essence, the principle of AGDLP which is a fairly widely adopted pattern for permissions management. Google it if you like to know more :-)

.b

Oh, forgot the specific question.

You can add your users as Site Collection Administrators through the Central Administration->Application page.

.b

If AD groups are being mapped to SharePoint Groups, why use the SP groups at all? Why not just add the AD groups directly?

Also, is this mapping automated or manual?

The main issue is that we're going to have dozens upon dozens upon dozens of sites and everyone can start making their own SP groups as they please. This seems to be an IT nightmare. ;o)

Well, we just got out of a 2 hour meeting talking about all of this and I think we have more questions than answers. ;o)

At this point, it sounds like we're going to hand over group maintenance to site owners. If they want to make groups, they can. I'm a bit wary of this as it seems like this could get messy over time at the site collection level.

Aluminum:

Well, we just got out of a 2 hour meeting talking about all of this and I think we have more questions than answers. ;o)

At this point, it sounds like we're going to hand over group maintenance to site owners. If they want to make groups, they can. I'm a bit wary of this as it seems like this could get messy over time at the site collection level.

This is how we handle it.  It can get messy for sure, especially if your users do not know anything about SharePoint.  I have had to go and clean up a few of our collections because of this.  However, I like this model because as an admin, it provides me a hands off approach.  Users are free to do what they want and do not need to bother me other the Helpdesk anytime a user needs to be granted access to their site.  It is much more convenient for site owners this way.

In this scenario, you should look into a tool like DeliverPoint (http://www.deliverpoint.com).  It provides a great breakdown of permissions by user by site, or by site by user.  It tells you across the board what groups they are in, and where they have unique access both in and outside the group.  These features are available for free(?).  You can also purchase it and it will give you the ability to clone / transfer / delete permissions on the fly. User Management is one major issue within SP in my mind, and DP is able to take care of a number of the issues. 

Nice, I was unaware of the DeliverPoint tool.  I like their moto: "Ignorance is Stupid"  haha!  Will check this out for sure.  Anyways, back to the topic...  I agree with the approach of letting site owners handle groups, but this can get very messy.  I have to clean up after site users all the time because they create a bizillion sub-sites with permissions from here to mars and eventually nobody can get into anywhere (mildly exaggerated).  It really isn't that bad, but you may have to keep a watchful eye over some or better yet, train them in some best practices before you hand them over the reigns.