Universal Groups vs Global Groups – Setting up SharePoint Security

As part of my normal design for SharePoint I set up groups for the various roles in a web site, then set up the same group names in AD. People are added to and removed from the AD groups, the process for modifying security roles in SharePoint is built into the governance policy, and everything is happy days.
I had an incident recently where I'd set the groups up in SP and the sys admin had set the groups up in AD, with the members. I then removed all of the named users that were in there and suddenly started to see some odd behaviour with my test user: essentially the access would vary between partial access (where the user could see a page without a theme applied, similar to when they are not in the "Style Resource Readers" group in a publishing site) and no access at all.
Turns out that SharePoint does not like Universal Groups: add an AD Universal Group to a SharePoint group and access becomes unreliable, while the same groups changed to Global scope work fine. I'd never set up groups in AD that weren't Global groups (this was years ago); more recently, I guess everyone who'd created them for me had them nested correctly 🙂 Here's a good blog article from a 'softie which has some great TechNet links: http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html.

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

5 Responses to Universal Groups vs Global Groups – Setting up SharePoint Security

  1. Hikmer says:

    Can you elaborate? Why can’t universal groups be used?

  2. Pingback: Comparing Active Directory/Exchange/SharePoint defintions of GROUP « RaceTrout – The Blog

  3. Bill Elsey says:

    Brad, it sounds like you can probably help me. I am using SharePoint 2010 and Outlook 2007. I am trying to create a Field Sales (read only) permission group and would like to assign the permission for a preset email group of 300+ from our field team. When I do the search, the email group pops up and I can assign it. I then get an error saying “The user does not exist or is not unique”. I am trying not to have to manually update the permissions due to the size and feel like it must be possible. What am I missing?


    • Brad Saide says:

      Hi Bill.

      Both your "Field Sales" permission group and your email group need to be Security group objects in Active Directory. If I'm reading your question right, you are trying to add an Exchange Distribution group as a member of an Active Directory group (or a SharePoint "group"); either way, that will fail, because they are different object types (one is used to manage access control to securable objects, the other is used to send email to a distribution group).

      The dialog box you are doing the search in does not seem to be contextually aware that you cannot add a distribution group at that point (perhaps there are situations where adding a Distribution group works? I imagine this would be in Audiences in SharePoint...)

      Hope this helps – Brad
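Added example (PowerShell, not code from the original post or its comments): the audit a practitioner would run to catch both problems this page describes, an AD group granted access in SharePoint that has Universal rather than Global scope (the post), and one that is a Distribution rather than a Security group (the reply to Bill). It assumes the SharePoint 2010 or later Management Shell snap-in (for Get-SPUser) and the RSAT ActiveDirectory module (Get-ADGroup, Get-ADGroupMember, Set-ADGroup); the site URL and the function names Test-SPDomainGroup and Convert-ToGlobalGroup are illustrative assumptions. It also goes slightly beyond the post by honouring the AD scope-conversion rules, which the post does not cover.

```powershell
# Added example, not code from the original post. Assumes the SharePoint 2010+
# Management Shell snap-in and the RSAT ActiveDirectory module; the site URL
# below is an assumed placeholder.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPDomainGroup {
    <# Lists every AD group with permissions on a site and flags any that is not
       a Security group with Global scope, the combination the post found to work. #>
    param([Parameter(Mandatory)][string]$Web)

    Get-SPUser -Web $Web | Where-Object { $_.IsDomainGroup } | ForEach-Object {
        # Classic-mode logins look like "CONTOSO\Sales Readers"; claims-mode AD
        # group logins look like "c:0+.w|S-1-5-21-...". The last token is a SAM
        # name or a SID, and Get-ADGroup -Identity accepts either.
        $identity = ($_.UserLogin -split '[\\|]')[-1]
        try   { $ad = Get-ADGroup -Identity $identity -Properties GroupScope, GroupCategory }
        catch { $ad = $null }

        $category = 'NotFound'; $scope = 'NotFound'
        if ($ad) { $category = [string]$ad.GroupCategory; $scope = [string]$ad.GroupScope }

        [pscustomobject]@{
            Login    = $_.UserLogin
            Category = $category
            Scope    = $scope
            # Both must hold: a Distribution group is not security-enabled, so it
            # never appears in a logon token; a Universal group is what broke the site.
            OK       = ($category -eq 'Security' -and $scope -eq 'Global')
        }
    }
}

function Convert-ToGlobalGroup {
    <# Switches a Universal security group to Global scope, honouring the AD
       conversion rules: a group that contains another Universal group cannot
       become Global, and a Domain Local group must become Universal first. #>
    param([Parameter(Mandatory)][string]$Identity)

    $g = Get-ADGroup -Identity $Identity -Properties GroupScope, GroupCategory
    if ($g.GroupCategory -ne 'Security') {
        throw "$($g.Name) is a Distribution group; run Set-ADGroup -Identity '$($g.Name)' -GroupCategory Security before granting it permissions."
    }
    switch ([string]$g.GroupScope) {
        'Global'      { return $g }
        'DomainLocal' { throw "$($g.Name) is Domain Local; convert it to Universal first, then to Global." }
    }
    $nestedUniversal = Get-ADGroupMember -Identity $g |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-ADGroup -Identity $_.DistinguishedName -Properties GroupScope } |
        Where-Object { $_.GroupScope -eq 'Universal' }
    if ($nestedUniversal) {
        throw "$($g.Name) contains Universal groups ($($nestedUniversal.Name -join ', ')); convert those first."
    }
    Set-ADGroup -Identity $g -GroupScope Global
    Get-ADGroup -Identity $g -Properties GroupScope
}

# Usage: audit the site, then fix each Universal security group it reports.
$siteUrl = 'http://intranet.contoso.local/sites/sales'   # assumed URL
$report  = Test-SPDomainGroup -Web $siteUrl
$report | Format-Table -AutoSize
$report |
    Where-Object { -not $_.OK -and $_.Scope -eq 'Universal' -and $_.Category -eq 'Security' } |
    ForEach-Object { Convert-ToGlobalGroup -Identity (($_.Login -split '[\\|]')[-1]) }
```

Two caveats when using this. First, SharePoint caches a user's Windows token (the `token-timeout` property, 24 hours by default in WSS 3.0 / MOSS 2007, settable with `stsadm -o setproperty -pn token-timeout -pv <minutes>`), so after changing a group's scope or membership, have the test user log off and on again, or wait for the cache to expire, before concluding the change made no difference; this cache is one reason the symptoms in the post appear intermittent. Second, security and distribution groups are the same AD object class and differ only in the security-enabled bit of `groupType`, which is why the people picker will happily resolve a distribution group and only fail afterwards; `Set-ADGroup -GroupCategory Security` flips that bit, but check with the Exchange owners first, since the group is still in use for mail.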
