In MOSS 2007 there are significant limitations to using AD Groups to apply permissions, due to the way the UserInfo table works.
UserInfo sync
The User Profile import crawls AD based on an LDAP query and pulls in the AD Users. This does not automatically update the UserInfo table in each Site Collection; that is done by a SharePoint Timer Job that runs once every hour, with a "quick" sync running once a minute per web application. The issue is that this does not scale well in large Enterprise implementations, e.g. 50,000+ users.
Select People and Groups
A good example of this is if you want to use the "Select People and Groups" interface rather than the Check Names button in a People Picker to find an AD User or AD Group: the AD User or AD Group has to be in the UserInfo table. This means that unless that AD User has authenticated to that Site Collection OR been explicitly added as an AD User with permissions to an object in the Site Collection, the AD User will not be in the UserInfo table and therefore will not appear in the "Select People and Groups" search screen. This is a major limitation of trying to use AD Groups for permissions in a Site Collection, and if you go back to using AD Users instead, you will hit the limitation of 2000 AD Users within a SharePoint Group.
My Links in My Sites
Another example of how reliant SharePoint is on the UserInfo table is "My Links". If an AD User is not explicitly added to a Site's Members Group for permissions, the Site will not be added automatically to the "My Links" in their "My Site".
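The sync and picker behaviour described above can be checked directly from a MOSS 2007 server. The following PowerShell script is an added example, not code from the original post: it loads the WSS 3.0 object model, lists what is actually in a site collection's UserInfo table (exposed as SPWeb.SiteUsers), reports whether given AD accounts are present, optionally pre-registers missing ones with SPWeb.EnsureUser so they show up in "Select People and Groups" without being granted any permission, and warns about SharePoint groups approaching the 2000-member limit the post mentions. The site URL, account names and the 1500 warning threshold are assumptions chosen for illustration; the script must run on a web front end under an account that is a site collection administrator.

```powershell
# Added example (not from the original post): audit the UserInfo table of a
# MOSS 2007 site collection through the WSS 3.0 object model from PowerShell.
# Assumptions: run on a WFE server as a site collection administrator;
# $SiteUrl and the account names below are placeholders.
param(
    [string]$SiteUrl = "http://intranet.example.local",                        # placeholder
    [string[]]$AccountsToCheck = @("EXAMPLE\jdoe", "EXAMPLE\Finance Users"),   # placeholders
    [switch]$Register   # when set, pre-register missing accounts with EnsureUser
)

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
try {
    $web = $site.RootWeb

    # SPWeb.SiteUsers is the object-model view of the site collection's UserInfo
    # table: every AD user or AD group that has authenticated here or been granted
    # a permission explicitly. Anything not in this list will not be found by the
    # "Select People and Groups" search.
    $entries = @($web.SiteUsers)
    $groups  = @($entries | Where-Object { $_.IsDomainGroup })
    $users   = @($entries | Where-Object { -not $_.IsDomainGroup })
    Write-Host ("UserInfo entries: {0} ({1} AD users, {2} AD groups)" -f $entries.Count, $users.Count, $groups.Count)

    foreach ($acct in $AccountsToCheck) {
        # -eq is case-insensitive in PowerShell, which suits DOMAIN\user login names
        $found = $entries | Where-Object { $_.LoginName -eq $acct }
        if ($found) {
            Write-Host "present : $acct"
        } elseif ($Register) {
            # EnsureUser resolves the account against AD and writes it into the
            # UserInfo table without granting any permission on the site.
            $u = $web.EnsureUser($acct)
            Write-Host ("added   : {0} (ID {1})" -f $u.LoginName, $u.ID)
        } else {
            Write-Host "MISSING : $acct (not in the picker until it authenticates or is granted access)"
        }
    }

    # SharePoint groups hold direct AD user members; the post notes a practical
    # ceiling of 2000 members per group, so warn once a group passes an assumed
    # 1500-member threshold.
    foreach ($g in $web.SiteGroups) {
        $n = $g.Users.Count
        if ($n -gt 1500) {
            Write-Warning ("SharePoint group '{0}' has {1} members (limit noted in the post: 2000)" -f $g.Name, $n)
        }
    }
}
finally {
    # SPSite holds unmanaged resources; always dispose it.
    $site.Dispose()
}
```

Run it without -Register first to see which accounts the picker will not find; run it again with -Register only for accounts you deliberately want visible in the picker, since EnsureUser adds them to the UserInfo table of that site collection alone and does not replace the hourly profile sync.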
External References
Comments (1)
Oct 31, 2009
Anonymous says:
You really should check out http://sharepointchick.com/archive/0001/01/01/user-profiles-and-the-user-information-list-or-userinfo-table.aspx
to see how this actually behaves