SharePoint V3: Pros and Cons of Managing Users and Groups

Here is a whiteboard dump from a session I had earlier today.

Provisioning SharePoint sites using Active Directory users:

Pros:
* Site Members web part displays the names of the users
* Provisioning can be delegated to site owners instead of IT
* User names and respective permission levesls are visible on Permissions screen

Cons:
* Portals with large memberships require a lot of maintenance
* Sub-sites that do not inherit security from parent require a lot of maintenance
* Adding and Removing members requires constant maintenance


Provisioning SharePoint sites using Active Directory groups:

Pros:
* Administration can be done completely from Active Directory
* Mail-enabled security groups provide a way to delegate group membership to people who are not AD administrators (they can manage memberships through Outlook global address book)
* Can nest AD groups within other AD groups to automate the process of provisioning users in SharePoint sites

Cons:
* Site members web part will display group names but not user names
* It isn't possible to view user membership from the SharePoint site permissions page, only group names appear
* Detailed security audit requires parsing multiple queries to Active Directory and SharePoint