SharePoint Groups or AD Groups: When to use Which?

NOTE: This blog has been moved to http://blog.philwicklund.com. If you'd like assistance, leave a comment on the copied post in the new location (hint, use search on the right to find the post).


It is often stated that you ought to use Active Directory (AD) groups as much as possible, if not always. However, any seasoned SharePoint administrator knows that it is impossible to always use AD groups, and the line for when to switch over to SharePoint groups is often blurry. Another complicating factor is knowing when it is appropriate to simply add users individually to SharePoint objects without first adding them to a group. These "explicit" permissions can be hard to control.


Below is a decision tree I put together to know when to use which. Start at stage 1, and use what is suggested when you first answer "Yes". If the first 5 stages all come back as "No", just add the users individually. Hope it helps!


DECISION TREE FOR GROUP TYPES:

1 - If the group will contain more than 50 users:
    If yes, an AD group is required.

2 - If the group needs to be leveraged across multiple Site Collections:
    If yes, an AD group is required.

3 - If the group will be provisioned onto objects that have audit implications:
    If yes, an AD group is required.

4 - If the group will be provisioned onto multiple objects within the same Site Collection:
    If yes, a SharePoint group is required.

5 - If membership to the group requires approval by the Site Collection administrator (sensitive assignments):
    If yes, a SharePoint group is required.

6 - Else, adding users to the objects individually is acceptable…


RATIONALE OF EACH STAGE


STAGE 1) If the group will contain more than 50 users, then AD Group

The threshold of 50 users is not set in stone, but it is important to remember that as group membership increases, so does maintenance. If a site collection administrator is managing SharePoint groups with hundreds or thousands of users in them, that will undoubtedly consume large amounts of their time. It is a better practice to offload that maintenance onto an IT help desk of some sort, whose specialty is such activities and who can commit to SLAs, etc.


STAGE 2) If the group needs to be leveraged across multiple site collections, then AD group

SharePoint groups are scoped to a single site collection and never span more than one. Therefore, if a group of users needs to be given permissions within multiple site collections, SharePoint groups will not be an option; rather, an AD group is required.


STAGE 3) If the group will be provisioned onto objects that have audit implications, then AD group

When dealing with SOX or HIPAA information, it is best to stick with AD groups because there are more third-party reporting appliances that can be leveraged during an audit.


STAGE 4) If the group will be provisioned onto multiple objects within the same site collection, then SharePoint group

You never want to reinvent the wheel. Why manage the same set of users in 10 different places? It is better to create a SharePoint group, even if it only has 5 users in it.


STAGE 5) If membership to a group requires approval

Built right into SharePoint, you can set up requests for group membership which can be approved or denied. If you have sensitive content in your site collection, you may want to leverage these approval capabilities, because if people add users individually to content, there is no notification or approval process that you can tap into.


STAGE 6) Else, adding users to the objects individually is acceptable…

If stages 1-5 come back as "No", there is no reason not to simply add the users individually without adding them to a group first.
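As an added example (not part of Phil's post), here is a PowerShell audit that applies stages 1, 5 and 6 of the decision tree to an existing site collection through the SharePoint Server object model: it flags SharePoint groups above the 50-user threshold, groups that auto-accept join requests without an approval step, and users granted permissions individually rather than through a group. It assumes it runs in the SharePoint Management Shell on a farm server; the site URL and the threshold parameter are assumed values.

```powershell
# Added example (not from the original post): audits one site collection
# against stages 1, 5 and 6 of the decision tree using the SharePoint Server
# object model. Assumes the SharePoint Management Shell on a farm server;
# $SiteUrl and $MaxGroupSize are assumed values, not from the post.
param(
    [string]$SiteUrl = "http://sharepoint.example.com/sites/finance",  # assumed
    [int]$MaxGroupSize = 50                                             # stage 1 threshold
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$site = Get-SPSite -Identity $SiteUrl
try {
    # Stage 1 / stage 5: SharePoint groups that have outgrown manual upkeep,
    # or that accept join requests automatically, bypassing any approval.
    foreach ($group in $site.RootWeb.SiteGroups) {
        if ($group.Users.Count -gt $MaxGroupSize) {
            "[Stage 1] Group '{0}' has {1} members; consider an AD group" -f $group.Name, $group.Users.Count
        }
        if ($group.AllowRequestToJoinLeave -and $group.AutoAcceptRequestToJoinLeave) {
            "[Stage 5] Group '{0}' auto-accepts join requests; no approval step" -f $group.Name
        }
    }
    # Stage 6: explicit per-user assignments on every web with unique permissions.
    foreach ($web in $site.AllWebs) {
        try {
            if (-not $web.HasUniqueRoleAssignments) { continue }
            foreach ($ra in $web.RoleAssignments) {
                $member = $ra.Member
                # An SPUser with IsDomainGroup = $false is an individual account;
                # IsDomainGroup = $true means an AD group, which stages 1-3 allow.
                if ($member -is [Microsoft.SharePoint.SPUser] -and -not $member.IsDomainGroup) {
                    $roles = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                    "[Stage 6] {0}: user '{1}' granted '{2}' directly" -f $web.Url, $member.LoginName, $roles
                }
            }
        } finally {
            $web.Dispose()
        }
    }
} finally {
    $site.Dispose()
}
```

Stage 6 findings are not errors by themselves (the post allows individual assignments when stages 1-5 are all "No"), but the list is the inventory of explicit permissions the post warns are hard to control.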


Phil