Hi All;Can you share your best practice about user management in Sharepoint 2007. I`m trying to set user permissions on site and document library level.> Is it ok to use AD Users and Groups directly in sharepoint or is it better to import users and groups into sharepoint from Central Administration ?Thank You, Can Atuf Kansu

Big topic... but in a nutshell Use AD groups where possible - administration in SharePoint is cleaner (and it often pushs the user administration work to someone else!) Use SharePoint groups and add both AD users and AD groups to the SharePoint groups Avoid user by user permissions at all cost (it becomes a support and a security nightmare) > I`m trying to set user permissions on site and document library level.Maybe... For site access, create SharePoint groups at the site level, add users, and add permissions levels For library access, create SharePoint groups at the site level, add users, but don't add permission levels Then break inheritance at the library level, add the group and assign permission levelsMike Smith TechTrainingNotes.blogspot.com

Thanks Again Mike;You cleared my thoughts about this issue also, I`m already using part of your advices, and will be remember others that I haven`t thought before. By the way I have a problem about this topic that I created a seperate thread maybe you can give me your thoughts about it too.> That thread is: http://social.technet.microsoft.com/Forums/en/sharepointadmin/thread/9842c8c7-33c5-4da0-ac55-4bb897fe72e7Thanks,Can Atuf Kansu

Dear Mike, Just read your reply and its a good advice. Although I wanted to further ask the concern that our IT team has. We want to give the access to the business users so that they can add users to their sites, libraries and folders etc. But the IT team is worried that if the business users are able to play with the access rights, they may lock down the IT itself from accessing their site. Is this possible and what would you suggest as a best practice for this? Since the user requirements are very specific, it will be good if they can manage their own access requirements for their libraries and folders otherwise it will be a huge administrative overhead for IT. Regards, Sach

> But the IT team is worried that if the business users are able to play with the access rights, they may lock down the IT itself from accessing their site. The Site Collection Administrator (Site Actions, Site Settings, Site Collection Administrators) can always access and overrule anything a Site Owner (Full Control) can do. The server administrator using Central Administration can at anytime add and remove Site Collection Administrators. So "users" cannot lockout IT. (They can lock themselves out, which can be a bit embarrassing.) Server Administrators using Central Admin have full control over Site Collection Administrators (and Site Collection content if they so choose) Site Collection Administrators have full control over their site collection, all subsites and can override Site Owners Site Owners (Full Control) can add and remove users, including Team Members, and can configure site, list, library, folder and item permissions Team Members (Contribute) have full control (by default) over content Mike Smith TechTrainingNotes.blogspot.com