I am an AD admin and our company is implementing our first usage of SharePoint. For some reason they are using SharePoint 2010. I don't know the reasoning behind this, but that is what they are doing.
The SharePoint team is wanting to leverage AD groups for the site permissions, rather than SharePoint groups. This is fine by me, but I have some concerns about the number of AD security groups that are going to be created for our sites. We have roughly 1200 sites that are going to be created (we know this rough number at setup as we are migrating away from another platform). Of course there will be additional SharePoint sites that are created as we move along in operation as well.
We have a consultant team in that is recommending that we create 3 AD groups for each SharePoint site. SharePoint-SiteX-Owner, SharePoint-SiteX-Contributor, and SharePoint-SiteX-Read. Then you either add AD users or groups to one of these 3 groups depending on what access/control is required.
My concern is that this could potentially increase an AD user's group membership by 200-300 in some cases. AD has hard limits on security token size (1024 groups and a 12 KB token size in most cases), and adding 200-300 groups will severely affect some users' token size.
My question is: is creating 3 AD groups for each site considered "best practice"?
A follow-up question is: could you get around some of these sizing problems by giving "Domain Users" read access as the default for most SharePoint sites? In other words, have only 2 groups (contributor and owner) for most sites.
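To measure the token-bloat risk the question describes before the groups are created, the following added script (not from the original post) estimates each user's Kerberos token size from the transitive group SIDs in the `tokenGroups` attribute, using Microsoft's published estimate of 1200 bytes plus 40 bytes per domain-local (or foreign) group and 8 bytes per global/universal group from the account domain. It assumes the ActiveDirectory module is available and that the 12 KB threshold from the question is the limit you care about; the 1024-group cap is reported separately.

```powershell
# Added example: audit users against the 12 KB token size and 1024-group limits
# discussed above. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user  = Get-ADUser -Identity $SamAccountName -Properties distinguishedName
    # tokenGroups is a constructed attribute: read it through ADSI with RefreshCache,
    # it already contains the nested (transitive) security group membership.
    $entry = [ADSI]("LDAP://" + $user.DistinguishedName)
    $entry.RefreshCache(@("tokenGroups"))

    $domainLocal = 0; $globalOrUniversal = 0
    foreach ($raw in $entry.Properties["tokenGroups"]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        try {
            $g = Get-ADGroup -Identity $sid.Value -Properties groupScope
            if ($g.GroupScope -eq 'DomainLocal') { $domainLocal++ } else { $globalOrUniversal++ }
        } catch {
            # SIDs that do not resolve in this domain (foreign/trusted domain groups,
            # SID history) are counted at the larger 40-byte rate, per the estimate formula.
            $domainLocal++
        }
    }

    # Estimate from Microsoft KB 327825: TokenSize = 1200 + 40d + 8s
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = $domainLocal + $globalOrUniversal
        EstimatedBytes = 1200 + (40 * $domainLocal) + (8 * $globalOrUniversal)
    }
}

function Find-OversizedTokens {
    # Report users whose estimate exceeds the thresholds from the question.
    # -SearchBase is an assumed parameter so a pilot OU can be checked first.
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$MaxBytes  = 12KB,
        [int]$MaxGroups = 1024
    )
    Get-ADUser -Filter 'enabled -eq $true' -SearchBase $SearchBase |
        ForEach-Object { Get-EstimatedTokenSize -SamAccountName $_.SamAccountName } |
        Where-Object { $_.EstimatedBytes -gt $MaxBytes -or $_.GroupCount -gt $MaxGroups } |
        Sort-Object EstimatedBytes -Descending
}

Find-OversizedTokens | Format-Table -AutoSize
```

Run it once against the current directory to get a baseline, then add the projected per-site group count (3 per site the user would own or contribute to) to each user's GroupCount to see who would cross the limits under the consultant's design.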