AD group or Team Foundation Group?

What is the best way, when administrating permissions in TFS?

Option 1: Add users to a AD group, add the group to the project, and set permissions there?

Option 2: Add users to a AD group, add the group to a TFS group (like 开发者_Python百科Contributers), and set permissions there?

I don't know about best, but when I needed to delegate administration of the membership of TFS groups I went the AD group way. I took that approach because I could delegate control of the AD "team members" group to a "team administrators" group (which controlled itself).

This approach also allowed the same AD groups to be used to provider authorisation in SharePoint: a single point of control to multiple resources.

The former was definitely a preference, the latter only possible with the AD approach.

EDIT (to address refined question): Option 2 (assign permissions to TFS groups, add AD groups to TFS groups, assign users to AD groups) has the advantage of letting a TFS group have multiple AD group members (eg. a project with contributors from two organisational groups).

Other than that, there is little practical difference. I would take option 2 because of the additional bit of flexibility it gives, and because I wouldn't need to copy access rights to another group (always error prone).