What are the security concerns when using AD distribution groups to control access to program features?

I'm relatively new to using AD, and I'm using group memberships to control what features and functions are loaded/visible to a开发者_C百科 given user, both in web and desktop applications.

AD has security groups and distribution groups, and I'm using some of each to get fine-grained discrimination among roles.

What should be my concerns about using distribution groups in this way?

You might consider looking at AzMan (Authorization Manager).

It can be tied to active directory accounts and completely stored within AD. AzMan provides a lot more fine grained control over Roles and even Actions allowed. In short you would code your apps to test if the user is authorized for particular Actions. When creating Roles you would assign one or more actions to that role.

This would allow you to mix and match actions in various roles as necessary without having to change your code base. I've used it extensively and it's pretty good.

The downside to just using regular AD groups is that you might end up with dozens or even hundreds (depending on the complexity of your apps) roles that pollute the AD space.

For example, let's say you want to have a security check before allowing an account to be deleted. In AzMan you would create an AccountDelete action and assign that action to one or more roles like Administrator, Account Administrator, etc.

In AD you would have to create a new group altogether and assign it out. This gets very complicated very quickly.