7 Cool and Useful Things about AD Group Policies
Michael Hinckley

A mentor told me early in my career that every Microsoft-based project is an Active Directory project. He was right. Every migration or upgrade seems to have a sticky AD glitch. That's across products and delivery models — Exchange, SharePoint, on premise, in the cloud.

You'll never get rid of the stickiest Active Directory issues, but there are a few common ways to use Office 365 Groups to mitigate many headaches. This post will give you a quick yet clear overview of Office 365 Groups and walk you through real-world applications to highlight just how useful they can be to you.

Overview of Office 365 Groups

Office 365 Groups is a powerful feature that allows teams to create the tools needed without having to go ask IT. It's the foundational membership service that creates workspaces and allows people both inside and outside your organization access to a collection of collaboration resources.

Here is a list of just some of the tools you get access to when creating a (Private or Public) Group.

  • A shared Outlook inbox
  • A shared calendar
  • A SharePoint document library
  • A Planner
  • A OneNote notebook
  • Power BI
  • Yammer (if you create it in Yammer)
  • A Team (if you create it in Teams)

When creating a Group, you can add additional users into three main permission levels and roles: owner, member, and guest. Permissions can be confusing, so we put together this table to best highlight the capabilities of each.

Office 365 Group Permission Levels       | Owner | Member | Guest
-----------------------------------------|-------|--------|------
Create a group                           |   X   |   X    |
Join a group                             |   X   |   X    |   X
Delete a group                           |   X   |        |
Add/remove group members                 |   X   |        |
Access group site                        |   X   |   X    |
Start/reply to a conversation            |   X   |   X    |   X
Delete conversations from shared inbox   |   X   |        |
Manage meetings                          |   X   |   X    |
View/modify group calendar               |   X   |   X    |
View/edit group files                    |   X   |   X    |   X
Access group OneNote notebook            |   X   |   X    |   X
Change group settings                    |   X   |        |
Rename the group                         |   X   |        |
Update the group description or picture  |   X   |        |

Sounds good right? It sounds even better when you look at the specifications. Office 365 Groups really offers some sizable advantages.

Group limits                               | Value
-------------------------------------------|------
Owners per group                           | 100
Groups a user can create                   | 250
Groups an admin can create                 | Up to default tenant limit of 500K
Number of members                          | More than 1,000, though only 1,000 can access the Group conversations concurrently.
Number of Groups a user can be a member of | 1,000
File storage                               | 1 Terabyte + 10 GB per subscribed user + any additional storage purchased. You can purchase an unlimited amount of additional storage.
Group Mailbox size                         | 50 GB

It is not an App. Not a solution. A Group in Office 365 is a shared collection of users and permissions to other Office 365 apps like Teams, Exchange, and SharePoint.

That is a lot of features, space, size, tools, and permission administration given to non-IT admin staff. You must be asking yourself, "Doesn't this fly in the face of traditional IT solution provisioning?" And you would be right to think that, but let us examine in closer detail why this is a good thing.

Why is This a Game Changer?

When using Office 365 Groups, you no longer need to manage permissions for each individual solution. Group members automatically get the permissions they need to use all the tools available to the group.

Previously, the items in the table above were only granted by IT or created in a rogue manner. Rogue IT, or shadow IT, has long been a real pain point for IT administration. Typically, a user (or set of users) would run into a roadblock and have to go outside the organization to find a solution. The next thing you know, intellectual property and client interaction happen off the ranch. One of the reasons this occurred was that gaining access always meant creating or configuring users and groups in Active Directory.

Even back on the ranch, you could still have problems such as too many SharePoint site collections being created without thought or planning. This has always caused storage nightmares, as well as permission quagmires.

Why the Big Change and Why is it Good?

In an on-premise world, one big thing you always must account for is storage space. How much will our network and servers be able to handle? How much backup do we need to account for? The list of questions can go on for a while. In the cloud, Microsoft gives organizations so much storage space that most admins really should not have to worry about space limitations.

Search and Office Graph

This does not get as much press as some other end-user solutions, but make no mistake: Office Graph is basically why you can find stuff in Microsoft products. Microsoft Graph accesses relationships, documents, contacts, and preferences, then makes them contextually relevant to a user.

Simply put: Microsoft Search can find anything quickly. This ready-to-use service replaces the many hours it used to take to fine-tune search functionality in SharePoint. And that does not even cover the costs of having to buy, install and configure servers. Yes, that's servers, plural, just for search.

Strain on IT

Typically, IT departments do not have a SharePoint team unless the organization is large, so for most IT teams SharePoint site provisioning and access is an added pain. Because Office 365 is in the cloud, has so much space, and people can find things easily, you can see why letting users have so much creation access makes sense. Plus, they can do it all within the ranch and not via outside rogue solutions.

How Do You Best Use Groups?

To be able to answer that, you will need to know how your team wants to communicate. Are they a group that prefers email and works best in Exchange? Are they a chatty bunch that prefers IM feeds? Or do they want to go straight to files?

Let us look at a few scenarios to give you a better feel of what and how to use Groups. While there is some replication at a high level, it all comes down to how, and in what tool, your user base works best.


An Account Management Team would make perfect sense for an Exchange-based Group. Many times, more than one person helps run an account, so being able to respond to all client inquiries is a priority. Having a dedicated email inbox and client calendar would help a team greatly, because no one would need to set up their own inboxes with a series of subfolders that could perhaps house confusing duplicates of messages and files. Files can be stored on the default SharePoint site the Group automatically gets or they can be routed to other sites for specialty teams to handle.

Quick Tip

Make sure to include the Group email in the cc field. Users are going to move in and out of their personal and Group email boxes. Keeping messages cc'd will help keep items and people in order. People may leave a group or the company — and by cc'ing, everything can still be found.


Continuing from our Account Management team example, let's say that the team needs to pass on specific forms, files, and documents to another team in the back office that handles the processing of such items. This back-office team deals with scores if not hundreds of files a day. Their work processes do not include any interaction with clients, so all files hit a document library and are tagged with the proper metadata. That metadata then runs logic on workflows that help the team complete and track work. When ready, files are routed back to the Account Management team via an automated email, where they are then passed on to the client or stay archived in SharePoint.

Quick Tip

This back-office team runs on metadata, tagging, and versioning, so SharePoint would be the way to go. While you can surface files in document libraries available in Exchange Groups and Teams, the extra data-driven thrust makes SharePoint the "go-to" option. Adding Member users who do the work and Guest users (the Account Management team) who view the work is seamless and easy. No IT intervention needed.


Our Account Management and back-office teams are so efficient that one of the largest accounts is happy to increase workloads and open new opportunities to increase their business. Now they will need to engage the consulting team. New processes and automations need to be discussed before new solutions can be put into practice. This aspect needs to be run as a project.

Given the nature of projects and the use of contractors, it is decided that Teams will be the app of choice. Most of the project team is remote and needs to collaborate on proposals and files. The Microsoft Teams option provides them all with a quick and easy space to conduct their work and keep in touch via persistent chat and audio/video calls. Even if some members are contractors, a non-IT Owner can still efficiently create and set up this Group so that it stays private yet open to non-full-time users.

Quick Tip

If your users are not Exchange-bound, prefer IM, want audio and video calls, and do not need extra features like metadata, Teams will be the fastest and most efficient option.

Wrapping Up

As you can see, setting up a Group is an easy task and can create many safe opportunities for an organization to maximize communication and collaboration without having to do time-consuming planning sessions or wait for IT to execute.

More and more organizations need to be efficient yet secure when offering solutions to users. With few configurations, Groups can quickly let you manage users and access effectively like never before.


