Using Active Directory Groups with Reporting Services

  • Article

I have received several questions from customers, the latest in a conference call today, wondering how Reporting Services works with Active Directory groups

The question goes along the lines - How do I configure Reporting Services to use Active Directory groups?, or Do I need to write a custom security extension to use Active Directory groups with Reporting Services?

There are two kinds of groups in Active Directory:

1) Security Groups

2) Distribution Groups

In both cases you should be able to use these groups out of the box, so long as your computer is a member of the Domain or a Trusted Domain of the Active Directory server in question. So by default you should have to do exactly nothing to get this to work.  

Here comes the fine print :-).

Security Groups:

Reporting Services uses Windows Security by default. If your computer is a member of the Domain or a Trusted Domain of the Active Directory server in question, then you do not need to do anything. 

This is true across the Reporting Services product - it applies equally to namespace security (folders, reports, resources, shared data sources), server security (server level policies/role assignments), or Model Item security (entities, attributes, roles, folders, etc.).

The reasons for needing to use Custom Authentication also known as a security extension are usually:

1) You want to expose Reporting Services on the Internet, where your users are not Domain users, and you do not want to add them as local users on the Windows computer.

2) You have a 3rd party security solution (e.g. single sign-on) that you want Reporting Services to be part of.

3) You have an existing application that has it's own implementation of users/groups and you want to use Reporting Services seamlessly with that application's security context.

So to summarize - using Active Directory to secure things in RS is supported out of the box, so long as the Reporting Services computer is in the Domain or a Trusted Domain of the Active Directory your groups exist in.

Distribution Groups

Distribution groups are aliases to which you can send email/notifications. Reporting Services allows you to specify distribution group names when creating e-mail. The resolution of to which actual recipients the messages should be sent is left to the mail server. For example, Exchange auto resolves the group names. Distribution groups cannot be used to secure items, and security groups cannot be used as destinations for e-mail. The rule of thumb is that if you can send e-mail to a distribution group from your desktop, so can the Report Server (probably ;-).

Take care, and best luck.