We have a strict sync process between AD and SAS metadata which works very well. If there is a risk, it probably will come from a lack of discipline, because manual updates can interfere with the ones coming from AD. That may yield errors and problems resulting from an incomplete sync. We just don't do manual updates; any new user or group membership change will go through an audited and monitored approval process. And that's it. So this is taken from IT to the business, where we feel it belongs. We see or experience no downside.
In fact, if you take the trouble of adding Kerberos authentication to the mix, you can set up an authentication and authorization process that runs itself and extends beyond the metadata to the filesystems and back-end database management systems (we extend it to the Teradata realm). Users, admins and security officers will benefit equally. No more password resets or locked out users. And very clear reporting. In short, highly recommended.
If you want syncing managed from SAS Management Console, have a look at the Metacoda plug-ins. They have done wonders in this field.
Regards,
- Jan.