Documentation for Access Rights Manager

Set AD group types for the Group Wizard

Specify the model according to which the Group Wizard creates groups.

Once you have selected a model and saved the configuration, the model cannot be changed here. Migrating existing groups to a different model afterwards is extremely cumbersome, so choose carefully!

More information regarding the use of AD groups can be found on the following pages and in the article Understanding Groups (© 2020 Microsoft, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd861330(v=ws.11), obtained on January 30, 2020).

 

Use local AD groups

A -> DL -> P

A - account (user account)

DL - domain local group (local AD group)

P - permission

 

  1. Access Rights Manager creates AD groups with the type local.
  2. Access Rights Manager adds the required users to this group.
  3. Access Rights Manager assigns permissions to file server resources for this group.

 

Advantages
  - Users and groups from other domains or forests can be members of a domain local group and thereby be assigned permissions.

Disadvantages
  - Membership in a domain local group requires 40 bytes of storage in the Kerberos token. This can cause the maximum permitted Kerberos token size (MaxTokenSize) to be exceeded, especially in large environments where users have a large number of group memberships.
  - Domain local groups are only visible and usable in the domain in which they were created; they can only be assigned permissions on resources in that domain.

 

Use global AD groups

A -> G -> P

A - account (user account)

G - global group (global AD-group)

P - permission

 

  1. Access Rights Manager creates AD groups of the type global.
  2. Access Rights Manager adds the required users to this group.
  3. Access Rights Manager assigns permissions to file server resources for this group.

 

Advantages
  - Membership in a global AD group requires only 8 bytes of storage in the Kerberos token. This is the most "frugal" group type if you are running into Kerberos token size limits.

Disadvantages
  - Only users and groups of the same domain can be members of a global AD group. This approach is therefore unsuitable for multi-domain environments.

 

Use universal AD groups

A -> U -> P

A - account (user-account)

U - universal group (universal AD-group)

P - permission

 

  1. Access Rights Manager creates AD groups with the type universal.
  2. Access Rights Manager adds the required users to this group.
  3. Access Rights Manager assigns permissions to file server resources for this group.

 

Advantages
  - Membership in a universal group requires 8 bytes (group in the user's own domain) or 40 bytes (group in a foreign domain) of storage in the Kerberos token.
  - A universal group can contain members from, and be assigned permissions in, any domain that belongs to the same forest. The same group can therefore be used in multiple domains within one forest.

Disadvantages
  - Universal AD groups may not have domain local AD groups as members. Nesting (parent-child relationships) is subject to this restriction as well.
  - Universal groups cannot be used across multiple forests. This approach is therefore unsuitable in multi-forest environments.
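The 8-byte and 40-byte figures quoted for the three group types above come from Microsoft's token size estimate (KB 327825: TokenSize = 1200 + 40d + 8s, where d counts domain local groups and universal groups from other domains, plus SIDs in SIDHistory, and s counts global groups and universal groups from the user's own domain). The following PowerShell function is an added example, not part of this page or of Access Rights Manager, that applies that formula to a constructed list of memberships so you can see how the Group Wizard model affects the token before you commit to it. The group list, domain name and MaxTokenSize default are assumptions made for the illustration.

```powershell
# Added example (not Access Rights Manager code): estimate a user's Kerberos token size
# from group memberships using the Microsoft KB 327825 formula:
#   TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups from OTHER domains (+ SIDHistory entries)
#   s = global groups + universal groups from the user's OWN domain
function Get-EstimatedKerberosTokenSize {
    param(
        # Objects with Name, GroupScope ('DomainLocal','Global','Universal') and DomainDnsName
        [Parameter(Mandatory)] [object[]] $Groups,
        [Parameter(Mandatory)] [string]   $UserDomainDnsName,
        [int] $SidHistoryCount = 0,
        # Assumed limit: 12000 bytes was the default MaxTokenSize before Windows Server 2012,
        # 48000 bytes from Windows Server 2012 on; pass the value your domain actually uses.
        [int] $MaxTokenSize = 12000
    )
    $d = $SidHistoryCount
    $s = 0
    foreach ($g in $Groups) {
        switch ($g.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   {
                # 8 bytes in the user's own domain, 40 bytes when the group lives elsewhere
                if ($g.DomainDnsName -ieq $UserDomainDnsName) { $s++ } else { $d++ }
            }
            default { throw "Unknown group scope '$($g.GroupScope)' for group '$($g.Name)'" }
        }
    }
    $size = 1200 + 40 * $d + 8 * $s
    [pscustomobject]@{
        DomainLocalAndForeignUniversal = $d
        GlobalAndOwnUniversal          = $s
        EstimatedTokenBytes            = $size
        MaxTokenSize                   = $MaxTokenSize
        ExceedsLimit                   = ($size -gt $MaxTokenSize)
    }
}

# Constructed sample (not real data): 300 direct memberships in the user's own domain,
# once modelled as domain local groups and once as global groups.
$userDomain    = 'corp.example.com'
$asDomainLocal = 1..300 | ForEach-Object {
    [pscustomobject]@{ Name = "l_fs01_share$_"; GroupScope = 'DomainLocal'; DomainDnsName = $userDomain }
}
$asGlobal = 1..300 | ForEach-Object {
    [pscustomobject]@{ Name = "g_fs01_share$_"; GroupScope = 'Global'; DomainDnsName = $userDomain }
}

Get-EstimatedKerberosTokenSize -Groups $asDomainLocal -UserDomainDnsName $userDomain
Get-EstimatedKerberosTokenSize -Groups $asGlobal      -UserDomainDnsName $userDomain
```

With the constructed sample, the domain local variant works out to 1200 + 40 * 300 = 13200 bytes and exceeds a 12000-byte MaxTokenSize, while the same 300 memberships as global groups come to 1200 + 8 * 300 = 3600 bytes. For a real user, feed the function the output of Get-ADPrincipalGroupMembership (direct memberships only; nested memberships, as in the A-G-DL-P model, also end up in the token and must be counted). The formula is an estimate: KDCs from Windows Server 2012 onwards compress resource SIDs, so the real ticket can be smaller than this upper bound.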

 

Use local and global AD groups

A -> G -> DL -> P

A - account (user-account)

G - global group (global AD-group)

DL - domain local group (local AD-group)

P - permission

 

Consider all groups created by the group wizard as file server resource groups. You should not use these groups for other purposes (for example: VPN access).

 

  1. Access Rights Manager creates a group of the type global for users.
  2. Access Rights Manager adds the desired users to the global group.
  3. Access Rights Manager creates another group of the type local.
  4. Access Rights Manager nests the groups: the global group (child) becomes a member of the domain local group (parent).
  5. Access Rights Manager gives the local group access rights to file server resources.

 

Example

"Sam Sales" (A) -> "g_fs01_share01_sales_md" (G) -> "l_fs01_share01_sales_md" (DL) -> permission (P) "Modify" on the folder "Sales".
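The five steps above are what the Group Wizard performs for you. To make the resulting A -> G -> DL -> P chain concrete, here is an added PowerShell example that builds the same structure by hand with the ActiveDirectory module and an NTFS ACL entry. It is not Access Rights Manager's own code: the function name, OU path, domain name, folder path and account name are assumptions made for the illustration, and the naming scheme simply follows the example above.

```powershell
# Added example (not Access Rights Manager code): build A -> G -> DL -> P manually.
# Assumptions: the ActiveDirectory module is installed, the script runs as an account that may
# create groups in $GroupOU and change the folder ACL, and all objects live in one domain.
Import-Module ActiveDirectory

function New-FileServerResourceGroups {
    param(
        [Parameter(Mandatory)] [string]   $GlobalGroupName,   # e.g. g_fs01_share01_sales_md
        [Parameter(Mandatory)] [string]   $LocalGroupName,    # e.g. l_fs01_share01_sales_md
        [Parameter(Mandatory)] [string]   $FolderPath,        # e.g. \\fs01\share01\Sales
        [Parameter(Mandatory)] [string]   $GroupOU,           # OU that will hold both groups
        [Parameter(Mandatory)] [string]   $Domain,            # NetBIOS name used in the ACL identity
        [string[]] $Members = @(),                            # sAMAccountNames of the users (A)
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify'
    )

    # Steps 1 and 2: the global group holds the user accounts (A -> G).
    $g = New-ADGroup -Name $GlobalGroupName -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Description "File server resource group (members) for $FolderPath" -PassThru
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $g -Members $Members }

    # Step 3: the domain local group is the one that will appear in the ACL (DL -> P).
    $dl = New-ADGroup -Name $LocalGroupName -GroupScope DomainLocal -GroupCategory Security `
            -Path $GroupOU -Description "File server resource group (permissions) for $FolderPath" -PassThru

    # Step 4: nesting, the global group (child) becomes a member of the domain local group (parent).
    Add-ADGroupMember -Identity $dl -Members $g

    # Step 5: grant the domain local group the NTFS rights, inherited by subfolders and files.
    $acl  = Get-Acl -Path $FolderPath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                "$Domain\$LocalGroupName", $Rights,
                'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Check: the ACL entry should name only the DL group, and the DL group should contain only the G group.
    $aclEntry = (Get-Acl -Path $FolderPath).Access |
                Where-Object { $_.IdentityReference -eq "$Domain\$LocalGroupName" }
    $nested   = Get-ADGroupMember -Identity $dl | Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        GlobalGroup  = $g.DistinguishedName
        LocalGroup   = $dl.DistinguishedName
        NestedGroups = $nested
        AclRights    = $aclEntry.FileSystemRights
    }
}

# Mirrors the example: "Sam Sales" -> g_fs01_share01_sales_md -> l_fs01_share01_sales_md -> Modify on "Sales"
New-FileServerResourceGroups -GlobalGroupName 'g_fs01_share01_sales_md' `
    -LocalGroupName 'l_fs01_share01_sales_md' -FolderPath '\\fs01\share01\Sales' `
    -GroupOU 'OU=FileServerGroups,DC=corp,DC=example' -Domain 'CORP' -Members 'samsales'
```

The domain local group must be created in the domain of the file server, because that is the only domain in which it can be placed on an ACL. For members from another domain, as in the "option enabled" case described below this example, the global group is created in the member's domain instead (with -Server pointing at a domain controller there) and that group is nested into the domain local group in the resource domain; this single-domain example does not do that. Keep both groups reserved for this one folder, as the page advises, so that the ACL and the group membership stay a faithful description of who can do what.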

 

Option enabled (recommended)

The global group is created in every domain in which members are located (possibly several times, once per domain). Only with this option enabled can access rights be assigned across multiple domains.

 

Option disabled

The global group is only created in the domain that the resource is located in. In this scenario it is not possible to assign access rights across multiple domains.

 

Advantages
  - The A-G-DL-P principle offers a variety of options and approaches in multi-domain and multi-forest environments.

Disadvantages
  - Users require two or more group memberships per permission (the global group at 8 bytes plus the domain local group at 40 bytes in the Kerberos token). This approach may therefore lead to issues with token size.