Set AD group types for the Group Wizard

Specify the model according to which the Group Wizard creates groups.

After you have selected a model and saved the configuration, you cannot change it. Changing the model after it has been saved is extremely cumbersome, so choose carefully!

More information regarding the use of AD groups can be found on the following pages and from Microsoft.


Use local AD groups

A -> DL -> P

A - account (user account)

DL - domain local group (local AD group)

P - permission


  1. ARM creates AD groups with the type local.
  2. ARM adds the required users to this group.
  3. ARM assigns permissions to file server resources for this group.

Advantages:
  - Users and groups from other domains or forests can be members of a local AD group and thereby be assigned permissions.

Disadvantages:
  - Membership in a local group requires 40 bytes of storage in the Kerberos token. This can cause the maximum permitted Kerberos token size to be exceeded, especially in large environments where users have a large number of group memberships.
  - Local AD groups are only visible and usable in the corresponding domain.


Use global AD groups

A -> G -> P

A - account (user account)

G - global group (global AD-group)

P - permission


  1. ARM creates AD groups of the type global.
  2. ARM adds the required users to this group.
  3. ARM assigns permissions to file server resources for this group.

Advantages:
  - Membership in a global AD group requires only 8 bytes of storage space in the Kerberos token.
  - This is the most "frugal" group type if you are having issues with Kerberos token limits.

Disadvantages:
  - Only users and groups of the corresponding domain can be members of global AD groups. This approach is therefore unsuitable for multi-domain environments.


Use universal AD groups

A -> U -> P

A - account (user-account)

U - universal group (universal AD-group)

P - permission


  1. ARM creates AD groups with the type universal.
  2. ARM adds the required users to this group.
  3. ARM assigns permissions to file server resources for this group.

Advantages:
  - Membership in a universal group requires 8 bytes (foreign domain) or 40 bytes (own domain) of storage in the Kerberos token. A universal group can be used in foreign domains as long as they belong to the same forest, so one group can serve multiple domains within the same forest.

Disadvantages:
  - Universal AD groups may not have local AD groups as members. Nested groups (parent-child relationships) are subject to this restriction.
  - Universal groups cannot be used across multiple forests. This approach is therefore unsuitable in multi-forest environments.


Use local and global AD groups

A -> G -> DL -> P

A - account (user-account)

G - global group (global AD-group)

DL - domain local group (local AD-group)

P - permission


Consider all groups created by the group wizard as file server resource groups. You should not use these groups for other purposes (for example: VPN access).


  1. ARM creates a group of the type global for users.
  2. ARM adds the desired users to the global group.
  3. ARM creates another group of the type local.
  4. ARM nests the groups: the global group (child) becomes a member of the local group (parent).
  5. ARM gives the local group access rights to file server resources.


Example

"Sam Sales" (A) -> "g_fs01_share01_sales_md" (G) -> "l_fs01_share01_sales_md" (DL) -> permission (P) "Modify" on the folder "Sales".


Option enabled (recommended)

The global group is created in every domain in which members are located (so possibly multiple times). Only by activating this option can you assign access rights across multiple domains.


Option disabled

The global group is only created in the domain that the resource is located in. In this scenario it is not possible to assign access rights across multiple domains.

Advantages:
  - The A-G-DL-P principle offers a variety of options and approaches in multi-domain and multi-forest environments.

Disadvantages:
  - Users require two or more group memberships per permission. This approach may therefore lead to issues with token size.
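To make the token-size trade-off between the four models concrete, here is a small estimator, added as an example (it is not part of the original page or of ARM). It uses the per-membership byte costs stated on this page; the 1200-byte token base and the 12000-byte default MaxTokenSize are assumptions taken from Microsoft's token-size guidance, not from this page, and can be overridden.

```python
# Bytes one group membership adds to the Kerberos token, as stated on this page.
COST = {
    "global": 8,
    "domain_local": 40,
    "universal_own_domain": 40,
    "universal_foreign_domain": 8,
}

# Group memberships a user needs for ONE file server resource under each Group Wizard model.
MODELS = {
    "A-DL-P": ["domain_local"],
    "A-G-P": ["global"],
    "A-U-P": ["universal_own_domain"],
    "A-G-DL-P": ["global", "domain_local"],
}

TOKEN_BASE_BYTES = 1200        # assumption: fixed overhead of the token (not from this page)
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumption: legacy default MaxTokenSize (not from this page)


def membership_bytes(memberships):
    """Sum the token cost of a list of membership kinds (keys of COST)."""
    return sum(COST[kind] for kind in memberships)


def token_size(memberships, base=TOKEN_BASE_BYTES):
    """Estimated token size in bytes for the given memberships."""
    return base + membership_bytes(memberships)


def resource_memberships(model, resources):
    """Memberships a user collects for `resources` shares under `model`."""
    return [kind for _ in range(resources) for kind in MODELS[model]]


def max_resources(model, max_token_size=DEFAULT_MAX_TOKEN_SIZE, existing=(), base=TOKEN_BASE_BYTES):
    """How many resources a user can be granted under `model` before the token limit is exceeded.

    `existing` lists memberships the user already has for other purposes (VPN groups etc.).
    """
    per_resource = membership_bytes(MODELS[model])
    headroom = max_token_size - base - membership_bytes(existing)
    return max(0, headroom // per_resource)


def compare_models(resources, existing=()):
    """Estimated token size per model for a user granted `resources` shares."""
    return {m: token_size(list(existing) + resource_memberships(m, resources)) for m in MODELS}


if __name__ == "__main__":
    for model, size in compare_models(200).items():
        print(f"{model:9} 200 resources -> {size} bytes, limit reached at {max_resources(model)} resources")
```

Running it shows that A-G-DL-P costs 48 bytes per resource against 8 for A-G-P, which is exactly the token-size disadvantage noted in the table above.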