Set AD group types for the Group Wizard
After you have selected a model and saved the configuration, you cannot change it. Changing the model after it has been saved is extremely cumbersome, so please choose carefully!
More information regarding the use of AD groups can be found on the following pages and in the article Understanding Groups (© 2020 Microsoft, https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd861330(v=ws.11), obtained on January 30, 2020).
Use local AD groups
A -> DL -> P
A - account (user account)
DL - domain local group (local AD group)
P - permission
Advantages | Disadvantages |
---|---|
Users and groups from other domains or forests can be members of a domain local group and thereby be assigned permissions. | Membership in a domain local group requires 40 bytes of storage in the Kerberos token. This can cause the maximum permitted Kerberos token size to be exceeded, especially in large environments where users have a large number of group memberships. Domain local groups can only be granted permissions on resources in their own domain. |
Use global AD groups
A -> G -> P
A - account (user account)
G - global group (global AD-group)
P - permission
Advantages | Disadvantages |
---|---|
Membership in a global AD group requires only 8 bytes of storage space in the Kerberos token. This is the most "frugal" group type if you are having issues with Kerberos token limits. | Only users and groups of the group's own domain can be members of a global AD group. This approach is therefore unsuitable when users from several domains need access to the same resources. |
Use universal AD groups
A -> U -> P
A - account (user-account)
U - universal group (universal AD-group)
P - permission
Advantages | Disadvantages |
---|---|
Membership in a universal group requires 8 bytes (group in the user's own domain) or 40 bytes (group in another domain of the forest) of storage in the Kerberos token. A universal group can have members from, and be granted permissions in, any domain of the same forest, so one group can be used in multiple domains within the forest. | Universal AD groups may not have domain local groups as members; this restriction also applies to nested groups (parent-child relationships). Universal groups cannot have members from other forests, so this approach is unsuitable in multi-forest environments. |
Use local and global AD groups
A -> G -> DL -> P
A - account (user-account)
G - global group (global AD-group)
DL - domain local group (local AD-group)
P - permission
Consider all groups created by the group wizard as file server resource groups. You should not use these groups for other purposes (for example: VPN access).
Example
"Sam Sales" (A) -> "g_fs01_share01_sales_md" (G) -> "l_fs01_share01_sales_md" (DL) -> permission (P) "Modify" on the folder "Sales".
Advantages | Disadvantages |
---|---|
The A-G-DL-P principle works in single-domain, multi-domain and multi-forest environments: users from any trusted domain are collected in global groups of their own domain, which are nested into the domain local group that carries the permission. | Users require two or more group memberships for each permission. This approach may therefore lead to issues with the Kerberos token size. |
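Every model above trades flexibility against Kerberos token size, so it helps to put numbers on the comparison before the configuration is saved and locked. The following Python script is an added example, not part of this page or of the Group Wizard itself. It implements the token-size estimate from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups outside the user's account domain and sIDHistory entries, and s counts global groups and universal groups in the user's own domain) and applies it to a user who receives "Modify" on N shares under each of the four models. The domain names, the number of shares, the `u_` prefix for universal groups and the placement of universal groups in the resource domain are assumptions made for the example; the `g_`/`l_` naming follows the page's own example. Windows Server 2012 and later KDCs can compress resource-domain SIDs, so treat the result as an upper-bound estimate.

```python
"""Estimate Kerberos token size per group model (formula from Microsoft KB 327825)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Scope(Enum):
    DOMAIN_LOCAL = "DomainLocal"
    GLOBAL = "Global"
    UNIVERSAL = "Universal"


@dataclass(frozen=True)
class Group:
    name: str
    scope: Scope
    domain: str  # DNS name of the domain that holds the group object


# Default MaxTokenSize in bytes: 12000 up to Windows 7 / Server 2008 R2,
# 48000 from Windows 8 / Server 2012 on.
MAX_TOKEN_SIZE_LEGACY = 12000
MAX_TOKEN_SIZE_DEFAULT = 48000

MODELS = ("A-DL-P", "A-G-P", "A-U-P", "A-G-DL-P")


def sid_bytes(group: Group, user_domain: str) -> int:
    """Bytes one group membership occupies in the user's Kerberos token.

    KB 327825: global groups and universal groups in the user's own domain cost
    8 bytes; domain local groups and universal groups from another domain of the
    forest cost 40 bytes.
    """
    if group.scope is Scope.GLOBAL:
        return 8
    if group.scope is Scope.DOMAIN_LOCAL:
        return 40
    return 8 if group.domain.lower() == user_domain.lower() else 40


def estimate_token_size(groups: List[Group], user_domain: str, sid_history: int = 0) -> int:
    """TokenSize = 1200 + 40*d + 8*s; each sIDHistory entry is counted at 40 bytes."""
    return 1200 + sum(sid_bytes(g, user_domain) for g in groups) + 40 * sid_history


def build_memberships(model: str, n_resources: int, user_domain: str, resource_domain: str) -> List[Group]:
    """Groups a user is put in when n_resources shares are permissioned under one model.

    Global groups must live in the user's domain (they take no members from elsewhere);
    domain local groups must live in the resource domain (they are only usable there);
    universal groups are assumed (example assumption) to be created in the resource domain.
    """
    groups: List[Group] = []
    for i in range(n_resources):
        share = f"fs01_share{i:02d}_md"  # constructed share names, per the page's example
        if model == "A-DL-P":
            groups.append(Group(f"l_{share}", Scope.DOMAIN_LOCAL, resource_domain))
        elif model == "A-G-P":
            groups.append(Group(f"g_{share}", Scope.GLOBAL, user_domain))
        elif model == "A-U-P":
            groups.append(Group(f"u_{share}", Scope.UNIVERSAL, resource_domain))
        elif model == "A-G-DL-P":
            groups.append(Group(f"g_{share}", Scope.GLOBAL, user_domain))
            groups.append(Group(f"l_{share}", Scope.DOMAIN_LOCAL, resource_domain))
        else:
            raise ValueError(f"unknown model {model!r}")
    return groups


def compare_models(n_resources: int, user_domain: str, resource_domain: str) -> Dict[str, int]:
    """Estimated token size for each model when the user has access to n_resources shares."""
    return {
        m: estimate_token_size(build_memberships(m, n_resources, user_domain, resource_domain), user_domain)
        for m in MODELS
    }


def max_resources(model: str, user_domain: str, resource_domain: str, limit: int = MAX_TOKEN_SIZE_LEGACY) -> int:
    """Largest number of shares a user may be permissioned on before the token exceeds `limit`."""
    per_resource = estimate_token_size(build_memberships(model, 1, user_domain, resource_domain), user_domain) - 1200
    return (limit - 1200) // per_resource


if __name__ == "__main__":
    # Constructed example domains: single-domain case, then a child-domain user hitting a root-domain file server.
    for user_dom, res_dom in (("corp.example.com", "corp.example.com"), ("emea.corp.example.com", "corp.example.com")):
        print(f"user in {user_dom}, resources in {res_dom}, 100 shares:")
        for model, size in compare_models(100, user_dom, res_dom).items():
            fits = "ok" if size <= MAX_TOKEN_SIZE_LEGACY else "exceeds legacy 12000"
            print(f"  {model:9} {size:6d} bytes  {fits}; max shares under 12000: "
                  f"{max_resources(model, user_dom, res_dom)}")
```

With 100 shares the A-G-P model needs about 2000 bytes, A-DL-P about 5200 and A-G-DL-P about 6000; the universal model costs 2000 bytes while the user and the groups share a domain but jumps to 5200 once the user sits in another domain of the forest. Under the legacy 12000-byte default, A-G-DL-P runs out of room at roughly 225 shares, which is why the wizard's resource groups should not be reused for anything else.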