Documentation for Access Rights Manager

Set the AD group types for the Group Wizard

In the Change Configuration - File server window, select a domain group type in the Basic Settings box.

You can access this window in the File server change configuration.

You can select one of the following Active Directory (AD) group models, each described in its own section below.

You can also create global groups within the account domain.

After you select a model and save the configuration, you cannot change the model.

For more information about using Active Directory (AD) groups, see Understanding Groups on the Microsoft Learn website at learn.microsoft.com.

Use local AD groups

A > DL > P

A Account (user account)
DL Domain local group (local AD group)
P Permission

When you select Local, ARM creates domain local AD groups, adds the required users to the group, and then assigns permissions to the file server resources for this group.

The following table describes the pros and cons for selecting the local group.

Advantages:
Users and groups from other domains or forests can be members of a local AD group and be assigned permissions.

Disadvantages:
Membership in a local group requires 40 bytes of storage in the Kerberos token. This can cause the maximum permitted Kerberos token size to be exceeded, especially in large environments where users have a large number of group memberships.
Local AD groups are only visible and usable in the corresponding domain.

Use global AD groups

A > G > P

A Account (user account)
G Global group (global AD group)
P Permission

When you select Global, ARM creates the global AD groups, adds the required users to the group, and assigns permissions to file server resources for this group.

The following table describes the advantages and disadvantages for selecting the global AD group.

Advantages:
Membership in a global AD group requires 8 bytes of storage space in the Kerberos token.
This is the most frugal group type. If you are having issues with Kerberos token limits, global may be a good choice.

Disadvantages:
Only users and groups of the corresponding domain can be members of global AD groups. As a result, this approach is unsuitable for multi-domain environments.

Use universal AD groups

A > U > P

A Account (user account)
U Universal group (universal AD group)
P Permission

When you select Universal, ARM creates the universal AD groups, adds the required users to the group, and assigns permissions to file server resources for this group.

The following table describes the advantages and disadvantages for selecting the universal AD group.

Advantages:
Membership in a universal group requires 8 bytes (foreign domain) or 40 bytes (own domain) of storage in the Kerberos token. A universal group can be a member in foreign domains as long as these belong to the same forest. As a result, it is possible to use a group in multiple domains within the same forest.

Disadvantages:
Universal AD groups may not have local AD groups as members. Nested grouping (parent/child relationships) is part of this restriction.
Universal groups cannot be used across multiple forests. As a result, this approach is unsuitable in multi-forest environments.

Use local and global AD groups

A > G > DL > P

A Account (user account)
G Global group (global AD group)
DL Domain local group (local AD group)
P Permission

Consider all groups created by the group wizard as file server resource groups. Avoid using these groups for other purposes (for example, VPN access).

When you select Local and global, ARM creates the global AD groups and adds the required users to them. Next, ARM creates a local group and nests the groups: the global group (child) becomes a member of the local group (parent). ARM then gives the local group access rights to the file server resources.

For example:

"Sam Sales" (A) -> "g_fs01_share01_sales_md" (G) -> "l_fs01_share01_sales_md" (DL) -> permission (P) "Modify" on the folder "Sales".

Create global groups within the account domain

When you select the checkbox (recommended), the global group is created in all domains that contain members. Only by activating this option can you assign access rights across multiple domains.

When you deselect the checkbox, the global group is created only in the domain where the resources are located. In this configuration, you cannot assign access rights across multiple domains.

The following table describes the advantages and disadvantages for selecting this option.

Advantages:
The A-G-DL-P principle ensures a variety of different options and approaches in multi-domain and multi-forest environments.

Disadvantages:
Users require two or more group memberships for their permissions. As a result, this approach may lead to issues with token size.
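The following is an added example (not ARM's own code) that models the A-G-DL-P chain from the section above together with the "create global groups within the account domain" option: it checks the nesting rules this page states for global and domain local groups, resolves nested memberships, and adds up the per-membership Kerberos token cost the page gives (8 bytes per global group, 40 bytes per domain local group). Domain names (corp.example, eu.example) and the second user are constructed for the sample.

```python
from dataclasses import dataclass, field
# Per-membership Kerberos token cost as stated on this page: global 8 bytes, domain local 40 bytes.
TOKEN_BYTES = {"global": 8, "domainlocal": 40}

@dataclass
class Group:
    name: str
    domain: str
    scope: str                                 # "global" or "domainlocal"
    members: set = field(default_factory=set)  # user names or group keys

    @property
    def key(self):
        return f"{self.domain}\\{self.name}"

def nesting_errors(groups, users):
    """Rule from this page: a global group may only hold accounts and groups
    of its own domain; a domain local group may hold members of any domain."""
    errors = []
    for g in groups.values():
        for m in g.members:
            member_domain = groups[m].domain if m in groups else users[m]
            if g.scope == "global" and member_domain != g.domain:
                errors.append(f"{g.key}: member {m} is from {member_domain}")
    return errors

def effective_groups(user, groups):
    """All groups the user belongs to, following parent/child nesting."""
    found, todo = set(), [user]
    while todo:
        current = todo.pop()
        for g in groups.values():
            if current in g.members and g.key not in found:
                found.add(g.key)
                todo.append(g.key)
    return found

def token_bytes(user, groups):
    """Bytes the user's memberships add to the Kerberos token."""
    return sum(TOKEN_BYTES[groups[k].scope] for k in effective_groups(user, groups))

# Constructed sample: the chain from this page plus a second account domain (eu.example,
# made up) that gets its own global group, as the account-domain option creates it.
USERS = {"Sam Sales": "corp.example", "Eva Sales": "eu.example"}
GROUPS = {g.key: g for g in [
    Group("g_fs01_share01_sales_md", "corp.example", "global", {"Sam Sales"}),
    Group("g_fs01_share01_sales_md", "eu.example", "global", {"Eva Sales"}),
    Group("l_fs01_share01_sales_md", "corp.example", "domainlocal",
          {"corp.example\\g_fs01_share01_sales_md",
           "eu.example\\g_fs01_share01_sales_md"}),
]}
```

Both users end up with two memberships (one global, one domain local), which is the token-size cost the table above warns about; placing a user from eu.example directly into the corp.example global group would be reported by nesting_errors.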