Use global AD groups

A -> G -> P

A - account (user account)

G - global group (global AD-group)

P - permission


1. 8MAN creates AD groups of the type global.

2. 8MAN adds the required users to this group.

3. 8MAN assigns permissions to file server resources for this group.






Membership in a global AD-group requires 8 bytes of storage space in the Kerberos token.

This is the most "frugal" group-type, in case you are having issues with Kerberos token limits.


Only users and groups from the group's own domain can be members of a global AD-group, so this approach is unsuitable for multi-domain environments.
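
The A -> G -> P steps above, done by hand with the ActiveDirectory PowerShell module, including a check for the same-domain restriction. This is an added example, not 8MAN's own code; the group name, OU, member DNs and share path are constructed placeholders.

```powershell
Import-Module ActiveDirectory

# Constructed sample values (assumptions, not from 8MAN).
$groupName = 'G_FS_Projects_Modify'
$groupOu   = 'OU=Groups,DC=example,DC=com'
$folder    = '\\fileserver\projects'
$memberDns = @(
    'CN=Alice Example,OU=Staff,DC=example,DC=com',
    'CN=Bob Example,OU=Staff,DC=child,DC=example,DC=com'   # other domain: must be rejected
)

$domain = Get-ADDomain

# Returns the domain part of a DN (its DC= components only), so a child
# domain is not mistaken for its parent by a simple suffix match.
function Get-DomainDn([string]$dn) {
    (($dn -split '(?<!\\),') | Where-Object { $_ -match '^DC=' }) -join ','
}

# G: create the global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $groupOu
}

# A: add accounts, skipping any that are not in the group's own domain.
foreach ($dn in $memberDns) {
    if ((Get-DomainDn $dn) -ne $domain.DistinguishedName) {
        Write-Warning "Skipped (not in $($domain.DNSRoot)): $dn"
        continue
    }
    Add-ADGroupMember -Identity $groupName -Members $dn
}

# P: grant the group Modify on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$($domain.NetBIOSName)\$groupName", 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm the scope and the resulting access control entry.
Get-ADGroup -Identity $groupName | Select-Object Name, GroupScope
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" }
```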