Using local and global AD groups


A -> G -> DL -> P

A - account (user-account)

G - global group (global AD-group)

DL - domain local group (local AD-group)

P - permission

 

Consider all groups created by the group wizard as file server resource groups. You should not use these groups for other purposes (for example: VPN access).

 


 

1. 8MAN creates a group of the type global for users.

2. 8MAN adds the desired users to the global group.

3. 8MAN creates another group of the type local.

4. 8MAN nests the group. The global group (child) becomes a member of the local group (parent).

5. 8MAN gives the local group access rights to file server resources.

 

Example

"Sam Sales" (A) -> "g_fs01_share01_sales_md" (G) -> "l_fs01_share01_sales_md" (DL) -> permission (P) "Modify" on the folder "Sales".





 

Option enabled (recommended)

A global group is created in every domain in which members are located (so possibly multiple times). Only with this option enabled can you assign access rights across multiple domains.

 

Option disabled

The global group is only created in the domain that the resource is located in. In this scenario it is not possible to assign access rights across multiple domains.

 

 

Advantages

The A-G-DL-P principle ensures a variety of different options and approaches in multi-domain and multi-forest environments.

Disadvantages

Users require two or more group memberships for their permissions. Therefore this approach may lead to issues with token size.
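
The chain and the token-size concern described above can be checked offline. The following is an added example, not part of the 8MAN documentation or product: it models the page's "Sales" groups plus a constructed "HR" deviation, reports where an ACL or group breaks A -> G -> DL -> P, and applies Microsoft's published token-size estimate (1200 + 40d + 8s bytes). The function names and the HR data are assumptions.

```python
# Added example, not 8MAN code. Group names for "Sales" come from the page;
# the "HR" entries are constructed to show a deviation from A -> G -> DL -> P.
GROUPS = {  # group name -> (scope, members); anything not listed is an account (A)
    "g_fs01_share01_sales_md": ("G", ["Sam Sales"]),
    "l_fs01_share01_sales_md": ("DL", ["g_fs01_share01_sales_md"]),
    "l_fs01_share02_hr_re": ("DL", ["Hannah HR"]),  # constructed: account directly in DL
}
ACL = {  # folder -> [(trustee, permission)]
    "Sales": [("l_fs01_share01_sales_md", "Modify")],
    "HR": [("l_fs01_share02_hr_re", "Read"), ("Hannah HR", "Modify")],
}

def scope_of(name, groups):
    """Return "G" or "DL" for a known group, "A" for anything else (an account)."""
    return groups[name][0] if name in groups else "A"

def agdlp_violations(groups, acl):
    """List every place where the chain is not A -> G -> DL -> P."""
    findings = []
    for folder, entries in acl.items():
        for trustee, perm in entries:
            if scope_of(trustee, groups) != "DL":
                findings.append(f"{folder}: {perm} granted directly to {trustee}")
    for name, (scope, members) in groups.items():
        for member in members:
            if scope == "DL" and scope_of(member, groups) != "G":
                findings.append(f"{name}: member {member} is not a global group")
    return sorted(findings)

def memberships(user, groups):
    """Resolve direct and nested group memberships of an account."""
    held, frontier = set(), {user}
    while frontier:
        frontier = {g for g, (_, m) in groups.items()
                    if g not in held and frontier & set(m)}
        held |= frontier
    return held

def effective_permissions(user, groups, acl):
    """Return {folder: [permissions]} reachable by the user directly or via groups."""
    trustees = memberships(user, groups) | {user}
    return {f: sorted(p for t, p in e if t in trustees)
            for f, e in acl.items() if any(t in trustees for t, _ in e)}

def estimated_token_size(user, groups):
    """Microsoft's estimate: 1200 + 40*d + 8*s bytes (d = domain local, s = global)."""
    held = memberships(user, groups)
    d = sum(scope_of(g, groups) == "DL" for g in held)
    s = sum(scope_of(g, groups) == "G" for g in held)
    return 1200 + 40 * d + 8 * s
```

Each resource permission granted through the full chain adds one global and one domain local group, so the estimate grows by 48 bytes per permission.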