Use universal AD groups

A -> U -> P

A - account (user account)

U - universal group (universal AD group)

P - permission (on the file server resource)




1. 8MAN creates AD groups with the scope universal.

2. 8MAN adds the required users to this group.

3. 8MAN assigns permissions on the file server resources to this group (never to the user account directly).
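The same three steps performed by hand with the ActiveDirectory module, as an added example (this is not 8MAN code and not the product's internal procedure). The group name, OU, domain prefix, member accounts and share path are assumed placeholders; the final loop is the check a practitioner wants before handing the group over: the scope really is universal and no domain local group has been nested into it.

```powershell
# Added example, not from 8MAN: A -> U -> P provisioning done manually.
# All names below are assumptions for illustration.
Import-Module ActiveDirectory

$DomainNetbios = 'CORP'                                     # assumed NetBIOS domain name
$GroupName     = 'FS-Projects-RW'                           # assumed group name
$GroupOU       = 'OU=FileServerGroups,DC=corp,DC=example'   # assumed OU for resource groups
$Members       = @('alice', 'bob')                          # assumed sAMAccountNames (A)
$SharePath     = '\\fs01\Projects'                          # assumed file server resource (P)

# 1. Create the group (U) with universal scope. Only the scope makes the group
#    usable for accounts and permissions in every domain of the forest.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName `
                -GroupScope Universal `
                -GroupCategory Security `
                -Path $GroupOU `
                -Description "Modify on $SharePath"
}

# 2. Put the accounts (A) into the universal group (U).
Add-ADGroupMember -Identity $GroupName -Members $Members

# 3. Grant the permission (P) to the group. The user accounts never appear in the ACL.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$DomainNetbios\$GroupName",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl = Get-Acl -Path $SharePath
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Check: scope is universal and no domain local group got nested in by mistake.
$group = Get-ADGroup -Identity $GroupName -Properties GroupScope
if ("$($group.GroupScope)" -ne 'Universal') {
    throw "$GroupName has scope $($group.GroupScope), expected Universal"
}
foreach ($member in Get-ADGroupMember -Identity $GroupName) {
    if ($member.objectClass -eq 'group') {
        $nested = Get-ADGroup -Identity $member.DistinguishedName -Properties GroupScope
        if ("$($nested.GroupScope)" -eq 'DomainLocal') {
            Write-Warning "$($nested.Name) is domain local and cannot be a member of a universal group"
        }
    }
}
```

Run it once per resource group on a machine with RSAT installed and an account that may create groups in the OU and change the ACL on the share. The `Set-Acl` call replaces the DACL with the modified copy, so keep the `Get-Acl` directly before it to avoid overwriting entries somebody else added in between.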






Every group membership takes up space in the user's Kerberos token. A universal group from the user's own domain is stored as a RID only and costs 8 bytes; a universal group from a foreign domain is stored as a full SID and costs 40 bytes. A universal group can contain accounts and groups from any domain of the forest and can be granted permissions in any domain of the forest, so a single group can be used in multiple domains within the same forest.
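The token-size cost matters for users in many groups across a forest. The following added example (not 8MAN code) estimates a user's token size with the sizing rule from Microsoft KB 327825, TokenSize = 1200 + 40·d + 8·s, where d counts groups stored as full SIDs (domain local groups, and universal groups from a domain other than the user's account domain) and s counts groups stored as RIDs (global groups, and universal groups from the user's own domain). The group list at the bottom is constructed sample data; with RSAT the function can be fed the output of `Get-ADPrincipalGroupMembership` instead.

```powershell
# Added example, not from 8MAN: estimate Kerberos token size from group memberships.
# Rule from Microsoft KB 327825: TokenSize = 1200 + 40 * d + 8 * s
#   d = domain local groups + universal groups outside the user's account domain (full SID, 40 bytes)
#   s = global groups + universal groups inside the user's account domain (RID only, 8 bytes)
function Get-TokenSizeEstimate {
    param(
        [Parameter(Mandatory)][string]$UserDomainDn,   # e.g. 'DC=corp,DC=example'
        [Parameter(Mandatory)][object[]]$Groups        # objects with GroupScope and DistinguishedName
    )
    $d = 0
    $s = 0
    foreach ($g in $Groups) {
        # The group's domain is the DC= tail of its distinguished name.
        $groupDomainDn = ($g.DistinguishedName -split ',(?=DC=)', 2)[1]
        $sameDomain    = ($groupDomainDn -eq $UserDomainDn)
        switch ("$($g.GroupScope)") {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
            default       { Write-Warning "unknown scope '$($g.GroupScope)' for $($g.DistinguishedName)" }
        }
    }
    [pscustomobject]@{
        FullSidGroups  = $d
        RidOnlyGroups  = $s
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

# Constructed sample: a user in DC=corp,DC=example who is in two universal groups
# of the own domain (8 bytes each) and one universal group of a foreign forest domain (40 bytes).
$sampleGroups = @(
    [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = 'CN=FS-Projects-RW,OU=Groups,DC=corp,DC=example' }
    [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = 'CN=FS-Finance-R,OU=Groups,DC=corp,DC=example' }
    [pscustomobject]@{ GroupScope = 'Universal';   DistinguishedName = 'CN=FS-Shared-R,OU=Groups,DC=emea,DC=corp,DC=example' }
    [pscustomobject]@{ GroupScope = 'Global';      DistinguishedName = 'CN=Domain Users,CN=Users,DC=corp,DC=example' }
    [pscustomobject]@{ GroupScope = 'DomainLocal'; DistinguishedName = 'CN=Print Operators,CN=Builtin,DC=corp,DC=example' }
)
# Expected: FullSidGroups 2, RidOnlyGroups 3, EstimatedBytes 1200 + 80 + 24 = 1304
Get-TokenSizeEstimate -UserDomainDn 'DC=corp,DC=example' -Groups $sampleGroups

# Against a real directory (RSAT, assumed account name):
# Get-TokenSizeEstimate -UserDomainDn 'DC=corp,DC=example' `
#     -Groups (Get-ADPrincipalGroupMembership -Identity alice)
```

The estimate covers only direct memberships as returned by the cmdlet; nested group expansion and SID history add further entries, so treat the result as a lower bound when comparing it with the MaxTokenSize configured on the domain's servers.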


A universal AD group may not have domain local AD groups as members. This restriction also covers nested groups (parent-child relationships): a domain local group cannot be nested into a universal group at any level. Universal groups may contain user accounts, global groups and other universal groups from any domain of the forest.

Universal groups cannot contain members from another forest and therefore cannot be used across forest boundaries. This approach is consequently unsuitable for multi-forest environments.