Best practice authorization group type in AD

On request, migRaven creates in Active Directory all the groups needed for the file system permissions. Below is a brief guide/recommendation for choosing the right group type.

These three types are available:

- domain local groups,
- universal groups and
- global groups.

Choosing the right group type depends on whether you work with one or more domains and on the group type of your user groups. The available group types differ in which groups they can contain, whether they can contain groups from other domains, and how many bytes each group occupies in the logon token.

Only one domain

With only one domain, global or universal groups make sense: both occupy only 8 bytes in the Kerberos token and can contain global groups, the usual type for user groups. Global groups can only contain other global groups, so if you want to use them, first check that all your user groups are global. Universal groups have the advantage of accepting both universal and global groups, including those from subdomains. The main disadvantage of domain local groups is that each occupies 40 bytes in the logon token.

Multiple domains in a forest

When working with multiple domains in a forest, global groups are not suitable as permission groups because they cannot contain groups from other domains. Here, domain local or universal groups can be used. Universal groups from other domains occupy 40 bytes in the Kerberos token; domain local groups always occupy 40 bytes. A disadvantage of universal groups is that their membership is replicated to the forest's global catalog, which increases replication load.
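The byte costs given in the single-domain and multi-domain sections above (8 bytes for global groups and for universal groups of the user's own domain, 40 bytes for domain local groups and for universal groups from other domains) can be checked per user. The following PowerShell script is an added example, not migRaven's own code; it assumes the RSAT ActiveDirectory module, read access to the domain, and a reachable global catalog. It reads the user's tokenGroups attribute (the groups, including nested ones, that actually end up in the token) and applies the per-group costs from the text, plus the fixed overhead from Microsoft's token-size estimate.

```powershell
# Added example (not part of migRaven): estimate how much of a user's Kerberos
# token is consumed by group memberships, using the byte costs from the text.
# Assumes the RSAT ActiveDirectory module and a global catalog in the forest.
Import-Module ActiveDirectory

function Get-TokenGroupCost {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # tokenGroups holds the SIDs of all groups that will land in the token,
    # including groups reached through nesting.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $ownDomainSid = (Get-ADDomain).DomainSID.Value      # groups from this domain are the "cheap" ones
    $gc = "$((Get-ADForest).Name):3268"                  # global catalog resolves groups from other forest domains

    $rows = foreach ($sid in $user.tokenGroups) {
        $group = Get-ADGroup -Identity $sid.Value -Server $gc -ErrorAction SilentlyContinue
        if (-not $group) { continue }                    # SIDs that are not AD group objects are skipped
        $sameDomain = $sid.Value.StartsWith("$ownDomainSid-")
        $bytes = switch ([string]$group.GroupScope) {
            'Global'      { 8 }                          # always 8 bytes
            'Universal'   { if ($sameDomain) { 8 } else { 40 } }   # 8 in own domain, 40 from other domains
            'DomainLocal' { 40 }                         # always 40 bytes
        }
        [pscustomobject]@{
            Group      = $group.Name
            Scope      = [string]$group.GroupScope
            SameDomain = $sameDomain
            Bytes      = $bytes
        }
    }

    $groupBytes = ($rows | Measure-Object -Property Bytes -Sum).Sum
    [pscustomobject]@{
        User           = $SamAccountName
        GroupCount     = @($rows).Count
        GroupBytes     = $groupBytes
        # Microsoft's published estimate adds roughly 1200 bytes of fixed overhead
        # to the per-group costs (token size ~ 1200 + 40*d + 8*s).
        EstimatedToken = 1200 + $groupBytes
        Details        = $rows
    }
}

# Usage (account name is a placeholder): show the 40-byte entries that drive token growth.
# $r = Get-TokenGroupCost -SamAccountName 'PLACEHOLDER-user'
# $r | Select-Object User, GroupCount, GroupBytes, EstimatedToken
# $r.Details | Where-Object Bytes -eq 40 | Sort-Object Scope | Format-Table
```

The estimate covers the domain local groups of the user's own domain only; when the user accesses a resource in another domain, that domain's domain local groups are added to the service ticket by its own KDC and would need to be counted there. Running this over a sample of users before migRaven generates the permission groups shows how much headroom is left if domain local groups (40 bytes each) are chosen.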

Integration of external trusting forests or domains

When working with domains in external trusting forests, only domain local groups can be used as permission groups. Universal groups can contain members from all domains of the forest, but not from external trusting domains.

Group nesting across subdomains and foreign trusted forests

Group nesting matrix (figure): the table shows which user group types can be nested in which permission group types. It makes it easy to see how the use of subdomains and foreign trusted forests affects the choice of the appropriate group type for the permission groups.
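The nesting rules summarised in the matrix (global groups accept only global groups and accounts from their own domain; universal groups accept global and universal groups and accounts from any domain in the forest but no domain local groups and no foreign security principals; domain local groups accept all of these plus foreign security principals from trusted forests, with domain local groups only from their own domain) can be verified against an existing permission group. The script below is an added example, not migRaven's own code; it assumes the RSAT ActiveDirectory module and a reachable global catalog, and the permission group name in the usage line is a placeholder.

```powershell
# Added example (not part of migRaven): report every member of a permission group
# whose type or domain is not allowed by the permission group's scope.
# Assumes the RSAT ActiveDirectory module and a global catalog in the forest.
Import-Module ActiveDirectory

function Get-DnDomain {
    # Return the "DC=...,DC=..." suffix of a distinguished name, i.e. the object's domain.
    param([string] $Dn)
    return ($Dn -split ',(?=DC=)', 2)[-1]
}

function Test-PermissionGroupNesting {
    param(
        [Parameter(Mandatory)] [string] $PermissionGroup,           # name, SAM account name or DN
        [string] $Server = "$((Get-ADForest).Name):3268"            # global catalog: resolves members from other forest domains
    )
    $parent = Get-ADGroup -Identity $PermissionGroup -Properties member
    $parentDomain = Get-DnDomain $parent.DistinguishedName

    foreach ($memberDn in $parent.member) {
        $sameDomain = (Get-DnDomain $memberDn) -eq $parentDomain
        # Members from an external trusted forest appear as foreign security principals.
        if ($memberDn -match ',CN=ForeignSecurityPrincipals,') {
            $memberScope = 'ForeignSecurityPrincipal'
        } else {
            $g = Get-ADGroup -Identity $memberDn -Server $Server -ErrorAction SilentlyContinue
            if ($g) { $memberScope = [string]$g.GroupScope }      # Global / Universal / DomainLocal
            else    { $memberScope = 'Principal' }                 # user or computer account
        }

        # Nesting rules per scope of the permission (parent) group.
        $allowed = switch ([string]$parent.GroupScope) {
            'DomainLocal' { ($memberScope -ne 'DomainLocal') -or $sameDomain }
            'Universal'   { $memberScope -notin 'DomainLocal', 'ForeignSecurityPrincipal' }
            'Global'      { $sameDomain -and ($memberScope -in 'Global', 'Principal') }
        }

        [pscustomobject]@{
            PermissionGroup = $parent.Name
            ParentScope     = [string]$parent.GroupScope
            Member          = $memberDn
            MemberScope     = $memberScope
            SameDomain      = $sameDomain
            Allowed         = $allowed
        }
    }
}

# Usage (group name is a placeholder): list only the memberships that violate the nesting rules.
# Test-PermissionGroupNesting -PermissionGroup 'PLACEHOLDER-PermissionGroup' | Where-Object { -not $_.Allowed }
```

Active Directory itself refuses most invalid nestings at the time a member is added, but the check is still useful when a group's scope is to be changed afterwards (for example from global to universal when a second domain is introduced), because the report shows which existing members would block or be broken by the change.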

Permanent link to this post: https://help.migraven.com/best-practice-berechtigungsgruppen-typ-im-ad/
