SSSD has a feature named auto private groups [1] that generates a synthetic private group per user. This makes it possible to follow the convention many Linux distributions use, where each user's primary group is a group named after the user. It avoids having to create a group for each user and manually set it as their primary group in AD, so there is no need to pollute the AD domain with private groups. It also removes the need to change users' umask on those servers to avoid leaking data to the Domain Users group when administrators do not properly set primary groups.

[1] https://docs.pagure.org/SSSD.sssd/design_pages/auto_private_groups.html
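The following audit sketch is an added example, not code from the SSSD project: it reads an `sssd.conf`, finds AD domains, and reports whether `auto_private_groups` is enabled or whether the host umask would leave new files accessible to the shared AD primary group. The domain names, the sample file and the `audit` function name are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; the domain names are placeholders.
SAMPLE_CONF = """\
[sssd]
domains = corp.example.com, lab.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
auto_private_groups = true

[domain/lab.example.com]
id_provider = ad
"""


def audit(conf_text, umask):
    """Return {domain: (auto_private_groups value, finding)} for AD domains."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Group permission bits a new regular file keeps under this umask (base 0666).
    group_bits = (0o666 & ~umask) & 0o070
    results = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ad":
            continue
        # Only the explicit setting is reported. When the option is absent the
        # effective default depends on the SSSD version and is not resolved
        # here, so "unset" is flagged for review like "false" and "hybrid".
        value = cp.get(section, "auto_private_groups", fallback="unset").strip().lower()
        if value == "true":
            finding = "ok: primary group is a per-user private group"
        elif group_bits:
            finding = ("review: new files get group mode %o for the AD primary group"
                       % (group_bits >> 3))
        else:
            finding = "ok: umask removes all group access"
        results[section.split("/", 1)[1]] = (value, finding)
    return results


if __name__ == "__main__":
    for domain, (value, finding) in audit(SAMPLE_CONF, 0o002).items():
        print(domain, value, finding)
```

With umask 002, the value distributions that use private groups commonly ship, the domain without the option is flagged because new files would be group-writable by whatever primary group AD assigns.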