Looking for more info on group mapping

We're migrating to a new multi tenant domain.  Presently we use a domain group for IBM MQ Series access.  Concern has been that we don't want the single group that can live in a unified multi-tentant environment to allow users that don't have legitimate need access to mq admin function.  Accordingly, while reading in the 5.0.7 SAS admin guide, I came upon group substitution, and also found some info messages displayed when I displayed status of one of our hosts that made me think SAS might already have some straight accomodations that will work.  Accordingly the questions below are something I'm wondering about.  

- When I did a 'vastool status' two messages were displayed that spoke of FAILURE: 608 PAM ... not configured for QAS with <ibmmq><account> and <ibmmq><auth> in them.  This leads me to think there may be some accommadtion for MQ built into the product.  I've not found my way to any documentation on your web site or searching with Google.  Please comment / point me in the right direction. 

- I came upon a group-override.sample file in one of your config directories that leads me to believe that may be an additional option, but documentation on or about p 81 of the guide is very scant.  I believe we could map for examle DOMAIN\Tenant1MQAdmins:mqm:14141414: in the group-override file and that would equate Tenant1MQAdmins group to localGroup(mqm) with GID(14141414) and not alter membership of the group.  I also infer that we could override membership but am unclear on whether that would be done by ID or UID.  Further, I have the question of what would happen to mapping of the domain group(mqm) under this scenario.  Does the mapping in the file prevent any usage fo the domain group mqm?  I also note pages prior to that discuss controlling what groups can be used through what looks like power shell commands that must be a part of the tooling that gets installed on an AD server.  I'm not an AD or powershell guru, so I"m unclear on that.  Do I understand that correctly?  Is there more detail on what the scope of those commands is?  are they across the whole AD domain, or are they just applicable to one host at a time?