Managing users and computers within a Windows enterprise network makes up a large portion of a domain administrator's or helpdesk technician's day-to-day job role. Groups within Active Directory provide a single point of management for users or computers, which eases the burden of managing identities.
Two group types are available within Active Directory when creating a group. Security Groups are the type that can be granted permissions on the access control lists of files, folders or other resources. The second type, the distribution group, is used only for sending email to groups of users and cannot be placed on an ACL.
Nesting groups is an important consideration when planning to implement groups; nesting is the process of adding groups to other groups to aid in the management of identities. A convention exists for the way in which to nest groups within one another; it was formerly known as AGDLP (accounts, global, domain local, permissions) and is now known as IGDLA:
Nesting Best Practices
IGDLA - Nesting groups within a single domain
Identities (computers or users) are added to Global groups (which usually represent a business role); Global groups are added to Domain Local groups (which can hold more membership types, including groups from other trusted domains); Domain Local groups are then placed on the Access control list of a file, folder or other resource. Because the ACL entry refers only to the Domain Local group, a change of role is handled by moving the identity between Global groups, without touching the resource permissions.
IGUDLA - Nesting groups within a multi domain forest
Nesting groups within a multi domain forest follows the same strategy as nesting within a single domain. The one difference is the inclusion of a Universal group, which sits between the Global and Domain Local groups: Global groups from each domain are added to the Universal group, and the Universal group is added to the Domain Local group in the domain that holds the resource.
Tip – Global groups can contain Users, Computers and other Global groups from their own domain only. No group from a child domain or trusted domain can be added to a Global group.
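The following PowerShell is an added example, not part of the original article, showing the IGDLA chain from the single-domain section (identity into Global group, Global group into Domain Local group, Domain Local group on the resource ACL) together with the Universal-group step from the multi domain forest section, using the Microsoft ActiveDirectory module. Every name in it (the domain CORP / corp.example, the OU path, the user jsmith, the group names and the share path) is an assumption for illustration and must be replaced with your own. The audit function at the end lists Domain Local security groups that contain users directly, which is the common way an IGDLA design drifts in practice.

```powershell
# Added example (not from the original article). Assumed names throughout.
Import-Module ActiveDirectory

$ou       = 'OU=Groups,DC=corp,DC=example'   # assumed OU that holds the groups
$gg       = 'GG-Finance-Users'               # Global group: business role
$dl       = 'DL-FinanceShare-Modify'         # Domain Local group: one permission on one resource
$folder   = '\\fileserver01\Finance'         # assumed resource
$identity = 'jsmith'                         # assumed user sAMAccountName
$netbios  = 'CORP'                           # assumed domain NetBIOS name

# I -> G : identities are members of the Global group
New-ADGroup -Name $gg -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $gg -Members $identity

# G -> DL : the Global group is a member of the Domain Local group
New-ADGroup -Name $dl -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $dl -Members $gg

# DL -> A : only the Domain Local group appears on the resource ACL
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$netbios\$dl", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Multi domain forest variant (IGUDLA): a Universal group sits between G and DL.
# Global groups from each domain go into the Universal group; the Universal group
# goes into the Domain Local group of the domain that owns the resource.
# New-ADGroup -Name 'UG-Finance-Users' -GroupScope Universal -GroupCategory Security -Path $ou
# Add-ADGroupMember -Identity 'UG-Finance-Users' -Members $gg
# Add-ADGroupMember -Identity $dl -Members 'UG-Finance-Users'

# Verify the chain: the user should resolve as an effective member of the DL group
Get-ADGroupMember -Identity $dl -Recursive | Select-Object Name, SamAccountName, objectClass

# Audit: Domain Local security groups that hold users directly bypass the Global
# (role) layer, so a role change no longer removes the access. Report them.
function Get-DirectUserMembership {
    param([string]$SearchBase = $ou)
    Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -SearchBase $SearchBase |
        ForEach-Object {
            $group = $_
            Get-ADGroupMember -Identity $group |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{ Group = $group.Name; DirectUser = $_.SamAccountName }
                }
        }
}

Get-DirectUserMembership | Format-Table -AutoSize
```

Run it as an account with rights to create groups in the target OU and to change the share's NTFS permissions. The audit function returns nothing on a clean IGDLA design; any row it prints is an identity whose access will survive a change of business role until someone notices.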