Looking at your network and the various group types, and then factoring in your specific needs and what you want to accomplish, you might end up feeling as though you're working on a logic puzzle: Claire lives in a blue house, Luisa collects stamps, Sam drives a Toyota, and Ross eats cheese. Which one has red hair?
Nevertheless, as in so many other aspects of network administration, planning is the essential step. The domain mode determines the types of groups available to you. A mixed-mode domain can't support groups with universal scope. Thus, as long as you have Microsoft Windows NT backup domain controllers, you are limited to groups with global and domain local scopes. However, with some thought and the use of nesting, these two types of security groups can suffice for almost all purposes.
In planning your groups, you should determine a naming scheme that is appropriate for your organization. Two factors should be considered:
You'll need to develop a strategy for using the different groups. For example, users with common job responsibilities belong in a global group. Thus, you'd add user accounts for all graphic artists to a global group called Graphic Artists. Other users with common needs would be assigned to other global groups. Then you must identify the resources to which users need access and create a domain local group for those resources. If, for example, you have several color printers and plotters that are used by specific departments, you could make a domain local group called Printers&Plotters.
Next you should decide which global groups need access to the resources you've identified. Continuing the example, you'd add the global group Graphic Artists to the domain local group Printers&Plotters, along with other global groups that need access to the printers and plotters. Permission to use the resources in Printers&Plotters would be assigned to the Printers&Plotters domain local group.
Keep in mind that global groups can complicate administration in multiple-domain situations. Global groups from different domains must have their permissions set individually. Also, assigning users to a domain local group and granting permissions to that group does not give members access to resources outside the domain.
Remember that the nesting rules apply only in native mode. In mixed-mode domains, security groups with global scope can contain only individual accounts, not other groups. Security groups with domain local scope can contain global groups and accounts.
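The following sketch is an added example, not code from the original text: it models the Graphic Artists and Printers&Plotters design described above, checks it against the mixed-mode membership rules just stated, and expands the nesting to show which accounts end up with access. The account names, the Drafting group, the All Design group, and all function names are assumptions made for illustration.

```python
# Added planning model (not an Active Directory API); sample names are constructed.
ACCOUNT, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = "account", "global", "domain local", "universal"

# Mixed-mode membership rules as stated in the text.
MIXED_MODE_ALLOWED = {
    GLOBAL: {ACCOUNT},                # global groups: individual accounts only
    DOMAIN_LOCAL: {ACCOUNT, GLOBAL},  # domain local groups: global groups and accounts
}

def check_mixed_mode(kinds, members):
    """Return the rule violations in a proposed group design (empty list = valid)."""
    problems = [f"{name}: universal scope is unavailable in mixed mode"
                for name, kind in kinds.items() if kind == UNIVERSAL]
    for group, children in members.items():
        allowed = MIXED_MODE_ALLOWED.get(kinds[group], set())
        for child in children:
            if kinds[child] not in allowed:
                problems.append(f"{group} ({kinds[group]}) cannot contain "
                                f"{child} ({kinds[child]})")
    return problems

def accounts_with_access(group, kinds, members, seen=None):
    """Expand nesting to the accounts that inherit permissions granted to `group`."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against membership loops
        return set()
    seen.add(group)
    found = set()
    for child in members.get(group, []):
        if kinds[child] == ACCOUNT:
            found.add(child)
        else:
            found |= accounts_with_access(child, kinds, members, seen)
    return found

# Design from the text; account names and the Drafting group are constructed.
KINDS = {"claire": ACCOUNT, "luisa": ACCOUNT, "sam": ACCOUNT,
         "Graphic Artists": GLOBAL, "Drafting": GLOBAL,
         "Printers&Plotters": DOMAIN_LOCAL}
MEMBERS = {"Graphic Artists": ["claire", "luisa"], "Drafting": ["sam"],
           "Printers&Plotters": ["Graphic Artists", "Drafting"]}

# Constructed invalid variant: a global group nested inside another global group.
BAD_KINDS = dict(KINDS, **{"All Design": GLOBAL})
BAD_MEMBERS = dict(MEMBERS, **{"All Design": ["Graphic Artists"]})

if __name__ == "__main__":
    print(check_mixed_mode(KINDS, MEMBERS))
    print(sorted(accounts_with_access("Printers&Plotters", KINDS, MEMBERS)))
    print(check_mixed_mode(BAD_KINDS, BAD_MEMBERS))
```

Running the expansion against a planned design before creating the groups shows exactly which accounts a permission on the domain local group will reach, which is the check to repeat whenever a global group is added to it.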
When you're able to use universal groups (that is, when your domain is running in native mode), keep the following guidelines in mind: