This video looks at a role-based strategy for Active Directory called AGUDLP. AGUDLP can be used in multi-domain environments to give different domain administrators distributed control while still providing access to resources at the forest level.
What AGUDLP stands for
A Accounts (users and computers)
G Global Groups
U Universal Groups
DL Domain Local Groups
P Permissions
Advantages of AGUDLP
Allows administration to be divided up between different administrators in the forest. Administrators can have control at the forest level, or control can be separated out at the domain or resource level.
Since AGUDLP is a role-based strategy, when a user changes role, for example when they are promoted or transferred, their access can be changed quickly and easily by moving them between groups.
AGUDLP also makes auditing easy. By looking at group membership it can quickly be determined who has access to which resources.
Why each group is used
Global groups only contain users, computers, and other global groups from the same domain. Using a global group allows the administrator to divide up control between different domains. For example, if you wanted a sales group that had all sales users from all domains in the forest, you would first create a global group for the sales users in each domain. This allows the domain administrators in each domain to be responsible for keeping this group up to date.
Universal groups can contain users, computers, global groups and other universal groups from any domain in the forest, so the global groups from all the other domains can be made members. For example, a universal group could have as members the sales global groups from every domain. Universal group membership is stored in the global catalog and replicated to every global catalog server in the forest, so you want to keep changes to universal group membership to a minimum. Replication only happens when the membership of the universal group itself changes. Because the universal group contains global groups rather than individual users, the membership of the global groups can change without affecting the membership of the universal group; the only time the universal group has to be replicated is when a global group is added to or removed from it. (At Windows Server 2003 forest functional level and later, linked-value replication sends only the changed member rather than the whole membership list, which reduces the cost of each change, but nesting global groups is still the way to keep that churn low.)
Domain Local Group
The domain local group is the group that is placed on the resource and granted the permissions. Domain local groups can only be used on resources in the domain they were created in, though they can contain members from any domain. By using a domain local group, a domain administrator can simply add the group to the resource and configure the appropriate permissions. That administrator may not have the rights to change the membership of the global or universal groups, which means they do not control which users end up in the group, but this does not affect their ability to use the group on local resources. So a domain local group limits the scope of the group to that domain and also lets the resource side be delegated to other administrators. At this level it is easy to add or remove the universal group from any domain local group as required, which makes changing access very quick and flexible.
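To make the chain concrete, here is an added PowerShell example that is not from the video. It builds the whole AGUDLP path for a Sales role across two child domains (accounts into per-domain global groups, those into one universal group, that into a domain local group, and the domain local group onto a folder ACL) and then walks the nesting back down to individual accounts, which is the auditing advantage mentioned above. Every name in it is an assumption: the domains corp.example, emea.corp.example and apac.corp.example, the OU=Groups containers, the sample accounts jsmith, akhan and lwong, and the share \\fs01.corp.example\SalesData. It needs the ActiveDirectory RSAT module and an account with rights to create groups in each domain and to change the share's ACL.

```powershell
# Added example: build the Sales AGUDLP chain across two child domains, then audit it.
# All domain names, OUs, accounts and the share path below are hypothetical.
Import-Module ActiveDirectory

$forestRoot = 'corp.example'
$domains = @{
    'emea.corp.example' = @('jsmith', 'akhan')   # constructed sample accounts
    'apac.corp.example' = @('lwong')
}
$share = '\\fs01.corp.example\SalesData'

function ConvertTo-DomainPath {
    # "emea.corp.example" -> "OU=Groups,DC=emea,DC=corp,DC=example"
    param([string]$Domain)
    'OU=Groups,' + (($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ',')
}

# A -> G: one global group per domain, maintained by that domain's own administrators.
# A global group only holds accounts from its own domain, which is what keeps the
# delegation boundary at the domain.
$globalGroups = foreach ($domain in $domains.Keys) {
    $suffix = ($domain -split '\.')[0].ToUpper()              # EMEA / APAC
    $g = New-ADGroup -Name "G_Sales_$suffix" -GroupScope Global -GroupCategory Security `
                     -Path (ConvertTo-DomainPath $domain) -Server $domain -PassThru
    Add-ADGroupMember -Identity $g -Members $domains[$domain] -Server $domain
    $g
}

# G -> U: a single universal group in the forest root collects the per-domain global groups.
# Pass the group objects rather than names so members from other domains resolve correctly.
$rootPath = ConvertTo-DomainPath $forestRoot
$u = New-ADGroup -Name 'U_Sales_All' -GroupScope Universal -GroupCategory Security `
                 -Path $rootPath -Server $forestRoot -PassThru
Add-ADGroupMember -Identity $u -Members $globalGroups -Server $forestRoot

# U -> DL: a domain local group in the resource's domain. This is the only group the
# file server administrator ever places on an ACL.
$dl = New-ADGroup -Name 'DL_SalesData_Modify' -GroupScope DomainLocal -GroupCategory Security `
                  -Path $rootPath -Server $forestRoot -PassThru
Add-ADGroupMember -Identity $dl -Members $u -Server $forestRoot

# DL -> P: grant Modify on the folder to the domain local group by SID, inherited by
# subfolders and files. No user or global group ever appears on the ACL directly.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit: walk DL -> U -> G back down to accounts. Each member is looked up in the domain
# named by the DC= components of its own DN, so cross-domain members resolve without
# relying on Get-ADGroupMember -Recursive, which does not always follow members into
# other domains.
function Get-DomainFromDN {
    param([string]$DN)
    # split on unescaped commas so RDNs such as "CN=Smith\, John" stay intact
    (($DN -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'
}

function Get-EffectiveUsers {
    param([Parameter(Mandatory)][string]$GroupDN, [string[]]$Chain = @())
    $group = Get-ADGroup -Identity $GroupDN -Properties member -Server (Get-DomainFromDN $GroupDN)
    $path  = $Chain + $group.Name
    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Properties sAMAccountName `
                            -Server (Get-DomainFromDN $memberDN)
        if ($obj.ObjectClass -eq 'group') {
            Get-EffectiveUsers -GroupDN $memberDN -Chain $path
        } else {
            [pscustomobject]@{
                Account = $obj.sAMAccountName
                Domain  = Get-DomainFromDN $memberDN
                Via     = ($path + $obj.Name) -join ' -> '
            }
        }
    }
}

# Answer "who can modify SalesData?" starting from the group that is actually on the ACL.
Get-EffectiveUsers -GroupDN $dl.DistinguishedName | Format-Table -AutoSize
```

The Via column of the audit output shows the full nesting for each account (for example DL_SalesData_Modify -> U_Sales_All -> G_Sales_EMEA -> jsmith), which is the check a practitioner wants when someone asks why a particular user has access to a share. The G_, U_ and DL_ name prefixes are a naming convention rather than anything Active Directory enforces, but they make the scope of each group obvious when reading an ACL or a membership list.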