When designing security groups, remember the following:
Try to create a global group within each domain for each job description. Create further groupings by nesting the global groups within other global groups. These groupings will minimize the replication time, because only the base global group memberships should change on a regular basis.
Because universal group membership is replicated to all global catalog servers every time a member changes, try to keep the universal group membership static. Instead of creating redundant universal groups, use nesting whenever possible.
Usually, you only need to add global groups to the domain local groups. Placing global groups into a universal group and then adding the universal group to a domain local group is possible. However, creating a universal group solely for this purpose is not recommended, because the security needs of each global group may change.
Use domain local groups instead of global or universal groups, for greater flexibility and less complex administration.
This design allows resource owners to manage access to their resources through the domain local groups, and assistant administrators to manage the membership of the global groups. However, only Enterprise Admins can manage the membership of universal groups.
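The nesting model described above, as an added example written for this page rather than code from the original: it builds per-job global groups, nests them in a broader global group instead of a universal group, grants the resource through a domain local group, and then runs two checks. The OU path, group names and the 20-member threshold are assumed placeholders.

```powershell
# Added example (not from the original page): build the nested
# Global -> Domain Local structure with the ActiveDirectory module,
# then verify effective membership and look for universal groups
# whose churn would hit every global catalog server.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=corp,DC=example'   # assumed OU path

# 1. One global group per job description; these are the only groups
#    whose membership is expected to change on a regular basis.
New-ADGroup -Name 'GG-Finance-Analysts' -GroupScope Global `
    -GroupCategory Security -Path $groupOU
New-ADGroup -Name 'GG-Finance-Managers' -GroupScope Global `
    -GroupCategory Security -Path $groupOU

# 2. Nest the job groups in a broader global group rather than
#    creating a universal group for the same purpose.
New-ADGroup -Name 'GG-Finance-All' -GroupScope Global `
    -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'GG-Finance-All' `
    -Members 'GG-Finance-Analysts', 'GG-Finance-Managers'

# 3. One domain local group per resource permission; the ACL on the
#    resource references this group, never the global groups directly.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $groupOU
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance-All'

# Check 1: flatten the nesting to see which users actually receive
# the permission through the domain local group.
Get-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object SamAccountName

# Check 2: list universal security groups with many direct members,
# since every membership change in them is replicated to all global
# catalog servers. The threshold of 20 is an assumed review cutoff.
Get-ADGroup -Filter 'GroupScope -eq "Universal" -and GroupCategory -eq "Security"' `
    -Properties member |
    Where-Object { $_.member.Count -gt 20 } |
    Select-Object Name, @{ n = 'DirectMembers'; e = { $_.member.Count } }
```

Run the script from a machine with RSAT installed, using an account that can create groups in the target OU.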