A. In general, the best way to assign permissions is by performing the following steps:
- Assign user accounts to global groups within the user's domain.
- Place global groups from any domain into universal groups.
- Place universal groups into domain local groups on the domain controllers (DCs), and place local groups on member servers and workstations.
- Assign permissions to the domain local groups or local groups as necessary to access the network resources.
One advantage of establishing this hierarchy is that universal group memberships are unlikely to change because they contain only global groups. A good way to remember this hierarchy is to use the following mnemonic device:
All Good Users Do Love Permissions
Accounts are placed in global groups, Global groups are placed in universal groups, Universal groups are placed in domain local groups, and Domain Local groups are assigned Permissions.