nUse global groups to hold accounts as members. Give accounts access by joining them to a global group and then placing that global group into a domain local or universal group or both.
nUse domain local groups to provide access to resources in a specific domain by adding them to the ACLs of those resources.