I know that microsoft recommends AGDLP for User/Group assignment, but what is the real world advantage to Domain Local?
Why not create just Global Groups and assign them to resources?
Let's say a person from the Executive team gets demoted to the sales team. Now here comes the tediousness. You have to go to every single Executives printer and remove them. Now you have to go to every single sales printer and add them. This requires you to make 20 modifications. Very inefficient in terms of Total Cost of Ownership (TCO).
Now let's say we use the AGDLP method.
Instead, we take all 10 sales printers and add them to a Sales domain local group, 10 marketing printers and add them to a marketing domain local group, and all 10 executive printers and add them to an executives domain local group.
Sorry, I didn't mean adding a printer to a domain local group. I meant adding a domain local group to the ACL of a specific printer.
And to just put it short, you'll use domain local groups for permission management, and you'll use global groups for user management. If you want a specific global group to have permissions to an object, you can just nest them into that domain local group and now that global group has access to those objects. If you use a domain local group, you can add groups from other domains, whereas if you assigned permissions to a global group, you can't nest global groups from other domains into the global group for permission access. If you used domain local groups for permissions, you can nest global groups from other domains into that domain local group for permission access.
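The AGDLP layout from the answer above, written out as an added PowerShell example using the ActiveDirectory module (this is not code from the thread); the OU path, group names, the `jdoe` account and the `emea.corp.example` trusted domain are assumed placeholders.

```powershell
Import-Module ActiveDirectory

# Assumed OU that holds the role and resource groups.
$ou = "OU=Groups,DC=corp,DC=example"

# A -> G -> DL: for each role, one Global group for the people and one
# Domain Local group for "may print to that role's printers", then nest G into DL.
foreach ($role in "Sales", "Marketing", "Executives") {
    New-ADGroup -Name "G_${role}_Users" -GroupScope Global -GroupCategory Security -Path $ou
    New-ADGroup -Name "DL_${role}_Printers_Print" -GroupScope DomainLocal -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity "DL_${role}_Printers_Print" -Members "G_${role}_Users"
}

# DL -> P: each DL_*_Printers_Print group is granted the Print permission on its
# 10 printers exactly once (printer Security tab, GPO, or Set-Printer -PermissionSDDL).
# From here on the printer ACLs stay untouched when people change roles.

# The demotion from the answer: Executives -> Sales is two membership edits
# on the global groups instead of ~20 ACL edits on individual printers.
$user = "jdoe"   # assumed sample account
Remove-ADGroupMember -Identity "G_Executives_Users" -Members $user -Confirm:$false
Add-ADGroupMember    -Identity "G_Sales_Users"      -Members $user

# Check the effective result: the user now resolves through G_Sales_Users into the
# Sales printer permission group (-Recursive flattens the nesting).
Get-ADGroupMember -Identity "DL_Sales_Printers_Print" -Recursive |
    Select-Object SamAccountName, objectClass

# Cross-domain point from the answer: a Global group from a trusted domain can be
# nested into the Domain Local group, which a Global group could not accept.
$remoteSales = Get-ADGroup -Identity "G_Sales_Users" -Server "emea.corp.example"
Add-ADGroupMember -Identity "DL_Sales_Printers_Print" -Members $remoteSales
```

Running the final `Get-ADGroupMember -Recursive` check before the cross-domain nesting is deliberate: once foreign security principals are members, recursive enumeration can fail on some domain controllers, so audit those memberships with `Get-ADGroupMember` without `-Recursive`.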