Hey @MichaelS,
Are you thinking of IGDLA and IGUDLA?
These are acronyms for Microsoft's recommended group strategy.
Identities are any security principal, like user accounts, computer accounts, etc. Identities are added to Global groups.
G Global groups
Global groups allow us to gather up security principals that have the same access requirements. Rather than assign permissions to individual identities, we put them in a global group, and assign the access once. Global groups are added to either Universal groups or Domain local groups.
U Universal groups (in a multi-domain environment; in a single domain, skip U)
Global groups cannot contain members from other domains. So in a multi-domain environment, we might have sales users in each domain. Each domain might have a global group named "Sales Users". Both of these global groups can be added to a universal group, maybe called "All Sales Users", allowing us to only assign the access once, even when users are from multiple domains. Universal groups are added to Domain local groups.
DL Domain local groups
Domain local groups are used to assign access. They are added to the DACL on resources. For example, we might have a DL group named "Reports-Read", and another named "Reports-FullControl". Each group would be assigned the appropriate permission on the reports folder. Global groups (in a single domain environment) or Universal groups (in a multi-domain environment) are added to domain local groups, and permissions are assigned to domain local groups.
Access is the permission being assigned. It is assigned to domain local groups.
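Added example, not part of the original post: a small Python audit that checks an exported set of group memberships and ACL entries against the IGUDLA nesting described above, and resolves what each identity ends up with. The domain names `east` and `west`, the user names, and the data layout are assumptions constructed for illustration; the group names follow the post's examples.

```python
# Constructed sample data (not from a real directory): name -> (kind, domain)
PRINCIPALS = {
    "alice": ("user", "east"), "bob": ("user", "west"), "carol": ("user", "west"),
    "East Sales Users": ("global", "east"), "West Sales Users": ("global", "west"),
    "All Sales Users": ("universal", "east"),
    "Reports-Read": ("domain_local", "east"), "Reports-FullControl": ("domain_local", "east"),
}
MEMBERSHIPS = [  # (member, group)
    ("alice", "East Sales Users"),
    ("bob", "West Sales Users"),
    ("East Sales Users", "All Sales Users"),
    ("West Sales Users", "All Sales Users"),
    ("All Sales Users", "Reports-Read"),
    ("carol", "Reports-FullControl"),  # identity placed directly in a DL group
    ("bob", "East Sales Users"),       # other-domain member, only to exercise the check
]
ACL = [  # (resource, trustee, permission)
    ("reports", "Reports-Read", "Read"),
    ("reports", "Reports-FullControl", "FullControl"),
    ("reports", "West Sales Users", "Modify"),  # permission given to a global group
]
# Nesting as the post describes it: member kind -> group kinds it may join
ALLOWED = {"user": {"global"}, "computer": {"global"},
           "global": {"universal", "domain_local"},
           "universal": {"domain_local"}, "domain_local": set()}

def audit(principals, memberships, acl):
    """Return (rule, subject, target) for every deviation from IGUDLA."""
    findings = []
    for member, group in memberships:
        (mkind, mdom), (gkind, gdom) = principals[member], principals[group]
        if gkind not in ALLOWED[mkind]:
            findings.append(("nesting", member, group))
        elif gkind == "global" and mdom != gdom:
            findings.append(("cross-domain", member, group))
    for resource, trustee, _perm in acl:
        if principals[trustee][0] != "domain_local":
            findings.append(("acl-trustee", trustee, resource))
    return findings

def effective_access(user, memberships, acl):
    """Walk the nesting chain upward and collect the permissions the user ends up with."""
    seen, todo = set(), [user]
    while todo:
        node = todo.pop()
        if node not in seen:
            seen.add(node)
            todo.extend(g for m, g in memberships if m == node)
    return sorted((r, p) for r, t, p in acl if t in seen)
```

Calling `audit(PRINCIPALS, MEMBERSHIPS, ACL)` lists the three constructed deviations, and `effective_access("alice", MEMBERSHIPS, ACL)` shows Read on the reports folder arriving through the full I, G, U, DL chain.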