Learned the AGDLP/AGUDLP concept this evening. This sets a "role based" model on top of a "resource based" model for best performance in the following areas: smaller ACLs on resources improves performance, easier management in multi-domain environments, smaller token size. HOWEVER, in a single-domain environment it's OK to assign global groups to resources and put your users directly in those GGs.
Also started learning about how to setup a trust between domains & heard of the Active Directory Migration tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transtive trust lets you talk to the spouse's family and friends (other trusted domains).