I've been using a term called "Security Chain" to help customers, who have new or no IT folks, understand how Windows, Active Directory, and intra-combination thereof relate.
I.e., a local security group exists on the server as an abstraction point and an Active Directory group is a member of this local security group. This membership establishes the security chain that allows security checks to walk up the chain: first the local group, then the AD member group(s), then the members of the AD group(s), etc.
This seems to help them understand how security flows from the resource requested up the chain, but I wonder if there is a better way to help them understand that membership is NOT bi-directional, meaning adding a local group as a member of the AD group is not the same as adding the AD group as a member of the local group.
How could "security chain" be improved?
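
The direction of the chain described in the question can be shown as a small directed-graph model. This is an added example, not part of the original post and not a Windows API; the group names, user names and membership maps are constructed, and the reversed map exists only in the model to show that the edge direction matters.

```python
from collections import deque

def effective_members(group, members):
    """Every principal reached by following 'contains' edges outward from group."""
    seen, queue = set(), deque([group])
    while queue:
        current = queue.popleft()
        for child in members.get(current, ()):
            if child not in seen:          # also stops circular nesting from looping
                seen.add(child)
                queue.append(child)
    return seen

def has_access(user, acl_group, members):
    """The check starts at the group named on the resource and only expands its members."""
    return user in effective_members(acl_group, members)

# Hypothetical local group named on the resource's ACL.
ACL_GROUP = r"SERVER1\Share-Modify"

# Intended nesting: the local group CONTAINS the AD group.
FORWARD = {
    ACL_GROUP: {r"CORP\Finance-Staff"},
    r"CORP\Finance-Staff": {r"CORP\Finance-Managers", r"CORP\alice"},
    r"CORP\Finance-Managers": {r"CORP\bob"},
}

# Reversed nesting: the AD group contains the local group, so the local
# group itself has no members and the walk from the ACL finds nobody.
REVERSED = {
    r"CORP\Finance-Staff": {ACL_GROUP, r"CORP\Finance-Managers", r"CORP\alice"},
    r"CORP\Finance-Managers": {r"CORP\bob"},
}

def demo():
    users = [r"CORP\alice", r"CORP\bob", r"CORP\carol"]
    return {
        "forward": {u: has_access(u, ACL_GROUP, FORWARD) for u in users},
        "reversed": {u: has_access(u, ACL_GROUP, REVERSED) for u in users},
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
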