If a AD environment contains a large number of nested distribution groups and the users only wish to use security groups for restricting access then a large amount of time can be spent searching Distribution groups for a users membership.

Therefore a Strategy of Security Groups only that uses the retreived groups from tokenGroups should be created.