Hi Michael
I don't think there is a wrong or right way. I'm currently in the testing stages of our new ACS rollout.
What I have done is to create 3 NDGs and set them up as follows:
Location - Continent - Country - Town - Office location
Device Type - Type of device - Vendor name
Department - department who manages the device
I can then use these in my policies to allow read-only access based on device type and location. I can also use the department NDG to allow admin access to devices if it's managed by a different team other than ours.
This seems to work ok based on the bit of testing I have done so far.
Cheers
Jay