Last comment/question for the night...
It appears that group types are available to all subsites, regardless of where they were initially created, but groups only show up in the subsite that created them. So it appears that for users that need to be able to access both subsites, and belong to groups that can see private data, they'll have to be added to both subsites *and* added to both groups. Although this works, it's not quite what the client had in mind.
Does it sound like I am understanding this correctly? Is there any documentation that explains this stuff? I've read what I could find but it's the original aD docs and not very helpful.
