Hi Robert,
The proposed model looks fine. It is a best practice to have the Win AD group as a subgroup of the Enterprise group.
Also make sure to implement the Enterprise alias for all the users, with reference to the note below.
1755220 - Can LDAP or AD groups get deleted by network communication issues with AD/LDAP?