From 4aab95f01e8f18fc0bdb0e4862593c5f47a517cf Mon Sep 17 00:00:00 2001
From: Damien Coles <damien.coles@gmail.com>
Date: Tue, 10 Feb 2026 10:58:21 -0500
Subject: [PATCH] ad workstation isolation

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4dc21bc..927e49d 100644
--- a/README.md
+++ b/README.md
@@ -158,7 +158,8 @@ VMs only accept traffic from the Proxmox host (for Ansible) and the Nebula overl
 |-------|---------|
 | `admin` | Full access (your devices) |
 | `infrastructure` | Core services |
-| `ad` | Windows AD domain machines |
+| `ad` | Windows AD core services (DCs, CA) |
+| `workstations` | Domain-joined user machines (can only reach DCs) |
 | `projects` | Application workloads |
 | `games` | Isolated game servers |