AGDLP is a best-practice guideline for managing inter-domain resource access in a Windows Server domain environment. It is applied when planning and implementing the structure of users and groups, and when setting NTFS permissions on the resources concerned.
Accounts, Global, Domain Local, Permissions
AGDLP is the acronym used to describe the practice of taking Accounts (A) and placing them into Global groups (G), often for organizational purposes such as grouping all sales people together. The Global group is then nested within a Domain Local group (DL), which is the group used on the NTFS or share Access Control List (ACL) to grant Permissions (P). So accounts go into global groups, global groups go into domain local groups, and the permission is assigned to the domain local group: AGDLP. The main thrust of this technique is to tie a single permission set (read only, read/write, etc.) to a single group at the ACL level, and then populate that group in Active Directory whenever, and as often as, the assigned permission is needed.
To best explain what AGDLP actually means and how it is used, a scenario is required. Imagine you are the systems administrator for a company with the following network infrastructure:
There is a root domain called example.local with two subdomains (uk.example.local and us.example.local). A user, Alice, exists in uk.example.local, whilst a sales resource exists in us.example.local. NTFS permissions must be set in order to give Alice access to the sales folder in the other domain, and this must be done in a manageable way.
Following AGDLP you would do the following:
This procedure allows the user to have access to the resource whilst allowing for expansion in the following ways.
PLEASE NOTE: The viability of the above expansions depends on what other permissions and memberships have been assigned to the groups involved. For the sake of these examples it is assumed that no other memberships or permissions have been granted.
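The scenario above carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original article. The group names, OU paths, the folder path and the NetBIOS domain name US are assumed placeholders; the script is run from a machine with the RSAT module installed and rights in both domains.

```powershell
# Added example: AGDLP for Alice (uk.example.local) accessing a folder in us.example.local.
# All group names, OU paths and the folder path are assumed placeholders.
Import-Module ActiveDirectory

# A: the account lives in uk.example.local, so query that domain directly.
$alice = Get-ADUser -Identity 'alice' -Server 'uk.example.local'

# G: a global group in the account's own domain. Global groups can only contain
# principals from their own domain, which is why it is created in uk.example.local.
$ukSales = New-ADGroup -Name 'UK-Sales' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=uk,DC=example,DC=local' -Server 'uk.example.local' -PassThru
Add-ADGroupMember -Identity $ukSales -Members $alice -Server 'uk.example.local'

# DL: a domain local group in the resource's domain, named for the single permission
# set it will carry. Domain local groups may contain global groups from any trusted domain.
$salesModify = New-ADGroup -Name 'Sales-Share-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=us,DC=example,DC=local' -Server 'us.example.local' -PassThru

# Nest the UK global group in the US domain local group. The member attribute is written
# by distinguished name so the US DC records the cross-domain member as a foreign security principal.
Set-ADGroup -Identity $salesModify -Add @{ member = $ukSales.DistinguishedName } -Server 'us.example.local'

# P: grant the permission once, to the domain local group, on the folder's NTFS ACL.
# Future access for other teams is then a group membership change, not another ACL edit.
$folder = 'D:\Shares\Sales'
$acl = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'US\Sales-Share-Modify',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: the ACL should now carry exactly one entry for the domain local group.
(Get-Acl -Path $folder).Access | Where-Object { $_.IdentityReference -eq 'US\Sales-Share-Modify' }
```

Because the folder's ACL references only the domain local group, an audit of who can reach the share reduces to expanding that group's nested membership with Get-ADGroupMember -Recursive.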
What Windows 2000 (and later versions) calls the domain local group was simply called the local group in Windows NT. The abbreviation therefore used to be AGLP rather than AGDLP.
In some cases an extra round of global groups is nested (global groups within global groups), and the acronym is then extended from AGDLP to AGGDLP.
If universal groups are to be used as well (supported except in Windows 2000 mixed mode, which retains support for Windows NT Backup Domain Controllers, or BDCs), global groups should be nested within universal groups. In such a case the acronym is extended from AGDLP to AGUDLP.