
Microsoft® Windows is to IT departments like yin is to yang, like whiskey to coke, like grass is to sheep. It’s a symbiosis and the existence of one without the other is almost unimaginable. But being joined at the hip doesn’t automatically make the relationship a healthy one – and the widespread use of MS Windows throughout IT departments around the globe is no exception. There are flaws.

For instance, if you try to manage Active Directory permissions, file server permissions and NTFS shares using the default Microsoft tool set, chances are you’ll soon be pulling your hair out in frustration. Not only is the process a time-consuming one, it’s also highly prone to errors.

In this article, we are going to discuss what the AGDLP framework means for Active Directory permissions and explore how you can speed up and simplify your Active Directory permission management while, most importantly, keeping everything secure.


Active Directory Permission Management

Between an increase in ransomware attacks, the looming danger of insider threats and growing regulatory pressure from governments and industry organizations, the demands on cybersecurity are constantly increasing. There are now numerous laws and regulations demanding that businesses keep precise and constant track of who has access to which resources within their company.

The problem with this demand is that Microsoft Windows, the world’s most widely used OS, offers no adequate reporting tool that would allow organizations to produce an overview of access structures. There is simply no way of seeing (and therefore knowing), at a glance, who in your company has access to critical data.

Active Directory Permissions and AGDLP

Microsoft® has developed a concept for managing permissions on file servers called the AGDLP principle. This principle is Microsoft’s recommended approach for implementing role-based access control (RBAC) within a Windows domain. The principle dictates that:

(A) Computer and user accounts should be

(G) members of global groups, which represent business roles.

(DL) These global role groups are members of domain local groups, which are maintained for access control and

(P) have permissions for certain resources.

Let’s say you’re an admin and you want to give a person or global (organizational) group access to a folder. To do this, you have to add this person’s account or the global group to the domain local group instead of giving them permissions for the folder directly.
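As an added example (not code from the original article), here is how an admin could lay down the four AGDLP layers for one folder with the ActiveDirectory module and Set-Acl; the OU paths, group and account names, the CORP domain and the folder path are all assumptions:

```powershell
# Added example: the four AGDLP layers for one folder. OUs, names, accounts,
# the CORP domain and the folder path are assumptions, not from the article.
Import-Module ActiveDirectory

$RoleOU     = 'OU=Roles,OU=Groups,DC=corp,DC=example'      # assumed OU for global role groups
$ResourceOU = 'OU=Resources,OU=Groups,DC=corp,DC=example'  # assumed OU for domain local groups
$Folder     = 'D:\Shares\Projects\Finance'                 # assumed folder on the file server

# (G) One global group per business role.
New-ADGroup -Name 'ROLE_Finance' -GroupScope Global -GroupCategory Security `
    -Path $RoleOU -Description 'Business role: Finance department'

# (DL) One domain local group per resource and access level; only these go on the ACL.
$Levels = @{ R = 'ReadAndExecute'; RW = 'Modify' }
foreach ($Level in $Levels.Keys) {
    New-ADGroup -Name "ACL_Projects_Finance_$Level" -GroupScope DomainLocal `
        -GroupCategory Security -Path $ResourceOU -Description "NTFS $($Levels[$Level]) on $Folder"
}

# (A -> G) Accounts are added to the role group, never to the resource group or the ACL.
Add-ADGroupMember -Identity 'ROLE_Finance' -Members 'jdoe', 'asmith'   # assumed accounts

# (G -> DL) The role is nested into the access level it needs.
Add-ADGroupMember -Identity 'ACL_Projects_Finance_RW' -Members 'ROLE_Finance'

# (P) Permissions are granted to the domain local groups only. Inheritance is broken,
# but the inherited ACEs (Administrators, SYSTEM, ...) are copied so nobody is locked out.
$Acl = Get-Acl -LiteralPath $Folder
$Acl.SetAccessRuleProtection($true, $true)
foreach ($Level in $Levels.Keys) {
    $Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "CORP\ACL_Projects_Finance_$Level",
        [System.Security.AccessControl.FileSystemRights]$Levels[$Level],
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $Acl.AddAccessRule($Rule)
}
Set-Acl -LiteralPath $Folder -AclObject $Acl
```

If the file server talks to a different domain controller than the one the groups were created on, the new group names will not resolve until replication has completed, so the Set-Acl step may need to run a little later.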

What Is Role-Based Access Control (RBAC)?

Role-based access control is a cybersecurity concept focused on providing safe and appropriate access to all resources in an organization. RBAC ensures that access rights are assigned according to the principle of least privilege: this principle dictates that users should be granted the minimum number of permissions required for their role, as any unnecessary privileges pose a security risk if an account is compromised or misused (for example, in the case of employee data theft).

Is AGDLP a Good AD Permission Management Concept?

At first glance, the AGDLP principle solves two common problems you will most definitely encounter when you manage permissions on a file server:

(1) When you delete a user, you will not be left with an orphaned SID.

(2) To find out what resources a user has access to, all an administrator has to do (in theory) is check the Active Directory permissions of the user and computer, since (again, in theory) the groups the user was assigned to should show which folders they have access to.

Time-Consuming and Prone to Errors

So, in theory, the AGDLP principle is a great concept for Active Directory permission management. However, in practice it’s an entirely different story. The problem is that the AGDLP principle has to be implemented manually by admins. They have to ensure it is applied properly and consistently at all times. In smaller companies with fewer users this is probably doable – if your admin is really committed and meticulous in their approach.

But what about larger companies with hundreds or even thousands of users? How are you going to go about managing all those permissions manually? It’s a daunting task, as you can probably imagine. It’s a) really time-consuming, and b) prone to mistakes. Lots of mistakes.

And, obviously, the risk of errors increases exponentially the more admins you have and the more branches and locations they have to manage. It’s almost impossible to get your admins on the same page and using the same labels when they are scattered all over the place, possibly not even in the same building. It’s chaos.

Unfortunately, Microsoft® has yet to release a state-of-the-art management console that provides a drag-and-drop option for assigning permissions to users.

Active Directory Reporting

Microsoft®’s reporting tools for Active Directory permissions and file server permissions are likewise very limited. Deciphering folder permissions in the AD is technically feasible, but again, very time-consuming. There’s no dashboard that lets you view all permissions in one place. Any information you want or need, you’re going to have to retrieve on your own.

Folder Permission Reporting

To get a folder permission report, you can use a cmdlet in PowerShell (learn more about folder permission reporting via PowerShell). Another option is the Microsoft tool AccessEnum, which you can use to check the permissions of a user or group on folders or parts of the registry.

The tool not only lists the current permissions, but also tells you which permissions the user was previously denied.

The information provided by AccessEnum is considerably more detailed than the entries in the Access Control List. However, the tool does not provide a substitute for the missing link between the permissions on your file servers and those in Active Directory.

Effective Permission Reporting

While it is possible – albeit time-consuming – to retrieve Active Directory folder permissions, there is simply no way to view the effective permissions a specific user has. The same goes for Active Directory group permissions.

What’s missing here is an instance linking the permissions on file servers to those in Active Directory (or the access control list in the case of NTFS permissions). There’s simply no way to connect the two, let alone provide an overview of how they are linked.

NTFS Permission Reporting

Many admins prefer NTFS permissions over share permissions because NTFS permission settings offer more granular control. Also, NTFS permissions apply both for local access via PC and network access. (Learn more about the difference between NTFS and share permissions).

As practical as NTFS permissions are for managing user access to file servers, reporting on NTFS permissions is difficult. This is because there is no instance connecting the file server to the Active Directory that would, for example, inform the AD when a user has been granted access to a folder on the file server.

No Connection Between AD and File Servers

Since the AD and file server are not connected to one another, users should never be granted direct access to an object on the file server, but only by being added to AD groups.

If a user is given direct access to a folder instead of using group membership, this permission will not be reflected in the Active Directory. If later this user is deleted from the AD, including all group memberships, this will leave behind an orphaned SID on the folder.
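The PowerShell folder permission report mentioned earlier and the orphaned-SID problem described here can be checked in one pass. As an added example (not code from the original article), this audit walks a folder tree and reports every non-inherited ACE that points at an orphaned SID, directly at a user or computer account, or at a group that is not domain local; the root path and the NetBIOS domain name are assumptions:

```powershell
# Added example: audit NTFS ACLs for AGDLP violations (orphaned SIDs, direct account
# grants, global/universal groups on the ACL). Root and domain name are assumptions.
Import-Module ActiveDirectory

function Get-AgdlpViolation {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Domain = 'CORP'                       # assumed NetBIOS domain name
    )
    $Cache = @{}                                       # sAMAccountName -> issue (or $null)
    $Dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($Dir in $Dirs) {
        $Acl = Get-Acl -LiteralPath $Dir.FullName -ErrorAction SilentlyContinue
        if (-not $Acl) { continue }
        foreach ($Ace in $Acl.Access) {
            if ($Ace.IsInherited) { continue }         # report each ACE where it is set
            $Id = $Ace.IdentityReference.Value
            $Issue = $null
            if ($Id -match '^S-1-5-21-') {
                # Windows could not translate the SID to a name: the account was
                # deleted and its SID is left orphaned on the folder.
                $Issue = 'Orphaned SID'
            } elseif ($Id -match "^$Domain\\(.+)$") {  # skip BUILTIN, NT AUTHORITY etc.
                $Name = $Matches[1]
                if (-not $Cache.ContainsKey($Name)) {
                    $Obj = Get-ADObject -LDAPFilter "(sAMAccountName=$Name)" -Properties groupType
                    $Cache[$Name] = if (-not $Obj) { 'Unresolved identity' }
                        elseif ($Obj.objectClass -ne 'group') { 'Direct account permission' }
                        elseif ($Obj.groupType -band 0x4) { $null }   # domain local: as intended
                        else { 'Global or universal group on ACL' }
                }
                $Issue = $Cache[$Name]
            }
            if ($Issue) {
                [pscustomobject]@{
                    Path = $Dir.FullName; Identity = $Id; Issue = $Issue
                    Rights = $Ace.FileSystemRights; Type = $Ace.AccessControlType
                }
            }
        }
    }
}

Get-AgdlpViolation -Root 'D:\Shares\Projects' | Format-Table -AutoSize
```

Pipe the output to Export-Csv to keep a dated snapshot; comparing two snapshots shows which direct grants or orphaned SIDs appeared since the last audit.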

How to Set NTFS Permissions Correctly

As an admin, you can save a lot of time and stress by making sure you set NTFS permissions correctly from the get-go. Read our blog post to learn about NTFS permission best practices and the 5 most common mistakes admins make.

AGDLP Microsoft Best Practices

For a detailed guide on how best to treat permissions in Microsoft® environments, download our free best practice white paper and confirm that your organization is applying AGDLP properly.

BUT – if you’re dealing with a very large number of users and/or complex internal access management workflows and processes in your AD and file servers, you might want to think about finding a way to automate those.

[FREE WHITE PAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how to best handle access rights in Microsoft® environments.

Go to Download


Active Directory Tool: Managing Permissions With tenfold

Our philosophy at tenfold is to keep it simple. That’s why our identity and access management solution makes Active Directory permission management and permission management for file servers extra easy. And the best part: It’s fully automated.

Our product is deeply integrated with Microsoft’s infrastructure and provides both automatic permission management and seamless documentation for compliance purposes, whether on-premises, in the cloud (Microsoft 365) or both!

tenfold Implements AGDLP Principle

One of tenfold’s key features is its Active Directory integration. An intuitive user interface makes it fast and easy to access and manage any AD settings and attributes. As for AGDLP, all it takes to implement the principle is for admins and users to set the desired permission levels and tenfold then automatically takes care of the rest.


Active Directory Permission Reporting: Easy as Pie

Not only does tenfold enable centralized permission management, it also provides centralized reporting. What this means, essentially, is that you can read out any Active Directory permissions (including group permissions and AD folder permissions) with just one click in the tenfold user interface. The software:

  • extracts the data from file servers and the AD,

  • breaks down nested structures,

  • filters irrelevant information and

  • provides an overview of effective permissions (including historical data, if requested).

Documenting NTFS Permissions

tenfold provides the missing link between file server permissions and the AD structure. With one click, tenfold will give you an overview of Active Directory permissions, file server access rights, permissions in Exchange and SharePoint, and Microsoft cloud services.

NTFS Reporting Tool

tenfold’s change tracking feature documents every change made to users and/or permissions. This means you do not need an additional tool to compile an NTFS permissions report. Instead, all current permissions can be viewed or exported into a clear and concise report.

Increase Efficiency Through Automation

tenfold’s feature palette doesn’t end here though. Not only does it manage your file server and AD permissions – as part of its application integration feature, it allows you to grant permissions automatically across various other systems, including, but not limited to, SAP, Exchange (Online) and Azure AD. The key to success here is that it uses role-based access control across every system.

Role-based access control means that resources and permissions from different target systems are grouped and linked to the respective organizational unit. This connection produces roles (commonly referred to as business roles) that hold certain standard permissions.

This approach to user management saves time and is very secure because it allows tenfold to automatically assign default rights and remove them again when user attributes (e.g., department or location) change. This is commonly referred to as user lifecycle management.


Guaranteed Compliance

Thanks to tenfold’s deep integration with Microsoft and Active Directory, it is able to document every change made to access rights and permissions across your entire organization. Complete and auditable records like these play an important role in meeting compliance regulations like SOX, the GDPR, HIPAA or ISO 27001.

Why tenfold?

tenfold is the next generation of access management. Our mission is to make user & account management fast, easy and secure for everyone by providing user-friendly solutions to common problems. We want all users, from IT admins to HR, to be able to use tenfold effectively.

Why tenfold?

With its wide range of features and competitive price point, tenfold is the best IAM solution for midmarket organizations.

Here’s why
