The abbreviation AGDLP stands for Microsoft's recommended procedure for implementing role-based access control within a Windows domain: Accounts, Global groups, Domain Local groups, Permissions. In summary, it stipulates that computer and user accounts (A) are made members of global groups (G) that represent business roles. These global role groups are in turn members of domain local groups (DL) that exist only to carry access control for a resource, and it is these domain local groups that are granted permissions (P) on the resource itself. The group scopes are not interchangeable: a global group can only contain accounts from its own domain, while a domain local group can contain principals from any trusted domain but can only be granted permissions on resources in its own domain, which is why the domain local group is the one that appears in the ACL.
The advantages of AGDLP are:
- Granting access to a single user or to an entire role is equally straightforward: in both cases it is a membership change on the domain local group (the user directly, or the global role group).
- Assuming the relevant groups for each resource already exist, permissions can be changed from the Active Directory console by adding or removing memberships, without touching the ACL on the resource itself.
- The risk of leaving orphaned user entries (see also: Orphaned SIDs) behind in ACLs is reduced, because every entry in the ACL refers to a group (a domain local group created specifically to assign permissions on that object), and deleting a user account never leaves a dangling SID on the resource.
The greatest disadvantage of AGDLP is that the necessary group structures must be created by hand in the Active Directory console, because there are no standard management tools for doing so. The approach is therefore labor-intensive and costly, and the manual process is highly prone to errors, such as a resource group that is never populated or an ACL that is granted to a user or a role group directly.
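The following script is an added example, not part of the original article or of the whitepaper it refers to. It walks through the AGDLP chain for one shared folder with the ActiveDirectory module and the NTFS ACL cmdlets, then audits the folder's ACL for entries that break the pattern (users, orphaned SIDs, or groups that are not domain local). The domain `CORP`, the OU, the share path, the group names and the accounts `alice` and `bob` are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not the article's or vendor's code). All names below are hypothetical.

$Domain       = 'CORP'                                   # hypothetical NetBIOS domain name
$GroupOU      = 'OU=Groups,DC=corp,DC=example,DC=com'    # hypothetical OU for groups
$ResourcePath = '\\fs01\Projects\Apollo'                 # hypothetical shared folder

function Ensure-Group {
    # Create a security group with the given scope if it does not exist yet.
    param([string]$Name, [string]$Scope, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
                    -Path $GroupOU -Description $Description
    }
}

# A -> G: accounts become members of a global group that models the business role.
$RoleGroup = 'Role_ProjectApollo_Member'
Ensure-Group -Name $RoleGroup -Scope Global -Description 'Role: member of project Apollo'
Add-ADGroupMember -Identity $RoleGroup -Members 'alice', 'bob'      # hypothetical accounts

# G -> DL: the role group becomes a member of a domain local group that exists only
# to carry the permission on this one resource (one DL group per resource/right pair).
$AclGroup = 'ACL_Projects_Apollo_Modify'
Ensure-Group -Name $AclGroup -Scope DomainLocal -Description "Modify on $ResourcePath"
Add-ADGroupMember -Identity $AclGroup -Members $RoleGroup

# DL -> P: the ACE on the folder names the domain local group, never a user or role group.
$acl  = Get-Acl -Path $ResourcePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$Domain\$AclGroup",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $ResourcePath -AclObject $acl

function Test-AgdlpAcl {
    # Audit the explicit (non-inherited) ACEs of a path against the AGDLP rule:
    # every domain principal in the ACL should be a domain local group.
    param([string]$Path, [string]$Domain)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $ref = $_.IdentityReference
        $verdict =
            if ($ref -is [System.Security.Principal.SecurityIdentifier]) {
                # Get-Acl only falls back to a raw SID when the account no longer resolves.
                'ORPHANED SID: remove'
            } elseif ($ref.Value -notlike "$Domain\*") {
                'skipped: not a domain principal (e.g. BUILTIN, NT AUTHORITY)'
            } else {
                $sam   = $ref.Value.Split('\')[1]
                $group = Get-ADGroup -Filter "sAMAccountName -eq '$sam'"
                if (-not $group)                          { 'VIOLATION: user/computer granted directly' }
                elseif ($group.GroupScope -ne 'DomainLocal') { "VIOLATION: $($group.GroupScope) group granted directly" }
                else                                      { 'ok: domain local group' }
            }
        [pscustomobject]@{ Identity = $ref.Value; Rights = $_.FileSystemRights; Verdict = $verdict }
    }
}

Test-AgdlpAcl -Path $ResourcePath -Domain $Domain | Format-Table -AutoSize
```

Run the script with an account that may create groups in the target OU and modify the folder's ACL. The audit function is the part worth keeping: pointed at an existing share it lists every explicit ACE that names a user, an orphaned SID, or a global group directly, which are exactly the shortcuts that a manual AGDLP rollout tends to leave behind.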
For details, please read our whitepaper “Best Practices for Permission Management in Microsoft Environments”.