The abbreviation AGDLP stands for “Account, Global, Domain Local, Permission” and represents Microsoft’s recommended procedure for implementing role-based access control within Windows domains. It stipulates that computer and user accounts (A) must be members of global groups (G) that represent business roles. These global role groups are members of domain local (DL) groups which are maintained for access control and have permissions (P) for certain resources.
The advantages of AGDLP include:
- Assigning permissions to users and to groups works the same way: both are granted through membership in the domain local group.
- Assuming that the relevant groups for each resource already exist, permissions can easily be changed via the Active Directory console (by adding memberships).
- The risk of leaving behind orphaned user entries (see also: Orphaned SIDs) in ACLs is reduced because all entries in the ACLs refer to groups (domain local groups used especially for assigning permissions to the respective object).
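The chain described above (account into global role group, role group into domain local resource group, resource group alone in the ACL) for a single file share, followed by the ACL check that catches orphaned SIDs or directly assigned users. This is an added example written with the ActiveDirectory module, not code from the original article; the OU paths, group names, share path, account names and the EXAMPLE domain are assumptions.

```powershell
# Added example (not from the original article). All names below are assumed.
Import-Module ActiveDirectory

$roleOU     = 'OU=Roles,DC=example,DC=com'       # assumed OU for global role groups
$resourceOU = 'OU=Resources,DC=example,DC=com'   # assumed OU for domain local groups
$sharePath  = 'D:\Shares\Finance'                # assumed resource
$domain     = 'EXAMPLE'                          # assumed NetBIOS domain name

# A: accounts holding the business role (assumed sAMAccountNames)
$accountants = @('jdoe', 'asmith')

# G: global group that represents the business role
New-ADGroup -Name 'Role-Accounting' -GroupScope Global -GroupCategory Security -Path $roleOU
Add-ADGroupMember -Identity 'Role-Accounting' -Members $accountants

# DL: domain local group maintained for one resource and one access level
New-ADGroup -Name 'ACL-Finance-Read' -GroupScope DomainLocal -GroupCategory Security -Path $resourceOU
# G -> DL: the role group is a member of the resource group, never the users
Add-ADGroupMember -Identity 'ACL-Finance-Read' -Members 'Role-Accounting'

# P: only the domain local group is written into the ACL of the resource
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$domain\ACL-Finance-Read", 'ReadAndExecute',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check: every ACE on the share should resolve to a group. An entry that is
# still a raw S-1-5-... string is an orphaned SID; a user principal in the
# ACL means somebody bypassed the DL group and granted the permission directly.
(Get-Acl -Path $sharePath).Access | ForEach-Object {
    $id = $_.IdentityReference.Value
    if ($id -match '^S-1-5-') {
        Write-Warning "Orphaned SID in ACL of ${sharePath}: $id"
    } elseif ($id -match "^$domain\\") {
        $sam = $id.Split('\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties objectClass
        if ($obj -and $obj.objectClass -eq 'user') {
            Write-Warning "User assigned directly instead of via a DL group: $id"
        }
    }
}
```

Run the check part on its own against an existing share to see which ACEs deviate from the AGDLP pattern before changing anything.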
The greatest disadvantage of AGDLP is that the necessary structures must be created manually in the Active Directory console because there are no standard management tools available to do this part. Unfortunately, this means the AGDLP process requires a great deal of effort, both in terms of work and money, while still being highly prone to errors.
For more information, please read our white paper Best Practices for Access Management in Microsoft Environments.