AGDLP: Microsoft’s Best Practice for Group Structure
The AGDLP principle, short for “Account, Global, Domain Local, Permission”, is Microsoft’s recommended approach for implementing role-based access control within Windows (Active Directory) domains.
AGDLP stipulates that user and computer accounts (A) are made members of global groups (G) that represent business roles. These global role groups are in turn nested into domain local groups (DL), which exist purely for access control: one domain local group per resource and access level. Permissions (P) on the resource are granted only to those domain local groups, never to accounts or role groups directly.
The advantages of AGDLP include:
Granting a user, or an entire role, access to a resource is straightforward: add the account or the global role group to the appropriate domain local group. No ACL on the resource has to be touched.
Assuming the relevant groups for each resource already exist, permissions can be changed entirely in the Active Directory console by adding or removing group memberships, so the change is visible in AD rather than buried in file-system ACLs.
The risk of leaving orphaned entries behind in ACLs (see also: Orphaned SIDs) is reduced, because every ACL entry refers to a group (specifically the domain local group created to assign permissions to that object) rather than to an individual account that may later be deleted.
When applied consistently, AGDLP improves both transparency and Active Directory security. Its greatest disadvantage is that the role groups, resource groups, their nesting and the corresponding ACL entries have to be created and kept consistent by hand in the Active Directory console, because Active Directory ships no built-in tooling that generates or maintains these structures for you. In practice this makes the AGDLP process labor-intensive and expensive, and, since every step is manual, error-prone: a role group nested into the wrong domain local group, or a user added to an ACL directly, is easy to miss.
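To make the A, G, DL and P steps concrete, here is what the structure described above looks like when scripted with the ActiveDirectory PowerShell module (RSAT). This is an added example, not code from the original article or from Microsoft. The domain name, OU paths, group names, account names and folder path are assumed placeholders, and the Test-AgdlpAcl function is a hypothetical check that reports explicit ACEs which bypass the pattern, including the orphaned SIDs mentioned above.

```powershell
# Added example, not code from the original article: one AGDLP chain built with the
# ActiveDirectory PowerShell module (RSAT), followed by an ACL check for entries that
# bypass the pattern. Domain name, OU paths, group names, account names and the folder
# path are hypothetical placeholders; adjust them to your environment.
Import-Module ActiveDirectory

$Domain     = 'CORP'                                        # assumed NetBIOS domain name
$RoleOU     = 'OU=Roles,OU=Groups,DC=corp,DC=example'       # assumed OU for global role groups
$ResourceOU = 'OU=Resources,OU=Groups,DC=corp,DC=example'   # assumed OU for domain local groups
$Folder     = 'D:\Shares\Finance\Reports'                   # assumed resource (an NTFS folder)
$Accounts   = @('j.doe', 'a.smith')                         # assumed sAMAccountNames holding the role

function New-GroupIfMissing {
    param([string]$Name, [string]$Scope, [string]$Path, [string]$Description)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security `
            -Path $Path -Description $Description
    }
}

# A -> G: accounts become members of one global group per business role
$RoleGroup = 'G-Finance-Analyst'
New-GroupIfMissing -Name $RoleGroup -Scope Global -Path $RoleOU -Description 'Role: finance analyst'
Add-ADGroupMember -Identity $RoleGroup -Members $Accounts

# DL: one domain local group per resource and access level; these are the only
# principals that will ever appear in the resource's ACL
$DlGroups = @{
    'DL-Finance-Reports-RW' = 'Modify'
    'DL-Finance-Reports-RO' = 'ReadAndExecute'
}
foreach ($name in $DlGroups.Keys) {
    New-GroupIfMissing -Name $name -Scope DomainLocal -Path $ResourceOU `
        -Description "Resource: $Folder, $($DlGroups[$name])"
}

# G -> DL: the role is nested into the domain local group (a membership change, not an ACL change)
Add-ADGroupMember -Identity 'DL-Finance-Reports-RW' -Members $RoleGroup

# DL -> P: the NTFS permission is granted to the domain local groups only
$acl = Get-Acl -Path $Folder
foreach ($name in $DlGroups.Keys) {
    # identity, rights, inheritance flags, propagation flags, access type
    $ruleArgs = @("$Domain\$name", $DlGroups[$name], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# Check 1: which accounts actually reach the resource through the nested chain?
Get-ADGroupMember -Identity 'DL-Finance-Reports-RW' -Recursive |
    Select-Object SamAccountName, ObjectClass

# Check 2: report explicit ACEs on a folder that break AGDLP, i.e. direct user or
# computer entries, groups that are not domain local, and orphaned SIDs.
function Test-AgdlpAcl {
    param([string]$Path, [string]$DomainName = $Domain)
    foreach ($ace in (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited }) {
        $id = $ace.IdentityReference.Value
        if ($id -match '^S-1-5-21-') {
            # Get-Acl could not resolve the SID: the principal was deleted but its ACE remains
            [pscustomobject]@{ Identity = $id; Finding = 'Orphaned SID' }
            continue
        }
        if ($id -notmatch "^$DomainName\\") { continue }   # BUILTIN\... and NT AUTHORITY\... are out of scope here
        $sam = $id.Split('\')[-1]
        $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -Properties groupType
        $finding = if ($null -eq $obj) { 'Not found in AD' }
                   elseif ($obj.ObjectClass -ne 'group') { "Direct $($obj.ObjectClass) entry" }
                   elseif (-not ($obj.groupType -band 4)) { 'Group is not domain local' }   # groupType bit 0x4 = domain local
                   else { $null }
        if ($finding) { [pscustomobject]@{ Identity = $id; Finding = $finding } }
    }
}

Test-AgdlpAcl -Path $Folder   # no output means every explicit ACE points at a domain local group
```

The script deliberately touches the ACL only once, when the domain local groups are first bound to the folder; from then on, onboarding a new analyst or retiring a role is purely an Add-ADGroupMember or Remove-ADGroupMember call. Test-AgdlpAcl inspects only explicit (non-inherited) ACEs, so running it on the share root is enough to catch a user who was granted access directly, a global or universal group placed in the ACL, and SIDs that no longer resolve because the account behind them was deleted.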
For more information, please read our white paper Best Practices for Access Management in Microsoft Environments.