AGDLP: Microsoft’s Best Practice for Group Structure
The AGDLP principle, short for "Account, Global, Domain Local, Permission", represents Microsoft's recommended procedure for implementing role-based access control within Windows domains.
AGDLP stipulates that computer and user accounts (A) must be members of global groups (G) that represent business roles. These global role groups are members of domain local (DL) groups which are maintained for access control and have permissions (P) for certain resources.
The advantages of AGDLP include:
Assigning permissions to users and groups is straightforward: membership in the relevant domain local group is all that is required.
Assuming that the relevant groups for each resource already exist, permissions can easily be changed via the Active Directory console (by adding memberships).
The risk of leaving behind orphaned user entries (see also: Orphaned SIDs) in ACLs is reduced because all entries in the ACLs refer to groups (domain local groups used especially for assigning permissions to the respective object).
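The following PowerShell script is an added example, not part of the original article, that builds one complete AGDLP chain with the ActiveDirectory module (account into global role group, role group into domain local resource group, resource group into the folder ACL) and then audits the resulting ACL for the two conditions the text warns about: direct user or computer entries, and orphaned SIDs that no longer resolve. The domain CORP / corp.example, the OU path, the group names, the folder D:\Shares\Finance and the user jdoe are all assumed placeholders; the function Test-AgdlpAcl is hypothetical and not a Microsoft cmdlet.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module, the hypothetical domain CORP (corp.example), an OU for groups, a
# folder D:\Shares\Finance on this file server and an existing user "jdoe".
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'
$roleGroup = 'Role-Finance-Analyst'       # G: the business role
$resGroup  = 'ACL-FinanceShare-Modify'    # DL: one resource, one access level
$folder    = 'D:\Shares\Finance'          # P: the resource that carries the ACL

# G: global security group representing the business role
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $ou `
    -Description 'Business role: finance analyst'

# DL: domain local security group that is the only principal placed in the ACL
New-ADGroup -Name $resGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou `
    -Description 'Modify on D:\Shares\Finance'

# A -> G: the account becomes a member of the role group
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe'

# G -> DL: the role group becomes a member of the resource group
Add-ADGroupMember -Identity $resGroup -Members $roleGroup

# DL -> P: grant Modify to the domain local group, inherited by files and subfolders
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "CORP\$resGroup",
    'Modify',
    'ContainerInherit, ObjectInherit',
    'None',
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Audit (hypothetical helper): report every ACE that is not a domain local
# group, plus SIDs that no longer translate to an account (orphaned entries).
function Test-AgdlpAcl {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id = $ace.IdentityReference
        # Built-in local principals sit outside the AGDLP chain; skip them.
        if ($id.Value -match '^(BUILTIN|NT AUTHORITY|CREATOR OWNER)') { continue }

        try {
            $sid = $id.Translate([System.Security.Principal.SecurityIdentifier])
            # A SID of a deleted account throws here: that is an orphaned ACE.
            $sid.Translate([System.Security.Principal.NTAccount]) | Out-Null
        } catch [System.Security.Principal.IdentityNotMappedException] {
            [pscustomobject]@{ Path = $Path; Identity = $id.Value; Finding = 'orphaned SID' }
            continue
        }

        $group = Get-ADGroup -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
        if (-not $group) {
            [pscustomobject]@{ Path = $Path; Identity = $id.Value; Finding = 'direct user/computer entry' }
        } elseif ($group.GroupScope -ne 'DomainLocal') {
            [pscustomobject]@{ Path = $Path; Identity = $id.Value; Finding = "group scope is $($group.GroupScope)" }
        }
    }
}

# Run the audit against the folder configured above; no output means the ACL
# contains only domain local groups and no stale SIDs.
Test-AgdlpAcl -Path $folder
```

Running Test-AgdlpAcl regularly over share roots turns the orphaned-SID advantage described above into a checkable control: an ACE that shows up as a raw S-1-5-21-... value is an entry whose account was deleted without the ACL being cleaned up, and a user or global group in the output means someone bypassed the domain local layer.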
When applied consistently, AGDLP boosts both transparency and Active Directory security. The greatest disadvantage of AGDLP is that the necessary structures must be created manually in the Active Directory console because there are no standard management tools available to do this part. Unfortunately, this means the AGDLP process requires a great deal of effort, both in terms of work and money, while still being highly prone to errors.
For more information, please read our white paper Best Practices for Access Management in Microsoft Environments.