Best Practices Guide - AGDLP Model - 1.0
Date: 23.09.2010
Active Directory
Best Practices Guide – AGDLP Model
Mike Pendzich
Teleperformance Germany
AGDLP Model
Concept
The concept of AGDLP (Accounts, Global, Domain Local, Permissions) is a best practice for managing
access to resources in a Windows Server domain network in a way that stays manageable as the
environment grows. AGDLP is applied when planning and implementing the structure of users and
groups as well as the NTFS (and share) permissions on the resources concerned.
AGDLP is the acronym used to describe the practice of taking Accounts (A) and placing them into
Global Groups (G), usually by organizational role, for example grouping all sales people together. The
Global Group is then nested inside a Domain Local Group (DL), and it is the Domain Local Group that
is used on the NTFS or share Access Control List (ACL) to grant the permission. So Accounts go into
Global Groups, Global Groups go into Domain Local Groups and the permission is assigned to the
Domain Local Group: AGDLP. The main thrust of this technique is that each Domain Local Group
represents exactly one permission set on one resource at the ACL level (read only, read/write, etc.).
The ACL is set once; afterwards access is granted or revoked purely by changing group membership
in Active Directory, never by editing the ACL again.
Scenario
The best way to explain what AGDLP actually means and how it is used is a scenario. Imagine you
are the systems administrator for a company with the following network infrastructure:
There is a root domain called example.local with two sub-domains (uk.example.local and
us.example.local). A user Alice exists in uk.example.local while a sales resource exists in
us.example.local. NTFS permissions must be set in order to provide Alice access to the sales folder in
the other domain. This must be done in a manageable way.
Implementation
Following AGDLP you would do the following:
• Create a global group (G) in the domain where the user exists (uk.example.local).
• Add the user account (A) into the global group (G) in its domain (uk.example.local).
• Create a domain local group (DL) in the domain where the resource exists (us.example.local).
• Add the global group (G) from the user domain into the domain local group (DL) in the
resource domain (us.example.local).
• Assign NTFS permissions (P) on the resource to the domain local group (DL) in its domain
(us.example.local).
This procedure gives the user access to the resource while allowing for expansion in the following
ways.
• Other users from the uk.example.local domain can be given access to the resource by adding
them to the global group in that domain.
• Users in the us.example.local domain can be given access to the resource by creating a global
group in that domain, adding them to it, and nesting that global group in the same domain local
group. A global group can only contain accounts from its own domain, so one global group per
user domain is needed, whereas the domain local group can contain global groups from any
trusted domain.
• Alice's access to the resource can be revoked by removing her from the global group in her
domain. This will not affect any other users who have been added to any of the groups.
Two caveats apply. Group membership is evaluated when the user's access token is built, so a user
who is added to or removed from a group keeps the old token until the next logon (and an already
open session to the file server keeps its access until it is closed); a revocation is therefore not effective
immediately. Also, the ACL on the resource should name only the domain local group: if individual
users or global groups are added to the ACL directly, the single point of control that AGDLP provides
is lost.
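The following PowerShell script carries out the five steps of the scenario above and the revocation of Alice's access. It is an added example, not part of the original guide, and assumes the ActiveDirectory module (RSAT) is installed, that the account running it has the rights to create groups in both domains, and that the group names, OU paths, file server name (fs01), share path and NetBIOS domain name (US) shown are placeholders to be adjusted to your environment.

```powershell
# Added example (not from the original guide). All names below are assumptions.
Import-Module ActiveDirectory

$userDomain     = 'uk.example.local'
$resourceDomain = 'us.example.local'
$localPath      = 'D:\Shares\Sales'      # assumed folder path on the file server fs01

# A -> G : global group in the user's domain, user account added to it
New-ADGroup -Name 'UK-Sales-Staff' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=uk,DC=example,DC=local' -Server $userDomain
Add-ADGroupMember -Identity 'UK-Sales-Staff' -Members 'alice' -Server $userDomain

# DL : domain local group in the resource domain, one group per permission set
New-ADGroup -Name 'US-Sales-Folder-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path 'OU=Groups,DC=us,DC=example,DC=local' -Server $resourceDomain

# G -> DL : nest the global group from the other domain. A member from another
# domain must be resolved against its own domain first and passed as an object.
$ukGroup = Get-ADGroup -Identity 'UK-Sales-Staff' -Server $userDomain
Add-ADGroupMember -Identity 'US-Sales-Folder-Modify' -Members $ukGroup -Server $resourceDomain

# P : NTFS permission on the folder, granted to the domain local group only.
# Run on the file server itself (or wrap in Invoke-Command -ComputerName fs01).
# (OI)(CI) inherit to files and subfolders; M = Modify.
icacls $localPath /grant 'US\US-Sales-Folder-Modify:(OI)(CI)M'

# Check 1: the ACL names only the domain local group, no users or global groups
icacls $localPath

# Check 2: who ends up with the permission, following the nesting one level down
(Get-ADGroup -Identity 'US-Sales-Folder-Modify' -Server $resourceDomain -Properties member).member
Get-ADGroupMember -Identity 'UK-Sales-Staff' -Server $userDomain | Select-Object Name, objectClass

# Revocation for Alice: membership change only, the ACL is never touched
Remove-ADGroupMember -Identity 'UK-Sales-Staff' -Members 'alice' -Server $userDomain -Confirm:$false
```

Note that the cross-domain nesting step uses -Server twice: once to look the global group up in uk.example.local and once to write the membership in us.example.local. Passing the group by plain name to Add-ADGroupMember would make the cmdlet search the resource domain, where the group does not exist. After the revocation Alice keeps any access token and open SMB session she already has until she logs on again or the session is closed, as described above.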