AGDLP reduces account management, permissions management headaches


Tim Fenner, Contributor
05.21.2007


Anyone who's gone through any MCSE training (at least for Windows 2000 and Windows Server 2003) knows you use the acronym AGDLP when assigning permissions in a Windows environment.

AGDLP, which stands for Accounts, Global groups, Domain Local groups and Permissions, refers to the practice of assigning permissions to your network resources through groups, so that managing those permissions and group memberships is simplified and access to resources across multiple domains is possible.

Wikipedia defines AGDLP as "a best practice guide for effectively managing inter-domain resource access in a Windows Server domain network environment. AGDLP is applied when planning and implementing the construction of users and groups as well as the setting of NTFS permissions on the resources concerned."

Using AGDLP lets admins set up their Windows environments in a way that greatly reduces user account management and permissions management headaches. Yet even those who have gone through MCSE training still fail to use this simple strategy when planning their groups and permission assignments.

There have been many times I've had to correct my customers' groups/permissions-related issues because they chose to use only individual accounts, or just Domain Local groups, or just Global groups, when assigning permissions to their resources. Then, when they add a new domain, create a new resource, add a new user, or someone leaves the organization and is replaced, it becomes a serious nightmare to get the permissions set up properly after those changes have been made.

Using AGDLP gives you the following benefits:

In following an AGDLP strategy, you would:

Sometimes it's easier to review this when applying it to a scenario. Say you have a network resource (in this case we'll use a shared folder called General Ledger), which resides in the sub.MyDomain.com domain. You want to give permissions to that folder to a user or set of users in the parent domain called MyDomain.com.

More on groups

Domain Local Groups. Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group. The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global Group. Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

(Note: Windows also has a Universal Group you can use in multiple domain environments, but since it does not apply to AGDLP and is not available in mixed mode environments, I will leave you to research that one on your own.)
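The General Ledger scenario carried through the A, G, DL, P chain with the ActiveDirectory PowerShell module, following the group scope rules described above. This is an added example, not part of the original tip: the group names, user names and folder path are hypothetical, and it assumes the ActiveDirectory module is installed and the account running it can create groups in both domains and edit the folder's ACL.

```powershell
# Added example, not from the original tip. Group names, user names and the
# folder path are hypothetical; the domain names come from the scenario.
Import-Module ActiveDirectory

$accountDomain  = 'MyDomain.com'              # parent domain holding the user accounts
$resourceDomain = 'sub.MyDomain.com'          # domain holding the General Ledger share
$folder         = 'D:\Shares\General Ledger'  # hypothetical local path on the file server

# A -> G: a global group in the accounts' own domain collects the users.
# Global groups accept members only from the domain where they are created.
$gg = New-ADGroup -Name 'GG_Finance_Staff' -GroupScope Global `
        -GroupCategory Security -Server $accountDomain -PassThru
Add-ADGroupMember -Identity $gg -Members 'jsmith', 'mjones' -Server $accountDomain

# DL: a domain local group in the resource's domain, named for the resource
# and the access level it grants.
$dl = New-ADGroup -Name 'DL_GeneralLedger_Modify' -GroupScope DomainLocal `
        -GroupCategory Security -Server $resourceDomain -PassThru

# G -> DL: domain local groups accept global groups from any domain.
# Passing the group object lets the cross-domain member resolve.
Add-ADGroupMember -Identity $dl -Members $gg -Server $resourceDomain

# DL -> P: the NTFS permission goes on the domain local group only,
# never on the global group or on individual accounts.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
          -ArgumentList $dl.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Review: explicit (non-inherited) ACEs on the folder should name domain
# local groups, and the domain local group should contain only global groups.
(Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-ADGroup -Identity $dl -Server $resourceDomain -Properties member |
    Select-Object -ExpandProperty member
```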

About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.
