AGDLP reduces account management, permissions management headaches

AGDLP is a practice that can greatly reduce your administrative headaches related to account management and permissions management.

Anyone who's gone through any MCSE training (at least for Windows 2000 and Windows Server 2003) knows you use the acronym AGDLP when assigning permissions in a Windows environment.

AGDLP, which stands for Accounts, Global groups, Domain Local groups and Permissions, refers to the practice you use to properly assign permissions to your network resources and utilize groups in such a way that managing those permissions and group memberships is simplified and configured to allow for multiple domain resource access.

Wikipedia defines AGDLP as "a best practice guide for effectively managing inter-domain resource access in a Windows Server domain network environment. AGDLP is applied when planning and implementing the construction of users and groups as well as the setting of NTFS permissions on the resources concerned."

Using AGDLP allows admins to set up their Windows environments so they can greatly reduce problems related to user account management and permissions management headaches. Yet even those who have gone through MCSE training still fail to use this simple strategy when setting up their strategy for groups and permission assignments.

There have been many times I've had to correct my customers' groups/permissions-related issues because they chose to only use individual accounts, or just Domain Local groups or just Global Groups, when assigning permissions to their resources. Then they add a new domain, create a new resource, add a new user or when someone leaves an organization and is replaced, it becomes a serious nightmare when trying to get the permissions setup properly after those changes have been made.

Using AGDLP gives you the following benefits:

  • You can assign local resource access to users in other domains
  • A user's access to a resource can be removed, simply by removing their account from the appropriate group.
  • If you set up your permissions properly, when a new user is created, you only need to add them to the appropriate group and their permissions will setup little to no additional work.

In following an AGDLP strategy, you would:

  1. A: Create a user Account(s)
  2. G: Create a global group and add the user account(s) you created in step as members
  3. DL: Create a Domain Local group in the domain that contains the resource you wish to give access to and then add the global group from step 2 as a member of this Domain Local group
  4. P: Assign permissions on the resource using the domain local group created in step 3

Sometimes it's easier to review this when applying it to a scenario. Say you have a network resource (in this case we'll use a shared folder called General Ledger), which resides in domain. You want to give permissions to that folder to a user or set of users in the parent domain called

  1. First, take your user(s) in the domain and add them into a global group called Accountants. Why a global group? Because if the resource exists in a different domain than the user accounts, you will only be able to assign permissions to that resource using a global group.
  2. Create a Domain Local group in the domain called Accounting. Add the Accountants global group as a member. A Domain Local groups allow you to add global groups from other domains, besides other local global groups and user accounts, thus giving non-local accounts access to local resources.
  3. Finally, set up the General Ledger folder so that its permissions allow the Accounting DL group access to the resource.

More on groups

Domain Local Groups. Domain local security groups are most often used to assign permissions for access to resources. You can assign these permissions only in the same domain where you create the domain local group. Members from any domain may be added to a domain local group. The domain local scope can contain user accounts, universal groups, and global groups from any domain. In addition, the scope can both contain and be a member of domain local groups from the same domain.

Global Group. Global security groups are most often used to organize users who share similar network access requirements. Members can be added only from the domain in which the global group was created. A global group can be used to assign permissions for access to resources in any domain. The global scope can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

(Note: Windows also has a Universal Group you can use in multiple domain environments, but since it does not apply to AGDLP and is not available in mixed mode environments, I will leave you to research on that one on your own.)

About the author: Tim Fenner(MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment, as well as an independent consultant who specializes in the design, implementation and management of Windows networks.

More information on this topic:


This was first published in May 2007

Dig Deeper on Microsoft Active Directory Scripting



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: