AGDLP Model - Active Directory Best Practice

Understanding and Implementing the AGDLP Model in Active Directory

What is the AGDLP Model?

The AGDLP model is a best practice approach for managing user permissions in Active Directory. It stands for Account (A), Global Group (G), Domain Local Group (D), Local Group (L), Permissions (P).

This model provides a structured and efficient way to manage access control, making it easier to assign and revoke permissions while maintaining security and scalability.

Implementing AGDLP

1. Account (A)

Create individual user accounts for each person who needs access to your network resources.

2. Global Group (G)

Create Global Groups based on job functions or roles (e.g., "Marketing Team", "IT Support"). Add user accounts to these groups.

3. Domain Local Group (D)

Create Domain Local Groups that represent access to specific resources (e.g., "Marketing Folder Access", "Printer Access"). Add Global Groups to these Domain Local Groups.

4. Local Group (L)

On member servers or workstations, create Local Groups that correspond to the required access levels. Add Domain Local Groups to these Local Groups.

5. Permissions (P)

Assign permissions to the Local Groups on the resources they need to access.

Benefits of AGDLP

AGDLP Example

Level               Example
Account             JohnDoe
Global Group        Marketing_Team
Domain Local Group  Marketing_Folder_Access
Local Group         Marketing_Data_Readers
Permissions         Read access to D:\Marketing_Data

In this example, JohnDoe is a member of the Marketing_Team global group. This group is a member of the Marketing_Folder_Access domain local group, which in turn is a member of the Marketing_Data_Readers local group on a file server. The Marketing_Data_Readers group has read permissions on the D:\Marketing_Data folder.
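The following PowerShell script is an added example (not code from the original page) that provisions the five AGDLP steps above using the names from the example table, then verifies that the chain resolves and that no user was granted directly on the folder. It assumes a hypothetical domain CORP, the OU "OU=Groups,DC=corp,DC=example" and a file server FS01 holding D:\Marketing_Data; the ActiveDirectory module is required for the A/G/D steps and the L/P steps run on the file server itself.

```powershell
# Added example, not from the original page. Hypothetical names: domain CORP,
# OU "OU=Groups,DC=corp,DC=example", file server FS01, folder D:\Marketing_Data.
Import-Module ActiveDirectory

$Domain  = 'CORP'                          # hypothetical NetBIOS domain name
$GroupOU = 'OU=Groups,DC=corp,DC=example'  # hypothetical OU that holds the groups
$Share   = 'D:\Marketing_Data'

# A: the user account (initial password is read interactively, never hard-coded)
New-ADUser -Name 'JohnDoe' -SamAccountName 'JohnDoe' -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') -ChangePasswordAtLogon $true

# G: role-based global group; -GroupCategory Security so it can be used in ACLs
New-ADGroup -Name 'Marketing_Team' -GroupScope Global -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'Marketing_Team' -Members 'JohnDoe'

# D: resource-based domain local group; it contains the role group, never users directly
New-ADGroup -Name 'Marketing_Folder_Access' -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity 'Marketing_Folder_Access' -Members 'Marketing_Team'

# L + P (run on the file server FS01): the local group receives the domain local group,
# and only the local group appears in the folder's ACL.
New-LocalGroup -Name 'Marketing_Data_Readers' -Description "Read access to $Share"
Add-LocalGroupMember -Group 'Marketing_Data_Readers' -Member "$Domain\Marketing_Folder_Access"

$acl  = Get-Acl -Path $Share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Marketing_Data_Readers',           # local group on this server
    'ReadAndExecute',                   # read-only: no Modify or FullControl
    'ContainerInherit, ObjectInherit',  # inherit to subfolders and files
    'None',
    'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $Share -AclObject $acl

# Verification 1: the nested membership resolves end to end (JohnDoe -> G -> D)
$effective = Get-ADGroupMember -Identity 'Marketing_Folder_Access' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($effective -contains 'JohnDoe') { 'OK: JohnDoe reaches Marketing_Folder_Access via Marketing_Team' }

# Verification 2: no domain user holds a direct ACE on the folder, which would bypass AGDLP
foreach ($ace in (Get-Acl -Path $Share).Access) {
    $name = $ace.IdentityReference.Value
    if ($name -like "$Domain\*") {
        $obj = Get-ADObject -Filter "SamAccountName -eq '$($name.Split('\')[1])'"
        if ($obj.ObjectClass -eq 'user') { Write-Warning "Direct user ACE on $Share : $name ($($ace.FileSystemRights))" }
    }
}
```

The second check is worth scheduling as a recurring audit, since direct user ACEs added outside the model are the usual way AGDLP drifts over time.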

Tip: When implementing AGDLP, start with a pilot project or a single department to gain experience and refine your approach before rolling it out organization-wide.

Best Practices for AGDLP Implementation





