brakerm19
Jan 10, 2012
I realize this thread is a year old, but in case anyone else has the same question and stumbles on this thread....

The AGDLP concept will reduce the overall maintenance that groups require within Active Directory; however, there will be a higher quantity of groups and it takes a little initial planning. This will allow for a very structured way to find who has what type of access to what resource.

User accounts are members of Global groups, which are members of Domain Local groups, which are assigned at the resource to grant permission.

Example securing various types of access to a particular NTFS share:
Folder name: "Templates", located on a file share called "Shared" on a server called "fileserver"
* create two Domain Local groups
-- one called: DL NTFS FILESERVER SHARED TEMPLATES MODIFY
-- second one called: DL NTFS FILESERVER SHARED TEMPLATES READ
* change the folder NTFS security settings to include only 4 items
-- Administrators - full access
-- System - full access
-- DL NTFS FILESERVER SHARED TEMPLATES MODIFY - modify access
-- DL NTFS FILESERVER SHARED TEMPLATES READ - read access
* create the necessary business role/title/function named Global Groups
-- one called: G DOCUMENT CONTROL SPECIALISTS
-- second one called: G INTERNAL AUDITING SPECIALISTS
-- third one called: G RESEARCH AND DEVELOPMENT ENGINEERS
-- fourth one called: G MARKETING SALES STAFF
* populate the Global groups with the appropriate user accounts relevant to the business
-- one possibility is to delegate access to an Active Directory Organizational Unit containing these Global groups so a member of HR can fill/maintain these memberships accordingly.
* add the Global groups to the appropriate Domain Local groups to grant those role/title/function the necessary access
-- G DOCUMENT CONTROL SPECIALISTS group becomes a member of DL NTFS FILESERVER SHARED TEMPLATES MODIFY group
-- G INTERNAL AUDITING SPECIALISTS group becomes a member of DL NTFS FILESERVER SHARED TEMPLATES READ group
-- G RESEARCH AND DEVELOPMENT ENGINEERS group becomes a member of DL NTFS FILESERVER SHARED TEMPLATES READ group
-- G MARKETING SALES STAFF group becomes a member of DL NTFS FILESERVER SHARED TEMPLATES READ group

* This would allow for a single view within the members list of each Domain Local group of who has what type of access.
* This would save the time of diving into each security tab of each folder within a file share per file server to figure out who has what type of access, as all this information can be derived from the group membership lists
* This concept can apply to any Active Directory object, including special/specific Active Directory delegation, for example:
-- DL ADO MARKETING USERS OU UNLOCK USER ACCOUNT
-- DL ADO FUNCTIONAL GLOBAL GROUPS OU CHANGE MEMBERSHIP
-- DL PRNT PRINTSERVER1 HP4250DN-OFFICE1
-- DL SQL SQLSERVER1 ENGINEERING INSTANCE PROJECTS-DB READ-WRITE
-- DL SQL SQLSERVER1 ENGINEERING INSTANCE PROJECTS-DB OWNER
-- DL CERT CODESIGNING
-- DL CERT USER FILE ENCRYPTION
-- DL WEBAPP SHAREPOINTSERVER1 ADMINISTRATORS
-- DL GPO DISABLE DISABLE OFFLINE FILES POLICY
### This (above) can be applied to a G KIOSK COMPUTERS global group that contains computer account memberships
-- DL GPO DISABLE SCREEN SAVER POLICY

* The U in AGGUDLP comes into play with a multidomain forest, where a group of software developers performing the same function in various child domains in a forest all need access to a resource, like a certificate code signing template
-- CHILDDOMAIN1\G SOFTWARE DEVELOPERS
-- CHILDDOMAIN2\G SOFTWARE DEVELOPERS
-- CHILDDOMAIN3\G SOFTWARE DEVELOPERS
-- FORESTDOMAIN\U SOFTWARE DEVELOPERS (this would contain memberships including all the G SOFTWARE DEVELOPERS from each child domain since universal group can contain members of multiple domains)

* The GG in AGGUDLP are for nested Global groups, such that Global groups are named specifically and a general common functional group within the same domain needs to be established
-- G QUALITY MANAGER
-- G ENGINEERING MANAGER
-- G MARKETING MANAGER
-- G HUMAN RESOURCE MANAGER
-- G BUILDING SITE MANAGER
### G MANAGERS can then have all the above manager Global groups as members, allowing any resource that all managers need to be granted by adding the G MANAGERS group to any Domain Local group
### G MANAGERS is a domain-specific group, and each child domain's G MANAGERS group can be combined into a single U MANAGERS universal group to encompass all managers across the entire forest

Note: with a lot of groups associated with a single user account, the following Microsoft KB article may be relevant:
New resolution for problems with Kerberos authentication when users belong to many groups (MaxTokenSize)
http://support.microsoft.com/kb/327825

"The more you know the more you realize the less you know" - MCB
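The "Templates" folder walkthrough from the post, scripted end to end as an added example (not the poster's own code). It assumes the RSAT ActiveDirectory module, a constructed domain CORP (corp.example) with a groups OU, and the group names exactly as the post gives them; the final loop is the "single view" of who has which access level, read from group membership alone.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# a constructed domain CORP (corp.example) with an OU for groups, and the post's
# folder \\fileserver\Shared\Templates. Names starting DL/G follow the post exactly.
Import-Module ActiveDirectory
$ou     = 'OU=Groups,DC=corp,DC=example'    # constructed placeholder OU
$domain = 'CORP'                             # constructed NetBIOS domain name
$folder = '\\fileserver\Shared\Templates'    # folder from the post's example

# DL: one Domain Local group per access level on the resource.
$dlModify = 'DL NTFS FILESERVER SHARED TEMPLATES MODIFY'
$dlRead   = 'DL NTFS FILESERVER SHARED TEMPLATES READ'
foreach ($name in $dlModify, $dlRead) {
    New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# G: Global groups named by business role, each nested into the DL group it needs.
$roles = [ordered]@{
    'G DOCUMENT CONTROL SPECIALISTS'       = $dlModify
    'G INTERNAL AUDITING SPECIALISTS'      = $dlRead
    'G RESEARCH AND DEVELOPMENT ENGINEERS' = $dlRead
    'G MARKETING SALES STAFF'              = $dlRead
}
foreach ($role in $roles.Keys) {
    New-ADGroup -Name $role -GroupScope Global -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $roles[$role] -Members $role
}

# P: replace the folder ACL with exactly the four entries the post lists.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)      # break inheritance, drop inherited ACEs
foreach ($rule in $acl.Access) { [void]$acl.RemoveAccessRule($rule) }
$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$entries = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @("$domain\$dlModify",      'Modify'),
    @("$domain\$dlRead",        'ReadAndExecute')
)
foreach ($e in $entries) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $e[1], $flags, 'None', 'Allow')))
}
Set-Acl -Path $folder -AclObject $acl

# Audit view: effective users per access level, derived from group membership alone.
foreach ($dl in $dlModify, $dlRead) {
    Get-ADGroupMember -Identity $dl -Recursive |
        Select-Object @{n='AccessGroup'; e={$dl}}, SamAccountName
}
```

Run it once from an account allowed to create groups in the OU and to change the folder's ACL; the audit loop at the end can be re-run on its own whenever you need the current "who has what" list.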