
AGDLP

AGDLP is a role-based strategy designed to provide flexible resource management using groups. This video looks at how you can effectively use AGDLP in your company to manage permissions to your resources. Since AGDLP is designed for larger networks, it is generally used in networks that have more than 500 users. AGDLP can be used in multiple-domain environments but is generally used in a single-domain environment.

Advantages of AGDLP
Since AGDLP is a role-based strategy for applying permissions, when a user changes their role in an organization it is easy to change the permissions associated with that user by making them a member of the appropriate groups. Because users are put into groups at the role level, the administrator does not need to know how the permissions were applied to the resource. Lastly, by looking at the users in the groups, you can quickly determine who has access to which resources in your domain.

AGDLP
AGDLP stands for the following.

A for Accounts.

G for Global Group.

DL for Domain Local Group.

P for Permissions.

The basic way to use AGDLP is as follows:

Accounts go into Global Groups; Global Groups go into Domain Local Groups; Domain Local Groups are then granted Permissions on the resource.

The advantage to using each group is as follows:

Global Groups allow only users from the same domain to be members. This means that when using multiple domains, you can be assured that only users, computers and other Global Groups from that domain are members. This lets you force administration to be divided up between domains. If you did not use Global Groups, you could never be sure that an administrator from a domain is adding only users from that domain.

Domain Local Groups can only be used in the domain that the group was created in. This helps with auditing. If the group could be used in other domains, you could never be sure whether the group had been applied to resources outside your domain.

AGDLP can be used in a single-forest, single-domain environment and also in a multi-domain environment. It provides a framework, but the administrator is free to decide for themselves how best to implement a group strategy given their business environment.
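
The A, G, DL, P chain described above, as an added PowerShell example that is not part of the original lesson, followed by two audit checks for entries that bypass the chain. It assumes a single domain, the ActiveDirectory (RSAT) module and rights to create groups; the OU, share path, group names and account names are hypothetical.

```powershell
# Added example; every name below is a hypothetical placeholder.
Import-Module ActiveDirectory   # RSAT ActiveDirectory module

$ou        = 'OU=Groups,DC=example,DC=com'
$share     = 'D:\Shares\Finance'
$roleGroup = 'GG_Finance_Staff'          # G: one group per role
$permGroup = 'DL_FinanceShare_Modify'    # DL: one group per resource and access level

New-ADGroup -Name $roleGroup -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name $permGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou

# A -> G: accounts join the role group.
Add-ADGroupMember -Identity $roleGroup -Members 'asmith', 'bjones'
# G -> DL: the role group joins the permission group.
Add-ADGroupMember -Identity $permGroup -Members $roleGroup

# DL -> P: only the Domain Local Group appears on the resource ACL.
$domain  = Get-ADDomain
$trustee = "$($domain.NetBIOSName)\$permGroup"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $trustee, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Audit 1: explicit ACEs held by a principal of this domain that is not a
# Domain Local Group (a user or a Global Group placed directly on the ACL).
$domainSid = $domain.DomainSID.Value
(Get-Acl -Path $share).Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($sid -notlike "$domainSid-*") { return }   # skip built-in and well-known SIDs
    $group = Get-ADGroup -Filter "SID -eq '$sid'"
    if (-not $group -or $group.GroupScope -ne 'DomainLocal') {
        [pscustomobject]@{ Path = $share; Trustee = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
    }
}

# Audit 2: anything other than a group placed directly in the Domain Local Group.
Get-ADGroupMember -Identity $permGroup | Where-Object { $_.objectClass -ne 'group' }
```

Both audit commands return nothing when the share follows AGDLP; any object they emit is an access path that will not show up when you review role group membership.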

