
Assigning Permissions - AGDLP


It seems I have been mildly distracted away from the title of this blog site.  It does say AD Admin, but I seem to have been taken away by file system stuff.  I have to say, it has all been worthwhile, but it’s probably time I got back to the real heart of what I do.

There are probably a million permission assigning advice pages, but I thought I would put another one out there after referring to AGDLP in my last post.

So, what is AGDLP all about?  Well, it is something I learned in my MCSE 2003 studies and it has become ingrained in my ideals since.  As a contractor, I get to move jobs often.  This lets me form opinions on how to configure things in a domain, and more importantly on how NOT to configure things.

AGDLP is definitely on the to-do list for anyone running a domain or forest of any size, as it follows some very basic principles.  I will explain these as I go through what AGDLP stands for.


A is for account.  It is the security principal that you log in with.  It is the service account that runs a scheduled task on a server.  It is the computer object in AD.


G is for Global Group.  Basic principle number 1 is: represent your user base by a group wherever you can.  If one person in sales needs access to a drive, then most likely the others should have access too.


DL is for Domain Local Group.  In the same way that a group represents users, so should a group represent resources.  All access is given to the domain local group, ensuring that junior administrators never need to touch the ACL on a drive etc.; they only have to add an object (a Global Group) to a Domain Local Group.


P is for Permission.  As mentioned in DL, permissions are assigned to the DL so that the ACL on an object is as simple as possible.


So, let's walk through an example of this.

John is part of the sales group and the sales people have just been given a huge new server with loads of storage for brochure PDFs.  John is working with the IT team to get everything set up for access for the whole team.

It has been decided that the Global Group “Sales – All Staff” (of which John is a member) is the best representation of the users that need access to the new drive.

A new file share has been created on the server, and a Domain Local group called “Sales Brochures – Modify” has been created and assigned Read and Modify NTFS permissions on the file system, along with Read and Change share permissions.

Whilst there, the IT guys also created a “Sales Brochures – Read” Domain Local group and gave it Read on both the NTFS and the share permissions.

So the A-G-DL-P looks like this:

Account (A) | Global Group (G)  | Domain Local (DL)        | Permissions (P)
------------|-------------------|--------------------------|------------------------------
John        | Sales – All Staff | Sales Brochures – Modify | Change on share, Modify on NTFS
(none yet)  | (none yet)        | Sales Brochures – Read   | Read on share, Read on NTFS

There isn’t yet an A and a G for the read-only group, but it is now very simple to give anyone read access: add their Global Group to “Sales Brochures – Read” and nothing on the server has to change.
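Here is the walkthrough above written out in PowerShell.  This is an added example, not script from the original post: it uses the ActiveDirectory and SmbShare modules, and the domain name, OU, share path, share name and sAMAccountNames are all assumed placeholders.

```powershell
# Added example: provisioning the A-G-DL-P chain from the walkthrough.
# Domain name, OU, share path and sAMAccountNames are assumed placeholders.
Import-Module ActiveDirectory
Import-Module SmbShare

$domain    = 'EXAMPLE'                       # assumed NetBIOS domain name
$groupOU   = 'OU=Groups,DC=example,DC=com'   # assumed OU that holds the groups
$sharePath = 'D:\Shares\Brochures'           # assumed local path on the file server
$shareName = 'Brochures'                     # assumed share name

# A: the account. John is assumed to have the sAMAccountName 'jsmith'.
$account = 'jsmith'

# G: a Global Group that represents the user population.
$globalGroup = New-ADGroup -Name 'Sales - All Staff' -SamAccountName 'Sales-AllStaff' `
    -GroupScope Global -GroupCategory Security -Path $groupOU -PassThru
Add-ADGroupMember -Identity $globalGroup -Members $account

# DL: two Domain Local Groups that represent the resource, one per access level.
$dlModify = New-ADGroup -Name 'Sales Brochures - Modify' -SamAccountName 'SalesBrochures-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU -PassThru
$dlRead   = New-ADGroup -Name 'Sales Brochures - Read' -SamAccountName 'SalesBrochures-Read' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupOU -PassThru

# The only step a junior admin ever has to repeat: nest G into DL.
# (The Read group is left empty, as in the walkthrough.)
Add-ADGroupMember -Identity $dlModify -Members $globalGroup

# P: permissions go on the Domain Local Groups only, never on users or Global Groups.
# In a real domain, wait for the new groups to replicate to the DC the file
# server uses before the names below can be resolved to SIDs.
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

# Share permissions: Change for the Modify group, Read for the Read group.
New-SmbShare -Name $shareName -Path $sharePath `
    -ChangeAccess "$domain\SalesBrochures-Modify" `
    -ReadAccess   "$domain\SalesBrochures-Read" | Out-Null

# NTFS permissions: Modify (which includes Read) for one group, ReadAndExecute
# for the other, inherited by subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\SalesBrochures-Modify", 'Modify', $inherit, $propagate, 'Allow')))
$acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\SalesBrochures-Read", 'ReadAndExecute', $inherit, $propagate, 'Allow')))
Set-Acl -Path $sharePath -AclObject $acl
```

Note that the ACL on the folder and on the share ends up with exactly two domain entries, both Domain Local groups; everything about who those people are lives in AD, where it can be changed without touching the server.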

For those who are interested in what the difference is between a domain local and a global group (something that confused me for a long time) I’ll cover that off in the next blog post.

It’s a very simple process, but one that is often ignored.  I urge security administrators everywhere to follow it!
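Because the model is so often ignored, it is worth being able to check a folder against it.  The function below is an added example (not from the original post) that reports every explicit ACE on a folder that is not a Domain Local group, and every Domain Local group that has accounts nested directly instead of a Global Group.  It assumes the ActiveDirectory module; the path and domain name in the usage line are placeholders.

```powershell
# Added example: audit a folder's explicit ACL against A-G-DL-P.
# Path and NetBIOS domain name are assumed placeholders.
Import-Module ActiveDirectory

function Test-AgdlpAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DomainNetbios
    )
    $findings = @()
    $acl = Get-Acl -Path $Path

    foreach ($ace in $acl.Access) {
        # Inherited entries were set on a parent; audit that folder instead.
        if ($ace.IsInherited) { continue }

        $name = $ace.IdentityReference.Value
        if ($name -notlike "$DomainNetbios\*") {
            # BUILTIN\, NT AUTHORITY\, CREATOR OWNER etc. sit outside the model; list for review.
            $findings += [pscustomobject]@{ Identity = $name; Finding = 'Not a domain principal; review manually' }
            continue
        }

        $sam   = $name.Split('\')[1]
        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
        if (-not $group) {
            # A user or computer was put straight on the ACL: the A-P shortcut.
            $findings += [pscustomobject]@{ Identity = $name; Finding = 'Permission assigned directly to a user or computer' }
            continue
        }
        if ($group.GroupScope -ne 'DomainLocal') {
            # A Global or Universal group on the ACL: the G-P shortcut.
            $findings += [pscustomobject]@{ Identity = $name; Finding = "Permission assigned to a $($group.GroupScope) group; expected DomainLocal" }
            continue
        }

        # DL group found: its direct members should be groups (the G layer), not accounts.
        $direct = Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -ne 'group' }
        foreach ($m in $direct) {
            $findings += [pscustomobject]@{ Identity = $name; Finding = "Account '$($m.SamAccountName)' is a direct member; nest a Global Group instead" }
        }
    }
    return $findings
}

# Usage (assumed path and domain). No output means the folder follows A-G-DL-P.
Test-AgdlpAcl -Path 'D:\Shares\Brochures' -DomainNetbios 'EXAMPLE' | Format-Table -AutoSize
```

Run it against the share root only; anything inherited further down is reported where it was actually set.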




  1. Hello Adam,

    Sorry for posting here, but I didn't find a better place to ask a question. I have reviewed all your blog posts and your AADSites PowerShell Management Pack but didn't find the solution for the problem I need to solve.

    I need to programmatically grant permission to a user and computer to an Active Directory site. Manually it's easy to do via "Active Directory Sites and Services".

    I have browsed the entire Internet and didn't find a right way to do that... I don't know if it's possible via PowerShell? Or do I need to use WMI to achieve it?

    Any suggestion on how to solve it will be appreciated.

    Kind regards
    Michal Sporek

    1. There are specific .NET classes to deal with AD permissions which should work with sites too. They are, after all, just objects like users or computers, just of a different type. I have some functions around this; I will try to publish them in due course to see if it helps.



