To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
Languages
Recent
Show all languages
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

AGDLP

From Wikipedia, the free encyclopedia

AGDLP (an abbreviation of "account, global, domain local, permission") briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP (for "account, global, universal, domain local, permission") and AGLP (for "account, global, local, permission") summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.

YouTube Encyclopedic

  • 1/3
    Views:
    64 657
    3 450
    582
  • MCITP 70-640: Group Strategy AGDLP
  • AGDLP (IGDLA) Sharing Stratigy in Windows Server - Step-by-step (English)
  • AGDLP and AGUDLP

Transcription

Welcome to IT Free Training’s next free video. In this video I will look at the group strategy AGDLP. AGDLP is a role based strategy which when used in your organization can simplify day to day administration. Role based means that permissions are granted based on what role or roles the user has in the organization. Since it is a role based strategy, it does not require the administrator to have knowledge of how permissions have been assigned to the resources that are being controlled. This allows access for a user to be easily changed, for example, if they change jobs in the organization. Also, AGDLP provides easy auditing. If you want to know who has access to what, you simply need to look at who is a member of the group that provides that access. AGDLP is a strategy that is generally used in medium sized networks. Microsoft defines this as a network with greater than 500 users. This strategy is also mainly used in a single domain single forest environment, although it could be used throughout the forest. If you have a larger environment, the next video discusses another strategy that is often used in multiple domain environments. Both of the strategies are designed for large networks. If you are looking after a small network it may be better to keep things simple. As we will see in this video, the extra complexity this strategy adds to your network also adds additional flexibility. It is up to you to decide if your network is big enough and complex enough for the extra work to provide any real advantages. When looking at these group strategies they appear overly complicated at first and often difficult to understand. As I go through each part I will explain the reasoning behind the groups used. It is important to remember that different groups have different scopes, different availability and different membership requirements. For these reasons, group strategies like AGDLP which take advantage of each of the different groups’ characteristics. AGDLP works like this: accounts go into global groups which go into domain local groups which get applied to permissions. Seems overly complex, doesn’t it? Let’s start with the resource we want to allow access to and work our way back and see why each group is used. First you have the resource, in this case, let’s say a colour printer. You want to control who can use the color printer since color printing is expensive and you want to limit its use. Following this group strategy you would create a domain local group and apply it to the printer. Remember that domain local groups are only available in the domain that they are created in. In this strategy the domain local group is used to provide access to the resource. In this case I will call the group ColorPrintingAllowed. The advantage of using a domain local group for permissions like this is that you can be assured that the group will not be used in another domain. Why is this important? If your company decides to audit who has access to what, you can look inside the ColorPrintingAllowed group to determine who is able to print to the color printers in your domain. If the group was available for use in another domain by other administrators, you would not know what resources this group was used on and even if the group was used at all. In a moment this will make a lot more sense. The next group is the global group. A global group is created and put into the domain local group. In this case I will call the group SalesUsers. I could also create another group called MarketingUsers and put this group in the domain local group ColorPrintingAllowed. Remember that global groups only allow users, computers and other global groups to be put in them that come from the domain that the global group was created in. This may seem like a limitation but let’s consider what we have done when the permissions for the color printers are audited. We can now say with confidence that only sales and marketing users from this company have access to the color printers. Why? Because the global group contains only users from the domain they are created in so we know by design another user from another domain could not be put into this group. We also know that the domain local group scope is limited to only this domain and thus can only be used on resources in this domain. We can say with confidence that the domain local group has not been used in another domain. This is important because when audited you want to be able to say with confidence who has access to what. Some of you may be thinking, “In a single domain single forest, could I not just use other group types? For example, could I not just use all the same type of groups? Using only domain local groups would work; however, you could never be sure that only users from your domain are being put into the domain local group. Today you may have one domain and one forest so you can say this, but tomorrow another domain may be added either to the forest or as an external domain and you will not be able to say this with confidence unless you check the membership of each group. The next point is could you use only use global groups. This is possible as well, but this would limit access to the resource to only members from that domain. At present you may only have the one domain, but if another domain is added later this will limit you. Also remember that global groups only allow other global groups from the same domain to be used as members in that group. That is, if you were using domain local group or universal group in that domain, you could not use these groups to grant access to the resource. In order to get global groups to work, you would need to use only global groups. To put it simply, if you use only global groups, you could only use global groups and you could not provide access to users outside your domain. The next question is could you use universal groups? The answer is yes you could. Universal groups are replicated to all global catalog servers in the forest. This means that as soon as you use a universal group you require access to a global catalog server. If all your domain controllers are global catalog servers this won’t present a problem. If all your domain controllers are not global catalog servers, in order to work out group membership, a global catalog server needs to be contacted and if the global catalog server is over a WAN link this will slow everything down. You can see that if you use the wrong groups in a single domain single forest environment Active Directory is fairly forgiving. Let’s look at what happens when I add an extra domain in the mix and use AGDLP. If you wanted to provide access to a user or group from another domain the only place this could be added would be the domain local group. Following the strategy let’s say that the sales global group from the High Costing Training domain is added to the domain local group that controls color printing access. When it comes time to audit who has access to color printing, we now know that sales and marketing from this domain and also the sales staff from high cost training domain are able to use the color printers. You can see that AGDLP can be used in a single domain and multiple domain environment to control access. Access can be quickly changed and audited. Let’s review what was covered in this video. AGDLP is a group strategy that can be used in your organization to simplify group administration. It is a role based authorization strategy so permissions are assigned to users based on their role in the organization. Using role based authorization makes it simple to change permissions when a user requires different permissions. Using AGDLP, accounts are placed into global groups. Global groups allow membership only from users and computers in that domain and other global groups in that domain. This means that when the group is used in your organization you can say with confidence that only users from your domain are in that group. Global groups are placed into domain local groups. Domain local groups can only be used in the domain that they were created in. Thus you can say with confidence that the group is only being used to provide access to resources in that domain. Domain local group also allows users, computers, global groups and universal groups to be added from other domains. This allows easy auditing of the group. If you want to know who has access to a particular resource, look at the members of the domain local group and this will tell you. Lastly the domain local group is assigned to the resource. For example if you had a public share, you could create two groups called Public_Share_Read and Public_Share_Modify. If you were now asked who had access to the public share, you look inside these groups and can say which groups have access. If the sales group was in the read only group and needed modify access, you could simply move the sales group from the read group to the modify group. Notice that using this approach does not require the administrator to have any knowledge of which servers the public shares are located on. In the next video I will look at another group strategy called AGUDLP. If you have not guessed already, this is the same strategy but uses universal groups as well. This strategy is used in a multi-domain environment. Using universal groups gives you some additional flexibility and features that are not available using AGDLP. As always, thanks for watching.

Details

Role based access controls (RBAC) simplify routine account management operations and facilitate security audits.[1] System administrators do not assign permissions directly to individual user accounts. Instead, individuals acquire access through their roles within an organization, which eliminates the need to edit a potentially large (and frequently changing) number of resource permissions and user rights assignments when creating, modifying, or deleting user accounts. Unlike traditional access control lists, permissions in RBAC describe meaningful operations within a particular application or system instead of the underlying low-level data object access methods. Storing roles and permissions in a centralized database or directory service simplifies the process of ascertaining and controlling role memberships and role permissions.[2] Auditors can analyze permissions assignments from a single location without having to understand the resource-specific implementation details of a particular access control.

RBAC in a single AD domain

Microsoft's implementation of RBAC leverages the different security group scopes featured in Active Directory:[3][4]

Global security groups
Domain security groups with global scope represent business roles or job functions within the domain. These groups may contain accounts and other global groups from the same domain, and they can be used by resources in any domain in the forest. They can be changed frequently without causing global catalog replication.
Domain local security groups
Domain security groups with domain local scope describe the low-level permissions or user rights to which they are assigned. These groups can only be used by systems in the same domain. Domain local groups may contain accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Global groups that represent business roles should contain only user or computer accounts. Likewise, domain local groups that describe resource permissions or user rights should contain only global groups that represent business roles. Accounts or business roles should never be granted permissions or rights directly, as this complicates subsequent rights analysis.

RBAC in AD forests

In multi-domain environments, the different domains within an AD forest may only be connected by WAN links or VPN connections, so special domain controllers called global catalog servers cache certain directory object classes and attribute types in order to reduce costly or slow inter-domain directory lookups.[5] Objects cached by the global catalog servers include universal groups but not global groups, making membership look-ups of universal groups much faster than similar queries of global groups. However, any change to a universal group triggers (potentially expensive) global catalog replication, and changes to universal groups require forest-wide security rights inappropriate in most large enterprises. These two limitations prevent universal security groups from completely replacing global security groups as the sole representatives of an enterprise's business roles. Instead, RBAC implementations in these environments use universal security groups to represent roles across the enterprise while retaining domain-specific global security groups, as illustrated by the abbreviation AGUDLP.

RBAC in non-AD domains

Domains in Windows NT 4.0 and earlier only have global (domain-level) and local (non-domain) groups and do not support group nesting at the domain level.[6] The abbreviation AGLP refers to these limitations as applied to RBAC implementations in older domains: Global groups represent business roles, while local groups (created on the domain member servers themselves) represent permissions or user rights.

Example

Given a shared folder, \\nyc-ex-svr-01\groups\bizdev; a business development group within the organization's marketing department, represented in Active Directory as the (existing) global security group "Business Development Team Member"; and a requirement that the entire group have read/write access to the shared folder, an administrator following AGDLP might implement the access control as follows:

  1. Create a new domain local security group in Active Directory named "Modify permission on \\nyc-ex-svr-01\groups\bizdev".
  2. Grant that domain local group the NTFS "Modify" permission set (read, write, execute/modify, delete) on the "bizdev" folder. (Note that NTFS permissions are different from share permissions.)
  3. Make the global group "Business Development Team Member" a member of the domain local group "Change permission on \\nyc-ex-svr-01\groups\bizdev".

To highlight the advantages of RBAC using this example, if the Business Development Team required additional permissions on the "bizdev" folder, a system administrator would only need to edit a single access control entry (ACE) instead of, in the worst case, editing as many ACEs as there are users with access to the folder.

References

  1. ^ Ferraiolo, D.F.; Kuhn, D.R. (October 1992). "Role Based Access Control" (PDF). 15th National Computer Security Conference. pp. 554–563.
  2. ^ Sandhu, R.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. (August 1996). "Role-Based Access Control Models" (PDF). IEEE Computer. 29 (2): 38–47. CiteSeerX 10.1.1.50.7649. doi:10.1109/2.485845. S2CID 1958270.
  3. ^ Microsoft Corporation (2007-03-16). "Group Scopes: Active Directory". Microsoft Technet. Archived from the original on 14 March 2009. Retrieved 2009-04-28.
  4. ^ Melber, Derek (2006-05-18). "How to Nest Users and Groups for Permissions". WindowsSecurity.com. Retrieved 2009-04-28.
  5. ^ Microsoft Corporation (2005-01-21). "Understanding the Global Catalog: Active Directory". Microsoft Technet. Retrieved 2005-10-21.
  6. ^ Stanek, William R. "Understanding User and Group Accounts". Microsoft Technet. Archived from the original on 27 April 2009. Retrieved 2009-04-28.
This page was last edited on 23 July 2023, at 00:51
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy