First off, that post on a light read almost seems to make it sound like
these are rules. At best they are initial guidelines to help people with
nowhere else to start. I wouldn't even call them best practices.
Overall, I tend to dislike the models. I don't feel they worked that
great in NT4 domains and still aren't that great for AD Domains.
The group nesting thing is something that has been coming back to bite
people when they do massive amounts of nesting and in most of the cases
I have seen, they really aren't needing any nesting.
If you want to overlay a sort of role based model over a resource based
model, then whip out those mechanisms and knock yourself out. However in
many cases, a simple resource based model is all that is needed and more
likely to follow LUA (Least User Access) guidelines.
For an example of both....
I have a share called PRs which is Performance Reviews. In a resource
based ACLing model, you create one or more local or domain local groups
that have permissions to that share, READ/WRITE/DELETE/CHANGE/ADD,
whatever granularity you need. Then you assign users directly to those
groups. You now easily know who has access and what kind of access they
have. It is very granular and no one should have access that they don't
need.
If you overlay a role based model on top of it, you will end up creating
another DLG or a GG for a role, say managers, and then add that group to
the LG or DLG. The person managing the LG or DLG has now lost any
control over who is in that group unless they also manage the role
group. And anyone in that role now has access to that group whether they
need it or not... Say you have a manager-level person who actually
doesn't perform PRs as they have no direct reports... Why should that
person have access to those files?
Group permissioning can be done in a mass of different ways. Don't get
stuck on the goofy nesting ideas unless you actually have to use them.
If you do use them, you will often find that too many people have too
much access and you more quickly start talking about token and Kerberos
bloat issues.
joe
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
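The PRs share scenario above, as an added example that is not part of the post: a small membership resolver over a constructed directory (group names, users, and the share ACL are all made up) that expands nested groups, reports who effectively has which access under the resource-based model versus the role-based overlay, flags the manager with no direct reports as over-provisioned, and counts the groups that would land in each user's token.

```python
# Constructed sample directory: group name -> set of direct members (users or groups).
# Resource-based model: users sit directly in the domain local groups on the ACL.
RESOURCE_MODEL = {
    "PRs-Read": {"alice", "bob"},
    "PRs-Change": {"alice"},
}
# Role-based overlay: a "Managers" global group is nested into the DLGs instead.
# carol is a manager with no direct reports who never performs reviews.
ROLE_MODEL = {
    "PRs-Read": {"Managers"},
    "PRs-Change": {"Managers"},
    "Managers": {"alice", "bob", "carol"},
}
# ACL on the PRs share: ACE group -> permissions granted by that ACE.
SHARE_ACL = {"PRs-Read": {"READ"}, "PRs-Change": {"READ", "WRITE", "DELETE"}}
NEEDS_PRS = {"alice", "bob"}  # the people who actually perform performance reviews


def expand_group(groups, name, seen=None):
    """Return the users that are transitive members of `name`.
    Members that are themselves groups are expanded; `seen` guards against
    nesting cycles (group A nested in B nested in A), which AD does permit."""
    seen = set() if seen is None else seen
    seen.add(name)
    users = set()
    for member in groups.get(name, ()):
        if member in groups:
            if member not in seen:
                users |= expand_group(groups, member, seen)
        else:
            users.add(member)
    return users


def effective_access(groups, share_acl):
    """Map each user to the union of permissions granted through every ACE group."""
    access = {}
    for ace_group, perms in share_acl.items():
        for user in expand_group(groups, ace_group):
            access.setdefault(user, set()).update(perms)
    return access


def over_provisioned(groups, share_acl, needed):
    """Users who hold access to the share but are not on the list of people who need it."""
    return set(effective_access(groups, share_acl)) - set(needed)


def token_groups(groups, user):
    """Every group the user is a transitive member of: a rough proxy for the group
    SIDs that end up in the user's access token, which is what nesting inflates."""
    return {g for g in groups if user in expand_group(groups, g)}
```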