Questions about AGDLP implementation

I am a little confused about the AGDLP implementation process. Here's my setup:

I have an OU named sales with 10 users accounts. I place the the user accounts into a global group (called sales_accounts), then I place that group into a domain local group (called sales_permissions), then I go to to my shared folder called sales. Then I click the permissions button on the shared tab and add the sales_permissions group to the shared permissions.

Is my setup correct?

Find more posts tagged with

SAVE $250 on Your Microsoft Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Microsoft Boot Camps

Comments

RobertKaucher

The Shadow wrote: »

I am a little confused about the AGDLP implementation process. Here's my setup:

I have an OU named sales with 10 users accounts. I place the the user accounts into a global group (called sales_accounts), then I place that group into a domain local group (called sales_permissions), then I go to to my shared folder called sales. Then I click the permissions button on the shared tab and add the sales_permissions group to the shared permissions.

Is my setup correct?

Yes, but you would also grand NTFS permissions to the domain local group as well.

Do you understand why AGLP is a best practice?

The Shadow

Thanks Robert for helping me out. I added the NTFS permissions to the domain local group. Yes, I understand the why its best to use the AGLP. Given my setup, if I didn't use the AGLP, I would have to give the user accounts direct access to the shard folder (and any other resources), verses placing the use accounts into a group and giving the group access to the resources.

Super99

Here's what helped me.

http://www.laboratoire-microsoft.org/articles/win/groupes/images/agudlp.jpg