Best Practices for Microsoft Windows Access Control

Microsoft provides tools to manage object ACLs and implement solid access control. A secure information system depends on a secure strategy. Best practices for access control center on solid planning and implementing a manageable approach to both subjects and objects. There are many schools of thought related to access control. One particular strategy provides clarity and security. The AGULP approach provides a method for managing any number of users predictably. AGULP may appear overly complex for smaller environments, but it really shines when there are many users in a network. AGULP is an acronym that stands for:

  • Accounts

  • Global groups

  • Universal groups

  • Local groups

  • Permissions

The idea behind AGULP is to systematically nest individual user accounts in groups so that securing objects can be done at the group level rather than per user. The first step is to create a separate user account for each user. Creating a separate account for each of a user's roles adds a further layer of security; in that case one person may hold more than one account. User accounts are then added to global groups according to their shared attributes. These attributes can be geographical or functional, such as manufacturing or human resources. Global groups are then added to universal groups, that is, groups whose membership can be drawn from any domain in Active Directory. Global groups and universal groups are then added to local groups on the computers that contain the resources you want to secure. This strategy avoids the need to add individual users to local groups. Finally, the permissions for secured resources, or objects, are defined for the local groups. The AGULP strategy allows you to reduce the number of ACLs for each resource. Regardless of the strategy you decide to use, avoid defining ACLs for individuals. Group-based ACLs are easier and more efficient to maintain.
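The nesting chain described above, worked through in PowerShell as an added example (not from the textbook). It assumes a domain `CORP` with an OU `OU=Groups,DC=corp,DC=example`, two existing accounts `alice` and `bob`, a file server folder `D:\Shares\HR-Reports`, and the RSAT ActiveDirectory and LocalAccounts modules; all of these names are assumptions.

```powershell
# Added example: AGULP nesting on Windows. Assumed names: domain CORP,
# OU "OU=Groups,DC=corp,DC=example", accounts alice/bob, folder D:\Shares\HR-Reports.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=corp,DC=example'

# A: individual accounts are assumed to exist already (CORP\alice, CORP\bob).

# G: global group keyed on a shared functional attribute (the HR department).
New-ADGroup -Name 'G-HR-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-HR-Staff' -Members 'alice', 'bob'

# U: universal group, usable from any domain in the forest; it holds the global group.
New-ADGroup -Name 'U-HR-Staff' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'U-HR-Staff' -Members 'G-HR-Staff'

# L: local group on the file server that owns the resource (run this part on that server).
New-LocalGroup -Name 'L-HR-Reports-Modify'
Add-LocalGroupMember -Group 'L-HR-Reports-Modify' -Member 'CORP\U-HR-Staff'

# P: the permission is granted once, to the local group; no per-user ACEs are written.
$path = 'D:\Shares\HR-Reports'
$acl  = Get-Acl -Path $path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'L-HR-Reports-Modify',
    'Modify',
    'ContainerInherit,ObjectInherit',   # apply to subfolders and files
    'None',
    'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the resulting ACL should list only groups, never individual user accounts.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -notmatch '^(BUILTIN|NT AUTHORITY)\\' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

A user who changes department is moved between global groups, and the folder's ACL never has to be touched.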
