A company is standardizing how it grants file-share permissions on Windows Server 2022 hosts. The systems administrator decides to follow Microsoft's AGDLP model to simplify future audits. A global security group named ENG_Designers already contains every engineer who should read the share \\FS01\DesignDocs. Which action should the administrator take next before applying NTFS permissions to the folder?
Nest ENG_Designers inside a universal security group and assign the NTFS Read permission to that universal group on the folder.
Assign the NTFS Read permission directly to the ENG_Designers global group on the folder and document the change for auditors.
Create a domain-local security group such as FS01_DesignDocs_R, add ENG_Designers to it, and then assign Read permission to the domain-local group on the folder.
Add each member of ENG_Designers to the local Administrators group on FS01 so they inherit access to the folder.
The AGDLP (Accounts → Global groups → Domain Local groups → Permissions) strategy keeps user accounts and resource permissions in separate layers. After placing accounts in a Global group (ENG_Designers), the correct next step is to create a Domain Local group that represents the specific resource (for example, FS01_DesignDocs_R). The global group is added as a member of this domain-local group, and only the domain-local group is given the NTFS Read permission on the shared folder.
Using a universal group is unnecessary in a single-domain design and adds replication overhead. Granting permissions directly to the global group (or to individual user or local Administrator accounts) breaks the AGDLP model and makes future administration and audits more difficult.
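The three steps the explanation describes (create the domain-local group, nest the global group in it, grant the NTFS permission only to the domain-local group), followed by the audit check the model is meant to make easy, as an added PowerShell example that is not part of the original question. The OU distinguished name and the local folder path behind the share are assumptions; it expects the ActiveDirectory RSAT module and rights to modify the folder's ACL.

```powershell
# Added example: AGDLP for \\FS01\DesignDocs on a Windows Server 2022 file server.
# Assumed values: $GroupOU and $FolderPath are placeholders for this environment.
Import-Module ActiveDirectory

$GlobalGroup      = 'ENG_Designers'                        # A -> G: already populated
$DomainLocalGroup = 'FS01_DesignDocs_R'                    # named for resource + access level
$GroupOU          = 'OU=ResourceGroups,DC=example,DC=com'  # assumed OU
$FolderPath       = 'D:\Shares\DesignDocs'                 # assumed local path of the share

# G -> DL: create the domain-local security group for this one resource (idempotent)
if (-not (Get-ADGroup -Filter "Name -eq '$DomainLocalGroup'")) {
    New-ADGroup -Name $DomainLocalGroup -GroupScope DomainLocal -GroupCategory Security `
        -Path $GroupOU -Description 'Read access to \\FS01\DesignDocs'
}
Add-ADGroupMember -Identity $DomainLocalGroup -Members $GlobalGroup

# DL -> P: grant NTFS Read to the domain-local group only, inherited by files and subfolders
$acl  = Get-Acl -Path $FolderPath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$env:USERDOMAIN\$DomainLocalGroup",
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Audit check: list every explicit (non-inherited) ACE on the folder and flag any
# whose principal is not a domain-local group, i.e. a direct user grant, a global
# group, or a local account, which are the cases that break the AGDLP model.
(Get-Acl -Path $FolderPath).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $name  = $_.IdentityReference.Value.Split('\')[-1]
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Rights   = $_.FileSystemRights
            Scope    = if ($group) { $group.GroupScope } else { 'NotADGroup' }
            AGDLP_OK = [bool]($group -and $group.GroupScope -eq 'DomainLocal')
        }
    } | Format-Table -AutoSize
```

Share permissions on \\FS01\DesignDocs are configured separately from the NTFS ACL above; the effective right is the more restrictive of the two.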