Advanced Group Policy Object Management 4.0


Why do you need Advanced Group Policy Management (AGPM)? If you are a midsize or large organization with several Group Policy administrators across multiple sites, everybody plays their part in Group Policy administration, but without proper control over who does what you end up in a real mess in the production environment. In this scenario, AGPM provides role-based GPO management: who can review, edit, approve and deploy Group Policy objects. AGPM also plays an integral part in the change control practice of your organization. AGPM can improve GPO deployment and provide better management within the IT department. You can use AGPM to track each version of each GPO and its history, just as application developers use version control to track source code. AGPM can be found in the Microsoft Desktop Optimization Pack (MDOP). A generic GPO deployment process using AGPM is as follows.


AGPM consists of a server component (the AGPM Service) and a client component (the AGPM snap-in). You have to install Microsoft Advanced Group Policy Management – Server on a system that has access to the policies that you want to manage; you can install it on a domain controller. The AGPM Client is installed on any system from which Group Policy administrators will review, edit, and deploy GPOs. AGPM provides advanced change control features that help you manage the lifecycle of GPOs. The following is the Change Control view of AGPM.


The following steps are necessary to change and deploy a GPO:

  • Check out the GPO from the archive.
  • Edit the GPO as necessary.
  • Check in the GPO to the archive.
  • Deploy the GPO to production.

A controlled GPO cannot be changed by any GPO administrator at any time without prior approval. AGPM keeps a history of changes for each GPO, as shown in the screenshot.


You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.


Role-Based Delegation: Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown in the delegation model below.


Role        View   Compare   Edit   Create   Approve   Deploy
Reviewer    ✓      ✓         ×      ×        ×         ×
Editor      ✓      ✓         ✓      ✓        ×         ×
Approver    ✓      ✓         ✓      ✓        ✓         ✓

(× marks an action the role cannot perform.)

Cross-Forest Management: AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:

  • Export the GPO from domain A in the first forest to a CAB file, by using AGPM.
  • Import the GPO into the archive in domain B in the second forest, by using AGPM.

When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.

Install AGPM Server: Computers on which you want to install AGPM must meet the following requirements, and you must be a domain admin to create AGPM roles. If you have AGPM 3.0 installed, you do not have to upgrade the operating system before you upgrade to AGPM 4.0. The AGPM Server requirements are as follows.

  • GPMC Features for Windows Server 2008 R2 or Windows Server 2008
  • Remote Server Administration Tools for Windows 7
  • WCF Activation; Non-HTTP Activation
  • Windows Process Activation Service
  • Process Model
  • .NET 3.5 SP1 Environment
  • Configuration APIs

You can install AGPM Server on the member server or domain controller that will run the AGPM Service, and then you configure the archive. All AGPM operations are managed through this Windows service and are executed with the service's credentials. The archive managed by an AGPM Server can be hosted on that server or on another server in the same forest. Log on with an account that is a member of the Domain Admins group. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Server.

In the Welcome dialog box>click Next>accept the terms and then click Next.


In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.


In the AGPM Service Account dialog box, select a service account under which the AGPM Service will run and then click Next. This account must be a member of either the Domain Admins group or, for a least-privilege configuration, the following groups in each domain managed by the AGPM Server: Group Policy Creator Owners and Backup Operators.

In the Port Configuration dialog box, type a port on which the AGPM Service should listen. Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.


Click Install, and then click Finish to exit the Setup Wizard.

Important! Do not change settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing this can prevent the AGPM Service from starting.

Install AGPM Client: AGPM Client 4.0 requires Windows Server 2008 R2, Windows Server 2008 or Windows 7 and the GPMC from RSAT. Both 32-bit and 64-bit versions are supported. AGPM Client can be installed on a computer that is running AGPM Server. The AGPM Client prerequisites are as follows.

Before you begin this scenario, create four user accounts for AGPM Administrator (Full Control), Approver, Editor, and Reviewer. These accounts must be able to send and receive e-mail messages. Assign Link GPOs permission to the accounts that have the AGPM Administrator, Approver and Editor roles.

Each Group Policy administrator (anyone who creates, edits, deploys, reviews, or deletes GPOs) must have AGPM Client installed on the computers that they use to manage GPOs. For this scenario, you install AGPM Client on at least one computer. You do not need to install AGPM Client on the computers of end users who do not perform Group Policy administration. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Client.


In the Welcome dialog box, click Next>accept the terms and then click Next>select a location in which to install AGPM Client. Click Next.


In the AGPM Server dialog box, type the DNS name or IP address for the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions. Click Next.


In the Languages dialog box, select one or more display languages to install for AGPM Client.


Click Install>click Finish to exit the Setup Wizard.

To configure an AGPM Server connection for all GPO administrators

On a computer on which you have installed AGPM Client, log on with the user account that you selected as the Archive Owner. Click Start>point to Administrative Tools>click Group Policy Management to open the GPMC.

In the details pane, double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port (for example, MicrosoftGURU.com.au:4600) of the server hosting the archive. Click OK, and then close the Group Policy Management Editor window.


Configure e-mail notification: As an AGPM Administrator (Full Control), you can designate the e-mail addresses of Approvers and AGPM Administrators to whom an e-mail message containing a request is sent when an Editor tries to create, deploy, or delete a GPO. In the details pane, click the Domain Delegation tab. In the From e-mail address field, type the e-mail address for the user account to which you intend to assign the Approver role, and then type a valid SMTP mail server. In the User name and Password fields, type the credentials of a user who has access to the SMTP service. Click Apply.


To delegate access to all GPOs throughout a domain: On the Domain Delegation tab>click the Add button>select the user account from the domain>select the GPO Role Editor>click OK. Repeat the process for the Reviewer and Approver roles.

Create a GPO: In an environment that has multiple Group Policy administrators, those with the Editor role can request that new GPOs be created. However, that request must be approved by someone with the Approver role.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the Editor role in AGPM. In the Group Policy Management Console tree, click Change Control in the domain in which you want to manage GPOs. Right-click the Change Control node>click New Controlled GPO.

Click Submit. The new GPO is displayed on the Pending tab.

To approve the pending request to create a GPO

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Approver in AGPM. Open the e-mail inbox for the account, and notice that you have received an e-mail message from the AGPM alias with the Editor’s request to create a GPO.

In the Group Policy Management Console tree, click Change Control in the domain in which you want to manage GPOs. On the Contents tab>click the Pending tab to display the pending GPOs. Right-click the pending GPO>click Approve. Click Yes to confirm approval and move the GPO to the Controlled tab.

Edit a GPO: You can use GPOs to configure computer or user settings and deploy them to many computers or users. In this step, you use an account that has the Editor role to check out a GPO from the archive, edit the GPO offline, check the edited GPO into the archive, and request deployment of the GPO to the production environment. For this scenario, you configure a setting in the GPO to require that the password be at least eight characters long.

On a computer on which you have installed AGPM Client, log on with a user account that has the role of Editor in AGPM. In the Group Policy Management Console, click Change Control in the domain in which you want to manage GPOs. On the Contents tab in the details pane>click the Controlled tab to display the controlled GPOs. Right-click the managed GPO>click Check Out>type a comment>click OK>click Close.

To request the deployment of the GPO to the production environment: on the Controlled tab, where the state of the GPO is identified as Checked In, right-click the managed GPO>click Deploy.

Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.

When the AGPM Progress window indicates that overall progress is complete, click Close. MyGPO is displayed on the list of GPOs on the Pending tab.

Review and deploy a GPO: In this step, you act as an Approver, creating reports and analyzing the settings and changes to settings in the GPO to determine whether you should approve them. After you evaluate the GPO, you deploy it to the production environment and link the GPO to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.

Open the e-mail inbox for the account and notice that you have received an e-mail message from the AGPM alias with an Editor’s request to deploy a GPO. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab in the details pane>click the Pending tab>double-click a single managed GPO to display its history. Review the settings in the most recent version of the GPO.

To deploy the GPO to the production environment

On the Pending tab, right-click a single managed GPO and then click Approve.

Type a comment to include in the history of the GPO>Click Yes. When the AGPM Progress window indicates that overall progress is complete, click Close.

To link the GPO to a domain or organizational unit

In the GPMC, right-click either the domain or an organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. In the Select GPO dialog box>click selected GPO>click OK.

Use a template to create a GPO: In this step, you use an account that has the Editor role to create and use a template. That template is a static version of a GPO for use as a starting point for creating new GPOs. Although you cannot edit a template, you can create a new GPO based on a template. Templates are useful for quickly creating multiple GPOs that include many of the same policy settings.

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. In the Group Policy Management Console tree, click Change Control in the domain in which you want to manage GPOs.

On the Contents tab in the details pane>click the Controlled tab>right-click a single GPO>click Save as Template to create a template incorporating all settings currently in the GPO.

Type a name for the template and a comment, then click OK>click Close. To request that a new GPO be created and managed through AGPM, click the Controlled tab>right-click the Change Control node>click New Controlled GPO.

In the New Controlled GPO dialog box, type your e-mail address in the Cc field. Type the name for the new GPO. Type a comment for the new GPO.

Click Create live so that the new GPO will be deployed to the production environment immediately upon approval.

In the From GPO template list, select the template>click Submit>click Close. The new GPO is displayed on the Pending tab.

To check the GPO out from the archive for editing

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Editor in AGPM. Right-click the GPO>click Check Out>type a comment to be displayed in the history of the GPO while it is checked out>click OK>click Close. On the Controlled tab, the state of the GPO is identified as Checked Out.

To edit the GPO offline and configure the account lockout duration

On the Controlled tab>right-click the GPO>click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO. For this scenario, configure the account lockout duration:

Under Computer Configuration>double-click Policies>click Windows Settings>click Security Settings>click Account Policies>click Account Lockout Policy.

In the details pane, double-click Account lockout duration. In the properties window, check Define this policy setting, set the duration to 30 minutes, and then click OK.

Close the Group Policy Management Editor window.

To compare a GPO to another GPO and to a template

To compare Test GPO1 and Test GPO2: on the Controlled tab, click Test GPO1, press CTRL and click Test GPO2. Right-click Test GPO2, point to Differences, and then click HTML Report.
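AGPM's difference report is only available through the AGPM snap-in. The following PowerShell script is an added example that is not part of the original post and not AGPM code: it reproduces the comparison with the GroupPolicy module's Get-GPOReport by flattening two XML reports into "path = value" lines and diffing them, so it also serves the version-comparison and history discussion earlier (a saved gpreport.xml from a Backup-GPO folder can stand in for an older version), and it pulls the password and account lockout values that the edit scenarios above configure. It assumes RSAT GPMC with the GroupPolicy module is installed; the GPO names and file path are example values, and the Get-GpoReportXml, Expand-XmlLeaves, Compare-GpoSettings and Get-GpoAccountPolicy functions are this example's own.

```powershell
# Added example (not from the original post, not AGPM code): diff two GPOs, or a
# GPO against a saved report, with the GroupPolicy module. Assumes RSAT GPMC.
Import-Module GroupPolicy

function Get-GpoReportXml {
    # $Source is either a GPO display name or the path of a saved XML report
    # (for example the gpreport.xml inside a Backup-GPO folder).
    param([Parameter(Mandatory=$true)][string]$Source)
    if (Test-Path -LiteralPath $Source) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load((Resolve-Path -LiteralPath $Source).ProviderPath)
        return $doc
    }
    return [xml](Get-GPOReport -Name $Source -ReportType Xml)
}

function Expand-XmlLeaves {
    # Recursively emit "path = value" for every leaf element. LocalName is used so
    # the per-extension namespace prefixes (q1:, q2:, ...) never reach the diff.
    param([System.Xml.XmlNode]$Node, [string]$Path)
    $skip = @('VersionDirectory', 'VersionSysvol')   # change on every edit, not settings
    $children = @($Node.ChildNodes | Where-Object {
        $_.NodeType -eq 'Element' -and $skip -notcontains $_.LocalName })
    if ($children.Count -eq 0) {
        $text = $Node.InnerText.Trim()
        if ($text) { "$Path = $text" }
        return
    }
    foreach ($child in $children) {
        Expand-XmlLeaves -Node $child -Path "$Path/$($child.LocalName)"
    }
}

function Get-GpoSettingLines {
    param([Parameter(Mandatory=$true)][string]$Source)
    $doc = Get-GpoReportXml -Source $Source
    foreach ($scope in 'Computer', 'User') {
        $node = $doc.GPO.$scope
        if ($node -is [System.Xml.XmlNode]) { Expand-XmlLeaves -Node $node -Path $scope }
    }
}

function Compare-GpoSettings {
    # Lines present on one side only are the settings that were added, removed
    # or changed between the two sources.
    param([Parameter(Mandatory=$true)][string]$ReferenceSource,
          [Parameter(Mandatory=$true)][string]$DifferenceSource)
    $ref = @(Get-GpoSettingLines -Source $ReferenceSource)
    $dif = @(Get-GpoSettingLines -Source $DifferenceSource)
    if ($ref.Count -eq 0) { $ref = @('(no settings)') }   # Compare-Object rejects empty arrays
    if ($dif.Count -eq 0) { $dif = @('(no settings)') }
    Compare-Object -ReferenceObject $ref -DifferenceObject $dif | ForEach-Object {
        $side = if ($_.SideIndicator -eq '=>') { $DifferenceSource } else { $ReferenceSource }
        New-Object PSObject -Property @{ OnlyIn = $side; Setting = $_.InputObject }
    }
}

function Get-GpoAccountPolicy {
    # Password and lockout policy entries (MinimumPasswordLength, LockoutDuration, ...)
    # from the Computer security-settings extension of the report.
    param([Parameter(Mandatory=$true)][string]$Source)
    $doc = Get-GpoReportXml -Source $Source
    foreach ($acct in $doc.SelectNodes("//*[local-name()='Computer']//*[local-name()='Account']")) {
        $value = $acct.SelectSingleNode("*[local-name()='SettingNumber']")
        if (-not $value) { $value = $acct.SelectSingleNode("*[local-name()='SettingBoolean']") }
        New-Object PSObject -Property @{
            Setting = $acct.SelectSingleNode("*[local-name()='Name']").InnerText
            Value   = $(if ($value) { $value.InnerText } else { $null })
            Type    = $acct.SelectSingleNode("*[local-name()='Type']").InnerText
        }
    }
}

# Usage (GPO names and path are examples):
Compare-GpoSettings -ReferenceSource 'Test GPO1' -DifferenceSource 'Test GPO2' | Format-Table -AutoSize
Compare-GpoSettings -ReferenceSource 'C:\GPOBackups\20240101-0900\{backup-id}\gpreport.xml' -DifferenceSource 'Test GPO1'
Get-GpoAccountPolicy -Source 'Test GPO1' | Format-Table Setting, Value, Type -AutoSize
```

Comparing a live GPO with the gpreport.xml from a dated backup gives the same "what changed since the approved version" answer that the AGPM history tab gives, which is useful when reviewing a deployment request or investigating an unexpected policy change on a domain without AGPM.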

To delete a GPO

On a computer on which you have installed AGPM Client, log on with a user account that is assigned the role of Approver. In the Group Policy Management Console tree, click Change Control in the forest and domain in which you want to manage GPOs.

On the Contents tab>click the Controlled tab to display the controlled GPOs>right-click the GPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment. Type a comment to be displayed in the audit trail for the GPO>click OK>click Close.

To restore a deleted GPO

On the Contents tab>click the Recycle Bin tab to display deleted GPOs>Right-click GPO>click Restore.

Type a comment to be displayed in the history of the GPO>click OK> click Close.

Important! Restoring a GPO to the archive does not automatically redeploy it to the production environment.

To roll back to an earlier version of a GPO

On the Contents tab>click the Controlled tab>Double-click MyGPO to display its history>Right-click the version to be deployed>click Deploy>click Yes>click Close.

Last but not least, PowerShell commands are very handy for working with GPOs on the fly. Before you can use the PowerShell commands, you have to install Active Directory Web Services on a domain controller in your AD infrastructure. Download PowerShell v2 and install it on a utility server or a Windows 7 admin PC. Open a PowerShell window as an Administrator and type the following commands.

Get-Command -Module GroupPolicy

Get-Command -Module GroupPolicy | Get-Help

List of PowerShell commands for GPOs and their functionality:

Backup-GPO                   Backs up a GPO.
Copy-GPO                     Copies a GPO.
Get-GPInheritance            Retrieves GPO inheritance.
Get-GPO                      Gets one GPO or all GPOs.
Get-GPOReport                Generates a report in either XML or HTML.
Get-GPPermissions            Gets the permission level for security principals.
Get-GPPrefRegistryValue      Retrieves one or more registry preference items.
Get-GPRegistryValue          Retrieves one or more registry-based policy settings.
Get-GPResultantSetOfPolicy   Outputs the Resultant Set of Policy (RSoP) information.
Get-GPStarterGPO             Gets one Starter GPO or all Starter GPOs in a domain.
Import-GPO                   Imports the Group Policy settings from a backed-up GPO.
New-GPLink                   Links a GPO to a site, domain, or OU.
New-GPO                      Creates a new GPO.
New-GPStarterGPO             Creates a new Starter GPO.
Remove-GPLink                Removes a GPO link from a site, domain, or OU.
Remove-GPO                   Deletes a GPO.
Remove-GPPrefRegistryValue   Removes one or more registry preference items.
Remove-GPRegistryValue       Removes one or more registry-based policy settings.
Rename-GPO                   Assigns a new display name to a GPO.
Restore-GPO                  Restores one GPO or all GPOs in a domain from a backup.
Set-GPInheritance            Blocks or unblocks inheritance for a specified domain or OU.
Set-GPLink                   Sets the properties of the specified GPO link.
Set-GPPermissions            Grants a level of permissions to a security principal.
Set-GPPrefRegistryValue      Configures a registry preference item.
Set-GPRegistryValue          Configures one or more registry-based policy settings.
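Two of the controls AGPM gives you, a versioned archive to roll back to and a clear view of who may edit each GPO, can be approximated with the cmdlets listed above. The script below is an added example, not from the original post and not Microsoft or AGPM code: it takes a timestamped backup of every GPO in the domain with Backup-GPO, writes a manifest so a later Restore-GPO can be matched to the right GPO, and uses Get-GPPermissions to list every trustee holding edit rights on any GPO. It assumes RSAT GPMC with the GroupPolicy module and an account with backup and read rights on the GPOs; the backup path and the expected-editor list are example values, and Backup-AllGposVersioned and Get-GpoEditRights are this example's own function names.

```powershell
# Added example (not from the original post): versioned GPO backups plus an audit
# of edit rights, using the GroupPolicy module. Assumes RSAT GPMC.
Import-Module GroupPolicy

function Backup-AllGposVersioned {
    # Each run lands in its own timestamped folder, so earlier versions remain
    # available to Restore-GPO much as AGPM keeps archive versions.
    param(
        [Parameter(Mandatory=$true)][string]$Root,
        [string]$Comment = 'Scheduled GPO backup'
    )
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $backups = Backup-GPO -All -Path $dir -Comment $Comment
    # Manifest mapping GPO name -> GPO GUID -> backup id -> time, for later restores.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    return $dir
}

function Get-GpoEditRights {
    # Lists every trustee that can edit a GPO (GpoEdit, GpoEditDeleteModifySecurity
    # or a custom ACE) and flags trustees outside the expected list.
    param(
        # Assumption: replace with the groups your delegation standard allows.
        [string[]]$Expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermissions -Guid $gpo.Id -All) {
            $level = "$($perm.Permission)"
            if ($level -match '^GpoEdit|^GpoCustom') {
                New-Object PSObject -Property @{
                    GPO        = $gpo.DisplayName
                    Trustee    = $perm.Trustee.Name
                    Permission = $level
                    Expected   = ($Expected -contains $perm.Trustee.Name)
                }
            }
        }
    }
}

# Usage (path is an example):
$dir = Backup-AllGposVersioned -Root 'C:\GPOBackups'
Get-GpoEditRights | Where-Object { -not $_.Expected } | Format-Table GPO, Trustee, Permission -AutoSize
# Roll one GPO back to the version held in that backup folder:
# Restore-GPO -Name 'MyGPO' -Path $dir
```

Running the backup on a schedule and keeping the manifest beside it gives you the rollback path the post describes for AGPM ("deploy any version of a GPO to production") on domains that do not have AGPM, and the edit-rights listing is the native equivalent of reviewing the Domain Delegation tab: any trustee that shows Expected = False has been given edit rights outside the role model and should be explained or removed.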

Relevant References:

Active Directory Best Practice

Download Advanced Group Policy from TechNet

Finally! Copy and merge GPOs! PowerShell saves the day!

Microsoft® Desktop Optimization Pack (MDOP)


Choosing Which Version of AGPM to Install

Active Directory Web Services


About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Identity and Access Management.