Advanced Group Policy Management

Saad Mardini, IT Support Specialist
Certified Expert
Enjoying the opportunity to work with computers and technology is great, but enjoyment alone doesn't pay the bills.
Edited by: Andrew Leniart
AGPM
Microsoft’s Advanced Group Policy Management (AGPM) gives you the ability to manage GPOs much more closely.



For example, with AGPM, you have to check out a GPO to make edits, which prevents anyone from accidentally making changes while another person is editing. You have the ability to require approval for a proposed change; that’s built-in change management. AGPM also allows you to roll back to a previous version of a GPO if a change you made is causing problems.


AGPM is part of the Microsoft Desktop Optimization Pack (MDOP), which is an add-on to an Enterprise Agreement with Software Assurance (SA). Most firms with Windows Enterprise already have access to MDOP and its components, including AGPM.




How to Set It Up


AGPM is relatively easy to set up.  All you need are two accounts, a server, and clients.


The server doesn’t need to be dedicated to AGPM; you simply need one with the Group Policy Management Console feature installed.  In fact, on Server 2008 R2 or newer, the GPMC and required .NET features will be installed by the AGPM installer if necessary. 


The two accounts are an AGPM Admin account and an AGPM Service account. You need to grant the service account access to all your existing GPOs before setting up AGPM. This can be done with the GrantPermissionOnAllGPOs.wsf script, which is part of the GPMC sample scripts in the TechNet Code Gallery: https://gallery.technet.microsoft.com/group-policy-management-17a5f840
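The same pre-setup step done with the GroupPolicy PowerShell module (an added example, not the article's WSF script or Microsoft's AGPM code). It assumes RSAT's GroupPolicy module is available and that `CONTOSO\svc-agpm` is a placeholder for your own AGPM service account; it grants the account edit rights on every GPO and then reports any GPO where that grant is missing, so stragglers are caught before the AGPM server install takes over the ACLs.

```powershell
# Added example: grant the AGPM service account edit rights on all GPOs, then verify.
Import-Module GroupPolicy

$ServiceAccount = 'CONTOSO\svc-agpm'          # placeholder: your AGPM service account
$Required       = 'GpoEditDeleteModifySecurity' # level AGPM needs to take control of a GPO

# Grant the service account the required level on every GPO in the domain.
# -Replace overwrites any weaker entry that already exists for the same principal.
# Use -TargetType Group instead if you delegate through a group rather than a user.
Get-GPO -All | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName $ServiceAccount -TargetType User `
        -PermissionLevel $Required -Replace | Out-Null
}

# Verify: Get-GPPermission errors when the trustee has no entry at all, so treat
# "no result" the same as "wrong level" and list both.
$missing = foreach ($gpo in Get-GPO -All) {
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount `
        -TargetType User -ErrorAction SilentlyContinue
    if (-not $perm -or $perm.Permission -ne $Required) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Found = $perm.Permission }
    }
}

if ($missing) { $missing | Format-Table -AutoSize }
else { "All GPOs grant $Required to $ServiceAccount" }
```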


Then all you need to do is install the AGPM Server software and the AGPM Client. The client software can be installed on the same server as the Server software if you want one place to manage it. If you want to manage GPOs from other workstations, the client software requires Windows RSAT to be installed.


Once you set up the Server software, it locks down all existing GPO permissions so that only Domain Admins can right-click and edit GPOs from the standard GPMC. Any other users will have to use the AGPM client to check out and then edit a GPO.


You can further lock it down to prevent Domain Admins from editing outside AGPM by explicitly denying the Domain Admins group the right to edit GPOs. This effectively forces everyone to use AGPM, so that you can manage and approve changes in a controlled manner.


Based on the ease of implementation and the features AGPM provides, I see more firms implementing it for Group Policy management down the road.


Hope you find this useful.


