Risks with single AGPM Server (Group Policy / Serv 2008) ?


I'm moving forward with a change request on implementing AGPM in our 2008 domain.  Although it's not perfect, it's definitely a step in the right direction with regard to Group Policy management.

So, over the course of a week, I've gotten pretty much up to speed on using the new MMC additions for AGPM.  It sounds like in our org we're going to be able to use a single licensed VM for the AGPM server installation, and not be able to have any redundancy in the equation.

For a disaster scenario, I'm wondering what would happen if the AGPM server exploded and there was no way to bring it back to life, or if we needed to create an emergency-style Group Policy in a pinch on a remote DC somewhere?

For the second scenario, I understand that as long as you have rights to create policies, the AGPM server would then just move those into the "uncontrolled" portion, but my primary worries are definitely with the first scenario and the "controlled" policies.  Should the server die a horrible death, what happens to the policies that are managed by AGPM?

Is there a backout way to return to the way things are currently running, where Group Policy is pretty much a free-for-all as long as the rights are there?

Any information that anybody has on this topic, if anybody has had the opportunity to play with the new Group Policy stuff from MS, your ideas would be very appreciated here.
Joseph Moody (Blogger and wearer of all hats) commented:
We just finished implementing AGPM. You will probably want to use the Group Policy Script pack to reset all GPO permissions to the default. The setGPOpermissions script is super easy and helpful!

Anyway, you will want to set your production delegation so that Domain Admins and Enterprise Admins still have edit/delete/modify under change control.

Then make sure that under the Delegation tab on the Group Policy Objects container, Domain Admins and Group Policy Creator Owners are still listed.

To test the AGPM server going offline, simply right-click on Group Policy Objects. If you are logged in as a domain admin/enterprise admin, you should still be able to create a new GPO. All other GP admins (who probably should not be domain admins) should not be able to create a new GPO in the Group Policy Objects container.

You also may want to check out a few of the AGPM-related posts on TechNet (about security best practices) and automatedoutofajob.blogspot.com.
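The checks in the answer above can be scripted so they are repeatable before and after the AGPM server is taken offline. The following PowerShell is an added example written for this page; it is not code from the thread or from Microsoft's AGPM documentation. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that it runs in a Domain Admin session, and that the fallback groups are the built-in "Domain Admins", "Enterprise Admins" and "Group Policy Creator Owners" (the group names and the `-Restore` switch are this example's own choices). It answers the two questions the answer raises: who can still create a GPO in the Group Policy Objects container if AGPM is gone, and which controlled GPOs the fallback groups can no longer edit directly.

```powershell
# Added example, not part of the original thread. Audits GPO creation rights on the
# Group Policy Objects container and direct edit rights on every GPO, so the
# "AGPM server is dead" fallback can be verified (and, with -Restore, repaired).
# Assumes RSAT GroupPolicy + ActiveDirectory modules and a Domain Admin session.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Groups that must keep edit/delete/modify on deployed GPOs (assumed defaults).
    [string[]]$RequiredEditors = @('Domain Admins', 'Enterprise Admins'),
    # Groups that must be able to create new GPOs without AGPM (assumed defaults).
    [string[]]$RequiredCreators = @('Domain Admins', 'Group Policy Creator Owners'),
    # Re-grant missing edit rights instead of only reporting them.
    [switch]$Restore
)

Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain

# 1. Creation rights are not stored on any GPO; they live on the ACL of
#    CN=Policies,CN=System in the domain partition. AGPM itself creates GPOs
#    through its service account, so this ACL decides who can work around it.
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$acl = Get-Acl -Path "AD:\$policiesDn"
$creators = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'CreateChild|GenericAll'
    } |
    Select-Object -ExpandProperty IdentityReference -Unique

Write-Host "Principals allowed to create objects under $policiesDn :"
$creators | ForEach-Object { Write-Host "  $($_.Value)" }

foreach ($group in $RequiredCreators) {
    # IdentityReference.Value is DOMAIN\Group; match on the group part.
    if (-not ($creators | Where-Object { $_.Value -like "*\$group" })) {
        Write-Warning "$group cannot create GPOs; emergency GPO creation would depend on AGPM."
    }
}

# 2. For every deployed GPO, check that the fallback groups still hold
#    GpoEditDeleteModifySecurity directly on the GPO. AGPM production delegation
#    normally stamps these ACEs when it deploys; if it was set too tightly,
#    losing the AGPM server means nobody can edit the controlled GPOs.
$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    foreach ($group in $RequiredEditors) {
        $entry = $perms | Where-Object { $_.Trustee.Name -eq $group } | Select-Object -First 1
        $current = if ($entry) { [string]$entry.Permission } else { 'None' }
        $ok = ($current -eq 'GpoEditDeleteModifySecurity')

        if (-not $ok -and $Restore -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant $group GpoEditDeleteModifySecurity")) {
            # Set-GPPermission without -Replace only raises the trustee's level,
            # so the AGPM service account's own ACE is left untouched.
            Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group `
                -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
            $current = 'GpoEditDeleteModifySecurity'
            $ok = $true
        }

        [pscustomobject]@{
            GPO            = $gpo.DisplayName
            Group          = $group
            Permission     = $current
            FallbackEditOK = $ok
        }
    }
}

# GPOs the fallback groups cannot edit appear first.
$report | Sort-Object FallbackEditOK, GPO | Format-Table -AutoSize
```

Run it once with no switches to get the two reports, then `-Restore -WhatIf` to see which GPOs would be changed, and `-Restore` to apply. Because AGPM re-stamps permissions on the next deploy from its production delegation settings, fix the delegation in AGPM as the answer describes rather than relying on the script to keep the ACEs in place.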

usslindstrom (Author) commented:
Thank you for the insight on AGPM.  - Much appreciated!

I'm going to be running through a few disaster scenarios with tested "controlled GP objects", then shutting the server down, etc.

It's nice to see your take on the subject.  Thanks.