Advanced Group Policy Management

In this article we demonstrate advanced techniques for Group Policy management that use the Group Policy Management Console (GPMC) and Microsoft Advanced Group Policy Management (AGPM). AGPM extends the capabilities of the GPMC, providing:

- Standard roles for delegating permissions to manage Group Policy objects (GPOs) to multiple Group Policy administrators, in addition to the ability to delegate access to GPOs in the production environment.
- An archive that lets Group Policy administrators create and modify GPOs offline before the GPOs are deployed into production.
- The ability to roll back to any earlier version of a GPO in the archive and to limit the number of versions stored in the archive.
- Check-in and check-out capability for GPOs, so that Group Policy administrators do not unintentionally overwrite each other's work.
- The ability to search for GPOs with specific attributes and to filter the list of GPOs displayed.
- E-mail notification to the Approver to review and approve a GPO for deployment.
- A very simple way to back up and restore GPOs.

To demonstrate how Group Policy can be managed through AGPM, I created the following four user accounts in my Active Directory domain:

User account   AGPM role                                           Member of      E-mail address
agpmadmin      Full Control; AGPM server and client installation   Domain Admins  [email protected]
agpmeditor     Editor                                              Domain Users   [email protected]
agpmapprover   Approver                                            Domain Users   [email protected]
agpmreviewer   Reviewer                                            Domain Users   [email protected]

You can also assign these four roles to group accounts instead of user accounts. For this lab demonstration I have used these four user accounts. These accounts must be able to send and receive e-mail messages. We also have to assign the Link GPOs permission to the accounts that hold the AGPM Administrator, Approver, and (optionally) Editor roles. To assign the Link GPOs permission, do the following:

1. Open the Delegation of Control Wizard and click Next.
2. Add the user accounts to which we want to delegate control. In this lab the accounts to add are agpmadmin, agpmapprover, and agpmeditor, as shown below.
3. Check the Manage Group Policy links box, click Next, and then click Finish to close the wizard.
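The same delegation can be scripted and, more importantly, audited. The following PowerShell is an added example (not from the article): it grants the "Manage Group Policy links" right (Read/Write on the gPLink and gPOptions attributes) at the domain root to the three lab accounts, then lists every principal that can write gPLink there. It assumes the RSAT ActiveDirectory module and its AD: drive; the function names are my own.

```powershell
# Added example, not part of the article: delegate "Manage Group Policy links" on
# the lab domain with PowerShell instead of the Delegation of Control Wizard, then
# audit who holds it. Assumes the RSAT ActiveDirectory module and the AD: drive.
Import-Module ActiveDirectory

# "Manage Group Policy links" is Read/Write on the gPLink and gPOptions attributes;
# the attribute GUIDs are read from the schema rather than hard-coded.
function Get-GpLinkAttributeGuids {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $guids = @{}
    foreach ($name in 'gPLink', 'gPOptions') {
        $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        $guids[$name] = [guid]$attr.schemaIDGUID
    }
    return $guids
}

function Grant-GpLinkDelegation {
    param([string]$TargetDn, [string[]]$Principals)   # principals may be users or groups
    $acl   = Get-Acl -Path "AD:\$TargetDn"
    $guids = Get-GpLinkAttributeGuids
    foreach ($p in $Principals) {
        $sid = (Get-ADObject -Filter "sAMAccountName -eq '$p'" -Properties objectSid).objectSid
        foreach ($g in $guids.Values) {
            $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
                [System.Security.AccessControl.AccessControlType]::Allow,
                $g,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
        }
    }
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}
# Audit: which principals can write gPLink (link GPOs) at this DN? Anything beyond
# the AGPM Administrator, Approver and Editor accounts deserves a second look.
function Get-GpLinkWriters {
    param([string]$TargetDn)
    $gpLink = (Get-GpLinkAttributeGuids)['gPLink']
    (Get-Acl -Path "AD:\$TargetDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
                       ($_.ObjectType -eq $gpLink -or $_.ObjectType -eq [guid]::Empty) } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

$domainDn = (Get-ADDomain).DistinguishedName          # DC=abhi,DC=local in the lab
Grant-GpLinkDelegation -TargetDn $domainDn -Principals 'agpmadmin', 'agpmapprover', 'agpmeditor'
Get-GpLinkWriters -TargetDn $domainDn | Format-Table -AutoSize
```

Run the audit function on its own whenever you review delegation: unexpected entries with WriteProperty on gPLink are effectively able to change which GPOs apply at that scope.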

Steps for installing and configuring AGPM

Step 1: Install AGPM Server

Now we are going to install AGPM Server on our domain controller for this lab, DC01.abhi.local. You can also install AGPM Server on any member server. The AGPM Server installation automatically installs the Group Policy Management Console (GPMC) on the server if it is not already present. For this lab demonstration I am going to use the account agpmadmin to install the AGPM Server and Client on the domain controller. To install AGPM Server, perform the following steps on the domain controller:

1. Log in to the server with the account abhi\agpmadmin.
2. Start the Microsoft Desktop Optimization Pack CD and follow the on-screen instructions to select Advanced Group Policy Management – Server.
3. In the Welcome dialog box, click Next.
4. In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.
5. In the Archive Path dialog box, enter a location for the archive path.
6. In the AGPM Service Account dialog box, enter a service account under which the AGPM Service will run, and then click Next.
7. In the Archive Owner dialog box, enter an account or group to which you assign the AGPM Administrator (Full Control) role. In this demo the account is abhi\agpmadmin.
8. In the Port Configuration dialog box, type a port on which the AGPM Service should listen. By default it uses port 4600. (Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions.)
9. In the Languages dialog box, select one or more display languages to install for AGPM Server.
10. Click Install, and then click Finish to exit the Setup Wizard.

So we have finished the AGPM Server installation. Each Group Policy administrator—anyone who creates, edits, deploys, reviews, or deletes GPOs—must have AGPM Client installed on the computers that they use to manage GPOs. For this lab demo, we will install AGPM Client on the same domain controller. To install AGPM Client, I logged in to the domain controller with the account abhi\agpmadmin. Perform the following steps to install AGPM Client.

Step 2: Install AGPM Client (logged in as abhi\agpmadmin)

1. Start the Microsoft Desktop Optimization Pack CD and follow the on-screen instructions to select Advanced Group Policy Management - Client.
2. In the Application Path dialog box, select a location in which to install AGPM Client. Click Next.
3. In the AGPM Server dialog box, type the DNS name or IP address of the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Click Next. (Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions.)
4. Follow the remaining screens and click Next to finish the AGPM Client installation.

Once the AGPM Server and Client installations have finished, we need to configure an AGPM Server connection. In the following steps we configure the connection and ensure that all Group Policy administrators connect to the same AGPM Server.

Step 3: Configure an AGPM Server connection

To configure an AGPM Server connection, perform the following steps:

1. On a computer on which we have installed AGPM Client (in this demo the domain controller DC01.abhi.local), open the Group Policy Management Console (gpmc.msc).
2. Expand Forest: abhi.local, expand Domains, and select the domain abhi.local.
3. Right-click the selected domain and click Create a GPO in this domain, and Link it here.
4. In the Group Policy Management Editor window, expand User Configuration, Policies, Administrative Templates, Windows Components, and AGPM.
5. Double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port. For this lab demo it is DC01.abhi.local:4600.
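As an added check (not part of the article) that the connection configured above works from a client, the following PowerShell reads the applied AGPM Server policy and probes the AGPM Service port; when run on the server itself it also lists the inbound firewall rules for that port. The registry value name AGPMServer and the function names are assumptions, not taken from the article.

```powershell
# Added example, not part of the article: from an AGPM Client computer, confirm the
# default AGPM Server policy has applied and that the AGPM Service port is reachable.
# Assumption: the policy stores "server:port" in the AGPMServer value under
# HKCU\Software\Policies\Microsoft\AGPM (value name assumed, not from the article).
function Get-AgpmServerPolicy {
    $key   = 'HKCU:\Software\Policies\Microsoft\AGPM'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AGPMServer
    if (-not $value) { throw 'No AGPM Server policy applied; run gpupdate /target:user and retry.' }
    $server, $port = $value -split ':'
    if (-not $port) { $port = 4600 }        # AGPM default when the policy omits the port
    [pscustomobject]@{ Server = $server; Port = [int]$port }
}

function Test-AgpmServerConnection {
    param([string]$Server, [int]$Port = 4600)
    $result = [pscustomobject]@{
        Server = $Server; Port = $Port; Resolves = $false; PortOpen = $false; FirewallRules = @()
    }
    try { $null = Resolve-DnsName -Name $Server -ErrorAction Stop; $result.Resolves = $true } catch { }
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    $result.PortOpen = $tcp.TcpTestSucceeded
    # When run on the AGPM Server itself, list the enabled inbound rules for the port
    # (the installer offers to add one; an empty list explains a closed port).
    if ($env:COMPUTERNAME -ieq ($Server -split '\.')[0]) {
        $result.FirewallRules = @(Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -eq $Port } | Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
            Select-Object -ExpandProperty DisplayName)
    }
    return $result
}

# Lab values from the article: DC01.abhi.local:4600
$policy = Get-AgpmServerPolicy
Test-AgpmServerConnection -Server $policy.Server -Port $policy.Port | Format-List
```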

So now we have finished the AGPM Server connection configuration. Now it's time to configure e-mail notification. In this step we designate the e-mail addresses of the Approvers and AGPM Administrators to whom an e-mail message containing a request is sent when an Editor tries to create, deploy, or delete a GPO.

Step 4: Configure e-mail notification

To configure e-mail notification, perform the following steps:

1. Open gpmc.msc, select Change Control, and in the details pane click the Domain Delegation tab.
2. Fill in the From e-mail address and To e-mail address fields, and enter the settings of your SMTP server, as shown in the figure below.

Make sure that in the From e-mail address field you typed the e-mail address for AGPM from which notifications should be sent, and that in the To e-mail address field you typed the e-mail address of the user account to which you intend to assign the Approver role.

Step 5: Delegate access

As an AGPM Administrator (Full Control), we can delegate domain-level access to GPOs by assigning roles to the account of each Group Policy administrator. To delegate access, perform the following:

1. On the Domain Delegation tab, click the Add button, select the user account of the Group Policy administrator who will serve as Approver, and then click OK.
2. In the Add Group or User dialog box, select the Approver role to assign that role to the account, and then click OK.

For this lab demo, our Approver account is agpmapprover, and I assigned the Approver role to this account using the steps above, as shown in the figure below.

Using the same steps, I delegated the appropriate role to each of the four accounts I created for this lab demo, as shown in the figure below.

OK, so we have finished all the necessary configuration and role-based access delegation. It's time now to manage GPOs. Next we will demonstrate how to create a GPO, edit, review, and deploy it, and finally delete and restore a GPO.

Steps for managing GPOs

Step 1: Create a GPO (logged in as the Editor account, abhi\agpmeditor)

To request that a new GPO be created and managed through AGPM:

1. Open the Group Policy Management Console (gpmc.msc) on the computer where we installed AGPM Client. Right-click Change Control and then click New Controlled GPO.
2. In the New Controlled GPO dialog box: to receive a copy of the request, type your e-mail address in the Cc field. Type the name of the GPO; for this demonstration the name is MyLabGPO. Type a comment for the new GPO. Click Create in archive and production so that the new GPO will be deployed to the production environment immediately upon approval. Click Submit.
3. When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO is displayed on the Pending tab.

Now we have submitted the request to create a GPO. It is pending approval from the GPO Approver. We will now see how to approve the pending request to create a GPO.

To approve the pending request to create a GPO (logged in as the Approver, abhi\agpmapprover):

1. On a computer on which we have installed AGPM Client, log on with a user account that has the role of Approver in AGPM. Open the e-mail inbox for the account; here we have received an e-mail message from the AGPM alias with the Editor's request to create a GPO.
2. In the Group Policy Management Console tree, click Change Control, and on the Contents tab click the Pending tab to display the pending GPOs, as shown in the figure below.
3. Right-click MyLabGPO, and then click Approve.
4. Click Yes to confirm approval, type a comment, and the GPO moves to the Controlled tab.

Step 2: Edit a GPO (logged in as the Editor, abhi\agpmeditor)

Now the pending request to create the GPO has been approved by the Approver. So it is time to edit the GPO and configure its settings. To do so, perform the following:

1. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs. Right-click MyLabGPO, and then click Check Out.
2. When the AGPM Progress window indicates that overall progress is complete, click Close. On the Controlled tab, the state of the GPO is identified as Checked Out, as shown in the figure below.

To edit the GPO offline and configure the settings: on the Controlled tab, right-click MyLabGPO, and then click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO.

For this lab demo I configured this GPO with desktop wallpaper settings for all users in the Sales OU, as shown in the figure below.

To check the GPO into the archive:

1. On the Controlled tab, right-click MyLabGPO and then click Check In.
2. Type a comment, and then click OK.

To request the deployment of the GPO to the production environment:

1. On the Controlled tab, right-click MyLabGPO and then click Deploy.
2. Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.
3. When the AGPM Progress window indicates that overall progress is complete, click Close. MyLabGPO is displayed in the list of GPOs on the Pending tab, as shown in the figure below.

Step 3: Review and deploy a GPO

To review settings in the GPO

Now we will create reports and analyze the settings, and the changes to settings, in the GPO to determine whether the Approver should approve them. After evaluating the GPO, we can deploy it to the production environment and link it to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU. To do so, perform the following steps:

1. On a computer on which we have installed AGPM Client, log on with a user account that is assigned the role of Approver in AGPM. (Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.) Open the e-mail inbox for the account and notice that we have received an e-mail message from AGPMadmin with the Editor's request to deploy a GPO, as shown in the figure below.
2. On the Contents tab in the details pane, click the Pending tab. Double-click MyLabGPO to display its history.
3. In the History window, right-click the GPO version with the most recent time stamp, click Settings, and then click HTML Report to display a summary of the GPO's settings.

The HTML report is shown in the figure below. A setting highlighted in green and preceded by [+] is one that is configured only in the later version of the GPO.

To deploy the GPO to the production environment:

1. On the Pending tab, right-click MyLabGPO and then click Approve.
2. Type a comment to include in the history of the GPO.

To link the GPO to a domain or organizational unit:

1. In the GPMC, right-click either the domain or the organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. For this lab demo I linked the GPO at the Sales OU, as shown below.
2. In the Select GPO dialog box, click MyLabGPO, and then click OK.

So we have finished the GPO settings and configuration in the production environment. We edited our GPO in offline mode, received approval to deploy it, and linked it to the desired OU.

Step 4: Delete and restore a GPO (logged in as the Approver, abhi\agpmapprover)

Now we will see how to restore a deleted GPO. To demonstrate this, I first delete the GPO we created in this lab, MyLabGPO. The following steps show how to delete any existing GPO from AGPM:

1. On the Contents tab, click the Controlled tab to display the controlled GPOs. Right-click MyLabGPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment.
2. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored or destroyed, as shown below.

To restore a deleted GPO:

1. On the Contents tab, click the Recycle Bin tab to display deleted GPOs. Right-click the deleted GPO (MyLabGPO), and then click Restore.
2. When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Recycle Bin tab and is displayed on the Controlled tab, as shown in the figure below.

Note that restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy it from its history, as in the following procedure.

To roll back to an earlier version of a GPO:

1. On the Contents tab, click the Controlled tab to display the controlled GPOs. Double-click the GPO to display its History.
2. Right-click the version to be deployed, click Deploy, and then click Yes.

To verify that the version that was redeployed is the version intended, examine a difference report for the two versions. In the History window for the GPO, select the two versions, right-click them, point to Difference, and then click either HTML Report or XML Report.

This article described AGPM 4.0 and the benefits it can bring to our environment, how it works, and how to install it. We also saw how to take control of existing GPOs in our environment and how to create, edit, and deploy controlled GPOs to production.