I’ve been checking out the Microsoft Desktop Optimization Pack (MDOP) a little bit lately. There are some fantastic tools in here, such as:
- Microsoft Application Virtualization (formerly known as SoftGrid)
- Microsoft Asset Inventory Service
- Microsoft Advanced Group Policy Management
- Microsoft Diagnostics and Recovery Toolset
- Microsoft System Center Desktop Error Monitoring
In this article, we will focus on one of these newer technologies, Advanced Group Policy Management (AGPM). Just hearing the name of the product, you may think… what’s so advanced about it? What more does it give us? Well, let’s go over some of the “sales” type of talk on the benefits you get from it. For each topic below, we’ll dive into the GUI and show how the AGPM client provides these capabilities.
Benefits of AGPM
- Granular administrative control
- Robust delegation model
- Role-based administration
- Change request approval
- Reduced risk of widespread failures
- Offline editing of GPOs
- Difference reporting and audit logging
- Recovery of a deleted GPO
- Repair of live GPOs
- Effective Group Policy change management
- Creation of GPO template libraries
- Subscription to policy change e-mail notifications
- Version tracking, history capture, and quick rollback of deployed changes
Working with Delegation
There are two parts to AGPM: the client and the server. For our lab and demonstration, the server and client were installed on the same machine. AGPM 3.0 is installable on Windows Server 2008. After installing both the server and the client, we use the Group Policy Management tool located in Administrative Tools. When we installed the server piece, we specified a service account which becomes the “Administrator” account for AGPM. Because this is a test lab, I used the Administrator account, which is not best practice in a production environment.
When we open Group Policy Management, we can see we have a Change Control section. This is the section that allows us to work with the AGPM features.
Clicking on the Domain Delegation tab displays the Administrator account, since that is the service account we specified during installation.
I have a user named eshudnow who is only a member of the Domain Users group. I want to delegate GPO responsibilities to this individual. Just below where you see the Administrator text above, there is an Add button. Clicking on this Add button, I specified eshudnow, which presented me with the following options for delegation. They are pretty self-explanatory.
Now, when looking at the delegation features above, it is important to note that these delegation options apply to non-production GPOs (the archived copies). For production GPOs, you will want to look at the Production Delegation tab. Essentially, when a GPO from the AGPM archive is deployed to production, any permissions on the GPO other than Read and Apply are removed and the permissions from the Production Delegation tab are applied instead.
Note: SYSTEM and ENTERPRISE DOMAIN CONTROLLERS do not need to be removed.
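Because the deploy step rewrites the production ACL, it is worth checking afterwards that nobody outside the Production Delegation tab still holds more than Read and Apply. The following is an added example (not code from the original article or from AGPM) that lists such entries using the GPMC PowerShell module; it assumes Windows Server 2008 R2 or later and that the GPO names in your domain are whatever Get-GPO returns.

```powershell
# Added example: report principals holding more than Read/Apply on production GPOs.
# Assumes the GroupPolicy module (GPMC on Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function Get-ExtraGpoPermissions {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        # Principals AGPM is expected to leave in place (see the Note above).
        [string[]]$Expected = @('SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    )
    # Rights AGPM keeps on deployment; anything broader must come from the
    # Production Delegation tab, so it should be reviewed against that tab.
    $kept = @('GpoRead', 'GpoApply')

    Get-GPPermission -Name $GpoName -All |
        Where-Object {
            ($kept -notcontains $_.Permission) -and
            ($Expected -notcontains $_.Trustee.Name)
        } |
        Select-Object @{ n = 'GPO';     e = { $GpoName } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission, Inherited
}

# Review every GPO in the domain, not only the ones controlled so far.
Get-GPO -All |
    ForEach-Object { Get-ExtraGpoPermissions -GpoName $_.DisplayName } |
    Format-Table -AutoSize
```

Compare the resulting trustees with the Production Delegation tab; an Edit or Modify Security entry that is not listed there was set outside AGPM.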
Taking Control of Production GPOs
So how do we actually take control of a GPO so these delegation settings take effect and we can use the features AGPM offers? Let’s go back to the Contents tab.
We can see that these two GPOs are in an Uncontrolled state. So how can we control these GPOs? Right-click on a GPO and choose Control.
We will be able to comment on our reason for controlling the GPO, and then the process of controlling this specific GPO will commence.
Controlled GPO Management
Now, one thing to keep in mind is that when you edit a GPO in AGPM, it is not being modified in production. You have the ability to check out a GPO so that you, and only you, can modify it. You then check that GPO in, and it can be deployed from the AGPM archive into production. This allows you to modify GPOs without worrying that the change will be rolled out to production immediately, and it makes rollback easy.
As we can see, Edit is greyed out. This means we have to Check Out the GPO before we can edit it. Once we finish editing our GPO, we Check it In. Someone with the delegated Approver role can then approve the GPO and Deploy it.
So what happens if we modify the GPO in the archive, then decide that we don’t like what we did and just want to scrap the entire archived GPO? Choose the Import from Production option. This copies the production GPO down to our archive and replaces the current archived version.
Creating a Template
What if we have an existing spreadsheet of standard policies? Well, forget that spreadsheet… Let’s just create a new Controlled GPO and turn it into a template. Actually, let’s go ahead and do this. Let’s create a GPO called Template and modify a couple of options. Right-click in the empty white space and choose New Controlled GPO.
We’ll create our new template, named template. Original, eh? I’d advise against creating this as a Live GPO. It’s always better to create it offline and use the Deploy option discussed earlier. Better safe than sorry, I always say. We can see that we can base this off another template. This is the whole reason we are creating the template: so future GPOs can be based off the GPO we are creating and then converting into a template.
Once we have checked out our GPO, edited it, made our changes, and checked it in, we will be able to convert our GPO into a template.
To verify that this GPO was converted into a template, we can view it in the Templates tab.
GPO Settings
The nice thing about the Group Policy Management Console (GPMC) is that it provides a convenient way to view your existing settings, showing only the settings that have been modified.
The way to do this in AGPM is by viewing the Settings of the GPO and choosing HTML Report. You can also view the GPO Links tab to see where the GPO will be linked when you Deploy it to production.
GPO Differences and Disaster Recovery
One great feature is the ability to view the differences between versions of a GPO and revert to the version you feel most comfortable with. The way to do this is by viewing the Differences and opening a Report.
You can see that you can compare one version of the Default Domain Policy against another.
If you decide that you want a previous version of the GPO deployed to production instead, you can open the History.
This provides a lot of history information about the GPO.
From here, you can right-click on a previous version and choose to Deploy it to production.
E-mail Notification
Let’s say you split the delegation roles across different users. You have a specific person with Editor privileges who finishes editing a GPO and checks it in. You can set up an e-mail notification to your approvers to notify them to review and approve the change. To do this, click on the Domain Delegation tab and configure the notification settings.
There are a couple of things to note about the settings above. First of all, the e-mails are not sent encrypted. You can change this through some registry modifications to use SSL encryption. For information on how to do this, click here.
Another thing to note about the above settings is that you can specify an SMTP server and authenticate against it. If you don’t authenticate, you will have to allow relaying on your SMTP server specifically and only for the IP address of the AGPM server (so you’re not a wide-open relay). If you authenticate, you shouldn’t have to allow any type of relaying on your SMTP server. If you are running Exchange (and you should, but of course I would say that as I am an Exchange guy!), and you want to allow relaying for whatever reason, you can follow my article here.
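For the unauthenticated case, here is an added example (not from the original article or the linked one) of an Exchange 2007/2010 Receive Connector that relays only for the AGPM server’s address, so notifications work without turning the Hub Transport into an open relay. It assumes the Exchange Management Shell, a Hub Transport server named HUB01 and an AGPM server at 10.0.0.50; both names are placeholders.

```powershell
# Added example: a relay connector scoped to the AGPM server's IP address only.
# Assumes Exchange Management Shell; HUB01 and 10.0.0.50 are placeholders.
$HubServer = 'HUB01'
$AgpmIp    = '10.0.0.50'

# A dedicated connector on port 25. RemoteIPRanges is the access control:
# only SMTP sessions arriving from $AgpmIp are matched to this connector,
# everything else keeps hitting the default (non-relaying) connector.
$conn = New-ReceiveConnector -Name 'AGPM Relay' -Server $HubServer -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $AgpmIp `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Anonymous sessions may submit mail but not relay by default. Grant the relay
# right (accept any recipient) on this one connector, never domain-wide.
$conn | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Check 1: no other connector on this server should also match the AGPM address.
Get-ReceiveConnector -Server $HubServer |
    Where-Object {
        $_.Name -ne 'AGPM Relay' -and
        (($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -contains $AgpmIp)
    } | Select-Object Identity, RemoteIPRanges

# Check 2: the AGPM connector should be the only one granting anonymous relay.
Get-ReceiveConnector -Server $HubServer |
    Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient*' } |
    Select-Object Identity
```

If the second check lists any connector other than AGPM Relay, that connector is relaying anonymously for a wider range than the AGPM server.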
Conclusion
AGPM is definitely an interesting product. After reading about its capabilities, I was intrigued to play with and learn the product. It’s definitely an easy tool to get the hang of and a very effective one. I’d recommend it to anybody who wants more control over their Group Policy management infrastructure. For more information, I’d recommend heading over to the TechNet Library for AGPM 3.0 here.