Deployment Guide
Published February 2013
Microsoft Advanced Group Policy Management v4.0 SP1 Deployment Guide
Page | 2
Important Notice
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos,
people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, email address, logo, person, place, or event is intended
or should be inferred.
2013 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, Excel, SoftGrid, SQL Server, Windows, Windows PowerShell, and
Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Table of Contents
IMPORTANT NOTICE .... 2
COPYRIGHT .... 2
INTRODUCTION TO THE DEPLOYMENT GUIDE .... 5
AUDIENCE FOR THIS GUIDE .... 5
PRODUCT DOCUMENTATION .... 5
OVERVIEW OF MICROSOFT AGPM .... 6
Microsoft AGPM Server Requirements .... 6
Microsoft AGPM Client Requirements .... 7
Mixed Environments .... 8
Microsoft AGPM User Account Requirements .... 9
PLANNING AGPM DEPLOYMENT .... 11
CENTRALIZED CONFIGURATION .... 11
DECENTRALIZED CONFIGURATION .... 13
MANAGE GROUP POLICY IN EXTRANETS .... 15
COLLECT NECESSARY INFORMATION ABOUT THE EXISTING AD DS INFRASTRUCTURE AND GPOS .... 16
DETERMINE THE NUMBER OF AGPM SERVERS REQUIRED .... 16
DETERMINE THE NUMBER OF AGPM CLIENTS REQUIRED .... 17
DETERMINE THE E-MAIL INFRASTRUCTURE REQUIREMENTS .... 17
DETERMINE THE AGPM ARCHIVE LOCATION AND STORAGE REQUIREMENTS .... 17
INSTALLING AND CONFIGURING AGPM 4.0 SP1 .... 19
STEPS FOR INSTALLING AGPM 4.0 SP1 .... 19
Step 1: Install AGPM Server .... 19
Step 2: Install AGPM Client .... 21
Step 3: Configure an AGPM Server Connection .... 22
Step 4: Configure Email Notification .... 23
Step 5: Delegate Access .... 24
Step 6: Secure AGPM .... 25
Assign the Appropriate Security Roles to Group Policy Administrators .... 26
Secure the AGPM Service Account .... 30
Secure the AGPM Archive .... 30
Securing Communication Between the AGPM Clients and the AGPM Servers .... 31
Hardening of Computers Running AGPM Server .... 33
Configuring AGPM-only Group Policy Management .... 34
STEPS FOR MANAGING GPOS .... 36
Step 1: Create a GPO .... 36
Step 2: Edit a GPO .... 37
Step 3: Review and Deploy a GPO .... 39
Step 4: Use a Template to Create a GPO .... 40
Step 5: Delete and Restore a GPO .... 41
SUMMARY .... 45
Introduction to the Deployment Guide
This deployment guide is designed to help you evaluate and set up Microsoft Advanced Group Policy
Management (AGPM). It details the steps necessary to install and configure AGPM: installing the AGPM
Server and AGPM Client components, configuring an AGPM Server connection, configuring notifications,
delegating access, and securing AGPM.
Audience for This Guide
This guide was written for Microsoft Windows Group Policy administrators. As an information technology
(IT) professional, you should have sufficient knowledge and experience to accomplish the following tasks:
• Set up operating systems and install applications.
• Add computers to domains.
• Set up and work comfortably with Active Directory Domain Services and Microsoft Domain Name System (DNS).
• Have a working knowledge of Active Directory Group Policy.
Product Documentation
Additional documentation for AGPM is available from TechNet at:
http://technet.microsoft.com/library/dd420466.aspx.
Overview of Microsoft AGPM
AGPM increases the capabilities of the Group Policy Management Console (GPMC) by providing the
following benefits:
• An archive that enables Group Policy administrators to create and modify Group Policy objects (GPOs)
offline before deploying them to a production environment.
• The ability to roll back to any previous version of a GPO in the archive and to limit the number of
versions stored in the archive.
• Check-in/check-out capability for GPOs, so that Group Policy administrators do not inadvertently
overwrite each other's work.
• Management of Group Policy across forests, including the ability to copy GPOs from one forest to
another.
• Search and filter capabilities that make GPO tracking easier, such as finding GPOs that were last
changed by a specific administrator, on a particular date, or by other criteria.
• Standard roles for delegating permissions to manage GPOs to multiple Group Policy administrators,
as well as the ability to delegate access to GPOs in the production environment.
Note: For a table of the standard permissions that can be assigned to Group Policy administrators, and
the rights associated with each role, please see the Securing AGPM section later in this guide.
To help this process flow as smoothly as possible, we recommend that you read this guide carefully
before installing the Microsoft AGPM Console.
Microsoft AGPM Server Requirements
AGPM Server 4.0 Service Pack 1 (SP1) requires Windows Server 2012, Windows Server 2008 R2,
Windows Server 2008, Windows 8, Windows 7, or Windows Vista with SP1, and the Group Policy
Management Console from the Remote Server Administration Tools (RSAT) installed. Both 32-bit and 64-
bit versions are supported.
Before you install the AGPM Server, you must be a member of the Domain Admins group, and the
following Windows features must be present, unless otherwise noted:
• GPMC
  - Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is
    automatically installed by AGPM if not already present.
  - Windows 8: You must install the GPMC from RSAT before you install AGPM. For more
    information, see Remote Server Administration Tools for Windows 8
    (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  - Windows 7: You must install the GPMC from RSAT before you install AGPM. For more
    information, see Remote Server Administration Tools for Windows 7
    (http://go.microsoft.com/fwlink/?LinkID=131280).
  - Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM.
    For more information, see Remote Server Administration Tools for Windows Vista with
    Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
• .NET Framework 3.5
The following Windows features are required by AGPM Server and will be automatically installed if not
present:
• WCF Activation: Non-HTTP Activation
• Windows Process Activation Service
• Process Model
• .NET Environment
• Configuration APIs
Microsoft AGPM Client Requirements
AGPM Client refers to any computer that will be managing GPOs using AGPM. AGPM Client 4.0 SP1
requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8,
Windows 7, or Windows Vista SP1 and the GPMC from RSAT installed. Both the 32-bit and the 64-bit
versions are supported. AGPM Client can be installed on a computer running AGPM Server.
Note: Although the AGPM Client itself must run on one of the operating systems listed above, you can
manage GPOs for computers running any version of Windows from Windows XP forward.
The following Windows features are required by AGPM Client and will be automatically installed by AGPM
if not present:
• GPMC
  - Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is
    automatically installed by AGPM if not already present.
  - Windows 8: You must install the GPMC from RSAT before you install AGPM. For more
    information, see Remote Server Administration Tools for Windows 8
    (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  - Windows 7: You must install the GPMC from RSAT before you install AGPM. For more
    information, see Remote Server Administration Tools for Windows 7
    (http://go.microsoft.com/fwlink/?LinkID=131280).
  - Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM.
    For more information, see Remote Server Administration Tools for Windows Vista with
    Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
• .NET Framework 3.0
  - Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7: If the .NET
    Framework 3.0 or a later version is not present, the .NET Framework 3.5 is automatically
    installed by AGPM.
  - Windows Server 2008 or Windows Vista SP1: If the .NET Framework 3.0 or a later version is
    not present, the .NET Framework 3.0 is automatically installed by AGPM.
Mixed Environments
Many companies today operate in a mixed environment; that is, the computer running the AGPM Server
and the computer running the AGPM Client may be running different operating systems. In the following
table, the AGPM Server is the computer that is running the AGPM service. The AGPM Client is the
computer that has the AGPM Console installed for managing GPOs. In a mixed environment that includes
newer and older operating systems, there are some limitations to functionality, as indicated in the
following table:
NOTE: This table refers to compatibility with the AGPM Client used for administrating AGPM. AGPM 4.0
SP1 can manage GPOs on Windows XP, Windows Vista, Windows 7, Windows 8, and Windows Server
versions.
AGPM Server Operating System | AGPM Client Operating System | Status of AGPM Support
Windows Server 2012 or Windows 8 | Windows Server 2012 or Windows 8 | Supported
Windows Server 2008 R2 or Windows 7 | Windows Server 2008 R2 or Windows 7 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 or Windows 8
Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7
Windows Server 2008 or Windows Vista SP1 | Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Unsupported
Windows Server 2008 or Windows Vista SP1 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7
Microsoft AGPM User Account Requirements
With AGPM, you can assign roles to different users, or groups of users, delegating permissions for
viewing, creating, and approving GPOs. The following bullet points and flow chart offer a high-level
summary of the assigned roles:
• Using an account that is a member of the Domain Admins group, install AGPM Server and assign
the AGPM Administrator role to an account or group.
• Using accounts to which you will assign AGPM roles, install AGPM Client.
• Using an account with the AGPM Administrator role, configure AGPM and delegate access to
GPOs by assigning roles to other accounts.
• Using an account with the Editor role, request the creation of a GPO, which you then approve
using an account with the Approver role. With the Editor account, check the GPO out of the
archive, edit the GPO, check the GPO into the archive, and request deployment.
• Using an account with the Approver role, review the GPO and deploy it to your production
environment.
• Using an account with the Editor role, create a GPO template and use it as a starting point to
create a new GPO.
• Using an account with the Approver role, delete and restore a GPO.
Figure 1: AGPM 4.0 SP1 Roles and their functions
Planning AGPM Deployment
AGPM can be deployed to serve the needs of any size organization, any network infrastructure, and any
security model. This planning guide presents common deployment configurations. Even though these
scenarios are presented as discrete units, your implementation of AGPM may consist of a combination of
these scenarios. For example, you might have data centers that use one configuration but branch offices
that use a different one.
Note: The level of management centralization in AGPM can be influenced by your corporate structure and
network performance issues between domains. The number of GPOs that AGPM manages is typically not a
factor in the level of management centralization.
Centralized Configuration
The centralized configuration assumes a single computer running AGPM Server and one or more client
computers running the AGPM Client. Figure 2 provides an example of the centralized configuration, in
which one AGPM Server is serving multiple domains.
Figure 2. Example of the centralized configuration
Select the centralized configuration when:
• The Active Directory Domain Services (AD DS) infrastructure includes a single forest.
• Availability and scalability do not require more than one computer running AGPM Server.
  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other
  centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server
  to meet scaling requirements.
• High-speed and reliable network connectivity exists between domains, the AGPM Server, and the
AGPM Clients.
Decentralized Configuration
The decentralized configuration assumes that more than one computer is running AGPM Server. Figure 3
provides an example of the decentralized configuration, in which some AGPM Servers serve multiple
domains while other AGPM Servers each serve only one domain.
Note: Ensure that each domain is served by only one AGPM Server. Do not allow multiple AGPM Servers to
serve the same domain.
Figure 3. Example of the decentralized configuration
Select the decentralized configuration when:
• The AD DS infrastructure includes multiple forests.
  Note: An AGPM Server can only serve multiple domains within a forest. An AGPM Server cannot serve
  multiple domains in different forests.
• Availability and scalability require more than one computer running AGPM Server.
  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other
  centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server
  to meet scaling requirements.
• The network connectivity between sites is slow or erratic, which requires an AGPM Server to be
placed in each site.
Manage Group Policy in Extranets
Most organizations have extranets as a part of their network infrastructure. These extranets are also
known as perimeter networks or demilitarized zones (DMZs). In some extranets, organizations deploy an
AD DS forest dedicated to managing the identities and computers in the extranet. These domains also
have the same Group Policy management issues.
These extranet forests are intentionally isolated from the private forests in the intranet for security
reasons. Because the extranet forests are isolated, you must deploy at least one AGPM Server and
AGPM Client to manage the Group Policy settings in the extranet forest.
You deploy AGPM Server on at least one member server or domain controller in the extranet. You deploy
the AGPM Client on the computers that are currently used to manage the extranet forest, which can be in
the extranet or within the intranet.
If you deploy the AGPM Client on a computer in the intranet, you must open the AGPM port on any
intermediary firewalls. By default, the AGPM Server and AGPM Client communicate by using TCP port 4600,
so you must allow TCP port 4600 on any intermediary firewalls between the AGPM Server and the AGPM
Client. The firewall rule should allow traffic that originates on the internal network to reach the AGPM
Server, and a stateful rule should then allow the AGPM Server's replies back to the client.
Note: If you changed the default TCP port for AGPM communications during the installation process,
enable that TCP port instead of the default TCP port 4600.
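Creating that firewall rule scoped to the management network on the AGPM Server, and checking reachability of the port from a client, as an added example that is not from the guide. It assumes an AGPM Server running Windows 8 or Windows Server 2012 (New-NetFirewallRule and Get-NetTCPConnection are not available on the older systems the guide supports); the subnet, server name and port are placeholders for your own values.

```powershell
# Added example (not part of the Microsoft guide). Run the first part on the AGPM Server as an
# administrator; it needs the NetSecurity and NetTCPIP modules (Windows 8 / Windows Server 2012
# or later). The subnet and host name below are placeholders.
$AgpmPort     = 4600           # default AGPM Service port; use your custom port if you changed it in Setup
$ClientSubnet = '10.0.1.0/24'  # placeholder: subnet of the workstations that run AGPM Client

# Inbound rule limited to the management subnet and the AGPM port. If you cleared Setup's
# "Add port exception to firewall" checkbox in order to configure the exception yourself, this is
# one such rule: it admits only traffic that originates on the internal network, as the guide asks.
New-NetFirewallRule -DisplayName "AGPM Service (TCP $AgpmPort) from management subnet" `
    -Direction Inbound -Protocol TCP -LocalPort $AgpmPort `
    -RemoteAddress $ClientSubnet -Profile Domain -Action Allow | Out-Null

# Confirm that a process is actually listening on the port before troubleshooting the firewall.
Get-NetTCPConnection -State Listen -LocalPort $AgpmPort |
    Select-Object LocalAddress, LocalPort, OwningProcess

# --- Run on an AGPM Client workstation ---
# TcpClient works on every client OS the guide lists; the result distinguishes a silent drop by an
# intermediary firewall (timeout) from a reachable host that refuses the connection.
function Test-AgpmPort {
    param([string]$Server, [int]$Port = 4600, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'Timeout (filtered or no route)'
        }
        $client.EndConnect($async)          # throws if the connection was refused
        return 'Open'
    } catch {
        return "Refused or unreachable: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}
Test-AgpmPort -Server 'agpm01.corp.example.com' -Port $AgpmPort   # placeholder server name
```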
Collect Necessary Information About the Existing AD DS Infrastructure and GPOs
As the first step in planning your AGPM deployment, collect all the pertinent information about your
existing AD DS infrastructure and the GPOs. In some instances, this information already exists as a part
of your documentation. If the information does not exist, gather this information for the planning process.
The required information is listed in Table 1.
Table 1. Information to Collect About the Existing AD DS Infrastructure and GPOs
Information collected | Helps you determine the
Number of AD DS forests | Number of AGPM Servers
Whether network connectivity issues exist between some domains | Number of AGPM Servers
Level of centralization of administration | Number of AGPM Servers
GPOs in each domain | Number of GPOs to manage using AGPM
IT pros who manage access to GPOs, edit GPOs, approve GPO creation, deployment, and deletion, or require read-only access to information about GPOs | AGPM roles to be assigned to each user, and who requires AGPM Client
Determine the Number of AGPM Servers Required
In the single-server scenario, only one AGPM Server is deployed, which means the one AGPM Server
manages the GPOs for all the domains in a single forest. In the multiple-server scenario, you deploy two
or more computers running AGPM Server in your environment.
You can deploy AGPM Server on a member server or a domain controller. Installing AGPM Server installs
the AGPM Service on the computer. For information on the AGPM Server installation requirements, see
Microsoft AGPM Server Requirements.
In the multiple-server scenario, deploy a separate AGPM Server for:
• Each forest in your AD DS infrastructure.
• Each site that is isolated by network connectivity issues.
• Each site that your organization's structure requires to be managed separately.
Note: At this step in the planning process, you are concerned only with the number of AGPM Servers
required to support your environment. Deploying additional AGPM Servers for availability and scalability is
discussed later in this guide.
Determine the Number of AGPM Clients Required
In either the single-server or multiple-server scenario, you deploy one or more AGPM Clients. Deploy the
AGPM Client on every computer used to administer GPOs. For information on the AGPM Client
installation requirements, see Microsoft AGPM Client Requirements.
Determine the E-mail Infrastructure Requirements
During configuration of the AGPM Server connection, you should specify the fully qualified domain name
(FQDN) of a computer running SMTP. This computer can be the SMTP service running on the same
computer as Microsoft Exchange Server, or it can be an SMTP relay that forwards e-mail messages to
your messaging infrastructure.
Additional e-mail infrastructure planning considerations exist:
• If the SMTP servers restrict message relaying to a specific list of computers or IP addresses, you
must add each AGPM Server to the list of approved computers or IP addresses.
• If there are intervening firewalls between the AGPM Servers and the SMTP servers, you may need to
modify the firewall rules to allow SMTP traffic from the AGPM Servers.
Determine the AGPM Archive Location and Storage Requirements
AGPM stores the current and previous versions of GPOs in the AGPM archive. The default path for the
AGPM archive is %ProgramData%\Microsoft\AGPM on the AGPM Server. Beneath this folder is a
subfolder for each GPO stored in the archive.
You can configure the AGPM Service to store the archive in a different path, even on another computer.
For example, you may want to store the archive on a volume that is located on a Storage Area Network
(SAN) logical unit (LUN) or on a local disk that has greater capacity than the system disk. To calculate the
storage requirements for the AGPM archive, use the following calculation:
Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver
Table 2 lists the variables in the equation listed above and provides a brief description of each. Perform
this calculation for each AGPM Server in your plan.
Table 2. Variables for Calculating AGPM Archive Storage Requirements
Variable | Description
Avg_GPO_Size | The average size of the GPOs in your environment; for most GPOs, you can use a value of 64 kilobytes (KB).
Num_GPO | The number of GPOs in your current production environment that this AGPM Server will manage.
Num_Ver | The number of GPO versions retained in the archive; you can configure the maximum number of versions to retain in the archive (by default, AGPM retains all GPO versions).
For most modern computers, the storage requirements for the AGPM archive are negligible. However,
you can reduce the storage requirements by limiting the number of GPO versions retained. You can
specify a value from 0 to 999 versions; if you specify 0, only the current GPO version is retained in
the archive. Although each organization will vary, retaining the last 10 versions in the AGPM archive is a
recommended initial configuration value. You can then adjust the number of versions retained in the
archive based on your experience in your organization. For more information on how to limit the number
of GPO versions stored, see Limit the GPO Versions Stored in Microsoft Advanced Group Policy
Management Help.
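One way to measure Avg_GPO_Size from the actual GPO folders in SYSVOL rather than assuming 64 KB, and then apply the formula above for a chosen version limit, as an added example that is not part of the guide. It assumes the GroupPolicy module that ships with the GPMC, Windows PowerShell 3.0 or later, and a placeholder domain name; summing the results per AGPM Server is left to your plan.

```powershell
# Added example (not part of the Microsoft guide). Run from a computer that has the GPMC
# installed (it provides the GroupPolicy module) under an account that can read SYSVOL.
# Requires Windows PowerShell 3.0 or later.
Import-Module GroupPolicy

function Get-AgpmArchiveEstimate {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        # The version limit you intend to configure in AGPM (0-999). A limit of 0 still keeps
        # the current version, so at least one copy of each GPO is stored.
        [ValidateRange(0, 999)] [int]$VersionLimit = 10,
        # Fallback for a GPO folder that cannot be measured; 64 KB is the guide's planning value.
        [int64]$DefaultGpoSize = 64KB
    )
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $gpos = @(Get-GPO -All -Domain $Domain)

    # Measure each GPO's SYSVOL folder instead of assuming the 64 KB average.
    $sizes = foreach ($gpo in $gpos) {
        $folder = Join-Path $policies "{$($gpo.Id)}"
        $sum = (Get-ChildItem -Path $folder -Recurse -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum).Sum
        if ($sum) { [int64]$sum } else { $DefaultGpoSize }
    }

    # The guide's formula: Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver
    $Num_GPO      = $gpos.Count
    $stats        = if ($Num_GPO -gt 0) { $sizes | Measure-Object -Average -Maximum }
    $Avg_GPO_Size = if ($stats) { $stats.Average } else { 0 }
    $Largest      = if ($stats) { $stats.Maximum } else { 0 }
    $Num_Ver      = [Math]::Max(1, $VersionLimit)
    $bytes        = [int64]($Avg_GPO_Size * $Num_GPO * $Num_Ver)

    [pscustomobject]@{
        Domain              = $Domain
        Num_GPO             = $Num_GPO
        Avg_GPO_Size_KB     = [Math]::Round($Avg_GPO_Size / 1KB, 1)
        Largest_GPO_KB      = [Math]::Round($Largest / 1KB, 1)
        Num_Ver             = $Num_Ver
        Storage_Required_MB = [Math]::Round($bytes / 1MB, 1)
    }
}

# Run once per domain that an AGPM Server in your plan will manage and add up the results
# for each server. 'corp.example.com' is a placeholder.
Get-AgpmArchiveEstimate -Domain 'corp.example.com' -VersionLimit 10
```

The Largest_GPO_KB column flags outliers (for example GPOs carrying large scripts or installers) that make the average a poor planning figure for a particular server.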
Installing and Configuring AGPM 4.0 SP1
Before you install AGPM 4.0 SP1, create four user accounts: AGPM Administrator (granted Full Control to
AGPM), AGPM Approver, AGPM Editor, and AGPM Reviewer. Ensure these accounts have the
appropriate rights and capabilities to send email messages. You must also assign the Link GPOs
permission to the accounts that will hold the AGPM Administrator and Approver roles and, optionally, to
the account that will hold the AGPM Editor role.
Note: Link GPOs permission is assigned to members of Domain Administrators and Enterprise
Administrators by default. To assign Link GPOs permission to additional users or groups (such as
accounts with the roles of AGPM Administrator or Approver), from GPMC select the domain and then
click the Delegation tab, select Link GPOs, click Add, and select users or groups to which to assign the
permission.
Steps for Installing AGPM 4.0 SP1
You must complete the following steps to install and configure AGPM 4.0 SP1:
• Step 1: Install AGPM Server
• Step 2: Install AGPM Client
• Step 3: Configure an AGPM Server connection
• Step 4: Configure email notification
• Step 5: Delegate Access
• Step 6: Secure AGPM
Step 1: Install AGPM Server
AGPM Server 4.0 SP1 can be installed on either a domain controller or a member server, although
installing on a domain controller is not recommended. The server on which you install AGPM Server runs
the AGPM Service and is used to configure the AGPM archive. All AGPM operations are managed through
this Windows service and are executed using the service's credentials. The AGPM archive can be hosted
on this server or on any other server within the same Active Directory Domain Services forest.
To install the AGPM Server on the computer that will host the AGPM Service:
1. Log on to the server with an account that is a member of the Domain Admins group.
2. Insert the Microsoft Desktop Optimization Pack (MDOP) CD in the CD-ROM drive of the server. If
autoplay is enabled, the CD will start automatically. Otherwise, browse to the CD using File Explorer
or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.
3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft
Advanced Group Policy Management.
4. On the Microsoft Advanced Group Policy Management page, select the appropriate server to
install by selecting Install Server (32-bit) or Install Server (64-bit). The installation wizard will
launch.
5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Server
screen, click Next.
6. On the Microsoft Software License Terms page, read the license, and then click I accept the
license terms and then click Next.
7. On the Application Path page, accept the default location to install AGPM Server, or type a custom
location and then click Next.
8. On the Archive Path page, accept the default location to place the AGPM archive directory, or type a
custom path and then click Next.
9. On the AGPM Service Account page, type the username and password of the domain account
which will be used as the AGPM Service account and then click Next. Note that if you are in a single
Active Directory Domain Services domain, or will only be managing GPOs in a single domain, and are
installing AGPM Server on a domain controller, you can use the Local System Account as the AGPM
Service account.
10. On the Archive Owner page, type the user account which will be assigned the AGPM Administrator
(Full Control) role and then click Next. Once assigned, the AGPM Administrator can then delegate
roles to other GPO administrators.
11. On the Port Configuration page, accept the default port on which the AGPM Service should listen,
or type in a custom port and then click Next. You should not clear the Add port exception to firewall
checkbox unless you plan to manually configure the port exceptions.
12. On the Languages page, select the appropriate display languages for your organization to install
AGPM Server and then click Next.
13. On the Ready to Install Microsoft Advanced Group Policy Management Server page, click the
Details button to see which prerequisite Windows features are required for AGPM Server and then in
the Details box click OK. Note that if the required Windows features are not already present, they will
be installed by AGPM Server installation. Click Install.
14. On the Completed the Microsoft Advanced Group Policy Management Server Setup Wizard page,
click Finish.
Caution: Do not modify settings for the AGPM Service through Administrative Tools and Services in the
operating system. Doing so can prevent the AGPM Service from starting. For information on how to
modify settings for the service, see Help for Advanced Group Policy Management.
Step 2: Install AGPM Client
Each Group Policy administrator (anyone who will create, edit, review, deploy or delete GPOs) must have
the AGPM Client installed on the workstation used to manage GPOs. AGPM Client does not need to be
installed on end-user workstations whose users do not administer GPOs.
To install AGPM Client on the computer that will be used to administer GPOs:
1. Log on to the computer with an account that is a member of the local Administrators group.
2. Insert the Microsoft Desktop Optimization Pack (MDOP) DVD in the DVD-ROM drive of the computer.
If autoplay is enabled, the DVD will start automatically. Otherwise, browse to the DVD using File
Explorer or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.
3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft
Advanced Group Policy Management.
4. On the Microsoft Advanced Group Policy Management page, select the appropriate client to
install by selecting Install Client (32-bit) or Install Client (64-bit). The installation wizard will launch.
5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Client
screen, click Next.
6. On the Microsoft Software License Terms page, read the license, click I accept the license terms, and
then click Next.
7. On the Application Path page, accept the default location to install AGPM Client, or type a custom
location and then click Next.
8. On the AGPM Server page, type the DNS name or IP address of the AGPM Server and the port
configured when installing AGPM Server, and then click Next. You should not clear the Allow
Microsoft Management Console through the firewall checkbox unless you plan to manually configure
the firewall exceptions.
9. On the Languages page, select the appropriate display languages for your organization to install
AGPM Client and then click Next.
10. On the Ready to Install Microsoft Advanced Group Policy Management Client page, click the
Details button to see which prerequisite Windows features are required for AGPM Client, and then in
the Details box click OK. Note that if the required Windows features are not already present, they will
be installed by the AGPM Client installation. Click Install.
11. On the Completed the Microsoft Advanced Group Policy Management Client Setup Wizard page,
click Finish.
Step 3: Configure an AGPM Server Connection
AGPM stores every version of each controlled Group Policy Object (that is, each GPO for which AGPM
provides change control) in a central archive, so that Group Policy administrators can view or modify
GPOs offline without immediately affecting the deployed version of each GPO. The AGPM Server
connection setting ensures that all Group Policy Administrators connect to the same AGPM Server. For
information about configuring multiple AGPM Servers, see Help for Advanced Group Policy Management.
To configure an AGPM Server connection for all Group Policy Administrators:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Group Policy Objects container.
4. Right-click any GPO which is applied to all Group Policy Administrators, for example the Default
Domain Policy, and then click Edit.
5. In the Group Policy Management Editor window, expand User Configuration, Policies, Administrative
Templates, Windows Components, and then click AGPM.
6. In the Details pane, double-click AGPM: Specify default AGPM Server (all domains).
7. In the AGPM: Specify default AGPM Server (all domains) Properties window, select Enabled, type
the fully qualified domain name (FQDN) and port of the server hosting the AGPM archive, for
example AGPMServer.contoso.com:4600, and then click OK.
8. Close the Group Policy Management Editor window.
Note: At the next Group Policy refresh, typically 90 minutes on client computers, this policy setting will
take effect. Depending on your Active Directory Domain Services design, it could be several hours for
the policy setting to take effect on all computers.
Step 4: Configure Email Notification
When an Editor or a Reviewer attempts to create, deploy, or delete a GPO, a request for this action is
sent to a designated email address (or addresses) so that an Approver can evaluate the request and
either implement or deny the action. An AGPM Administrator (Full Control) can designate the email
address (or addresses) of Approvers and AGPM Administrators, and configure the alias from which the
emails are sent.
To configure email notification for AGPM:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. In the Details pane, click the Domain Delegation tab.
5. In the From email address field, type the email alias for AGPM from which notifications should be
sent.
6. In the To email address field, type the email address (or addresses, separated by commas) of the
Approvers who should receive the request for approval. The email address can be that of a user or a
distribution list.
7. In the SMTP server field, type the FQDN of a valid SMTP Server.
8. In the User name and Password fields, type the credentials of a user with access to the SMTP
service and then click Apply.
Note: By default, email messages sent as a result of actions in Advanced Group Policy Management
are not encrypted. However, you can configure email security for AGPM using registry settings to
specify whether to use Secure Sockets Layer (SSL) encryption and which SMTP port to use. For more
information, go to the Secure AGPM section later in this guide.
Step 5: Delegate Access
Set up delegation for your environment so that Group Policy Administrators have the appropriate access
to, and control over, GPOs in the archive. There are baseline permissions you can apply to make
operations more efficient. You can grant permissions in any manner that meets the needs of your
organization.
Before you delegate permissions to manage GPOs, here are some points to consider:
• By default, you must be an AGPM Administrator (Full Control) to perform this procedure. Specifically,
you must have Modify Security permission for the domain.
• To delegate read access to Group Policy Administrators who use AGPM, you must grant both List
Contents and Read Settings permissions. This enables Group Policy Administrators to view GPOs on
the Contents tab of AGPM. Other permissions must be explicitly delegated.
• Editors must be granted Read permission for the deployed copy of a GPO to make full use of Group
Policy Software Installation.
• Membership of the Group Policy Creator Owners group should be restricted, so that members cannot
circumvent AGPM's management access to GPOs.
To delegate access to all GPOs throughout the domain:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. On the Domain Delegation tab, click the Add button.
5. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy
Administrator to which you wish to assign the Approver role, and then click OK.
6. In the Add Group or User box, in the Role drop-down list, select Approver. This will assign the
Approver role to this user or group account. The Approver role includes the Reviewer role.
7. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy
Administrator to which you wish to assign the Editor role, and then click OK.
8. In the Add Group or User box, in the Role drop-down list, select Editor. This will assign the Editor
role to this user or group account. The Editor role includes the Reviewer role.
9. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy
administrator to which you wish to assign the Reviewer role, and then click OK.
10. In the Add Group or User box, in the Role drop-down list, select Reviewer. This will assign the
Reviewer role to this user or group account.
Step 6: Secure AGPM
As you plan the configuration of your AGPM deployment, include the security decisions that will keep
AGPM secure. These decisions include:
• Assigning the appropriate security roles to Group Policy Administrators (the users in your
organization whose responsibilities include Group Policy management and administration).
• Securing the service account used by the AGPM Service running on each AGPM Server.
• Securing the AGPM archive.
• Securing communication between the AGPM Clients and the AGPM Servers.
• Hardening computers running AGPM Server.
• Configuring AGPM-only Group Policy management.
As discussed earlier in this guide, email notifications sent because of actions in AGPM are not encrypted,
and are sent through SMTP port 25. However, you can configure email security for AGPM by using the
Windows registry, modifying settings to specify whether to use SSL encryption and which SMTP port to
use. By encrypting AGPM email notifications, you better protect messages that could reveal sensitive
information about your organization's security configuration. Encrypting email is recommended when the
email is relayed through remote servers, and may be required by some compliance regulations.
Caution: Incorrectly editing the Windows Registry may severely damage your system. Before making
any changes to the Windows Registry, make a backup copy of the Windows registry, and back up any
data on the computer.
Assign the Appropriate Security Roles to Group Policy Administrators:
AGPM provides comprehensive, easy-to-use, role-based delegation. It includes domain-level permissions
that allow you to provide access to all GPOs throughout a domain, and GPO-level delegation that allows
you to configure access to specific GPOs. The following table lists the roles in AGPM, with a brief
description of each role:
Role: Description
AGPM Administrator (Full Control): This role has full control of the AGPM environment. An AGPM Administrator can assign any role to other Group Policy Administrators, including the AGPM Administrator role. By default, the Archive owner, specified during AGPM Server installation, is assigned this role.
Approver: This role approves changes to GPOs made by users who have been assigned the Editor role. This role also has the ability to deploy GPOs to the production environment.
Editor: This role modifies GPOs. Any modifications made by Group Policy Administrators assigned this role must be approved and deployed by a Group Policy Administrator assigned the Approver role.
Reviewer: This role views GPOs and reviews their settings in reports. All other roles include this role.
As a best practice, create security groups in Active Directory Domain Services and assign the AGPM
roles to the groups. Then add Group Policy Administrators to the appropriate security groups. This will
reduce the complexity of AGPM administration. Additional recommendations when planning the security
roles include:
• Use the principle of least privilege: When planning which AGPM roles or permissions to assign to
users or groups, assign the lowest set of permissions required to perform an AGPM task.
• Limit the number of users assigned the AGPM Administrator (Full Control) role: This highly-privileged
role should only be assigned to a few users.
• Perform regular security audits of AGPM roles: Auditing the roles, and the membership of the groups
assigned the roles, ensures that only authorized users hold them. These roles and permissions should
be tightly controlled.
The following table lists the AGPM permissions:
Permission: Description
Full Control: Includes all other permissions
Create GPO: Create GPOs in the domain (this is a domain-wide permission)
List Contents: List the GPOs in the domain
Read Settings: Read the GPO settings within a specific GPO
Edit Settings: Modify the GPO settings within a specific GPO
Delete GPO: Delete a specific GPO
Modify Security: Delegate domain-level access, access to a specific GPO, and access to the production environment
Deploy GPO: Deploy a GPO from the AGPM archive into the production environment
Create Template: Create an AGPM template
Modify Options: Configure AGPM email notification and limit the GPO versions stored in the archive
The following table lists the AGPM roles and the permissions assigned to each role:
Role: Includes these AGPM permissions
AGPM Administrator (Full Control): List Contents, Read Settings, Edit Settings, Create GPO, Deploy GPO, Delete GPO, Modify Options, Modify Security, Create Template
Approver: List Contents, Read Settings, Create GPO, Deploy GPO, Delete GPO
Editor: List Contents, Read Settings, Edit Settings, Create Template
Reviewer: List Contents, Read Settings
AGPM roles and permissions can be assigned at the domain level or to individual GPOs. Roles and
permissions assigned at the domain level are automatically inherited by all GPOs in the domain. Roles or
permissions assigned to an individual GPO override those inherited from the domain level for that GPO.
To assign domain-level roles and permissions:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Domain Delegation tab and then click Add.
5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to
assign an AGPM role, click Check Names and then click OK.
6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and
then click OK.
To assign GPO-level roles and permissions:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Contents tab, select the GPO to which you wish to assign the GPO-level permission, and
then click Add.
5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to
assign an AGPM role, click Check Names and then click OK.
6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and
then click OK.
Secure the AGPM Service Account:
The AGPM Service runs on every computer on which AGPM Server is installed. During the installation
process, you must provide an account to be used as the AGPM Service account. The minimum set of
permissions required by the AGPM Service account includes:
• Membership in the Group Policy Creator Owners group in each domain that is managed by AGPM.
• Membership in the Backup Operators group in each domain that is managed by AGPM.
• Full Control permission on the AGPM Server archive folder. This permission is granted automatically
if the archive folder resides on a local hard drive of the AGPM Server. Otherwise, the permission must
be assigned manually.
• Full Control permission on the local system Temp folder, typically %windir%\temp.
• Full Control permission on any existing GPOs that will be managed by AGPM.
Additional recommendations for this account include:
• Use a strong password, increasing both its length and complexity.
• Users should never log on interactively with the AGPM Service account. The account should be
restricted to logging on as a service only. This can be enforced through Group Policy by configuring
the following settings: Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\User Rights Assignment\Log on as a service, and Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Deny log on locally.
• Use fine-grained password policies if your domain is at the Windows Server 2008 domain functional
level. For more information on fine-grained password policies, see
http://technet.microsoft.com/en-us/library/cc770394.aspx.
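The following PowerShell script is an added example for auditing the service account against the group memberships and logon restrictions listed above; it is not part of the AGPM guide or the AGPM product. It assumes the RSAT ActiveDirectory module is installed, that it runs in an elevated session on the AGPM Server (secedit needs local administrator rights), and that svc-agpm is a placeholder for the account entered on the AGPM Service Account page during setup.

```powershell
# Added example (not from the AGPM guide): audit the AGPM Service account.
# Assumptions: RSAT ActiveDirectory module available; elevated session on the
# AGPM Server; $ServiceAccount is a placeholder for your service account.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-agpm'   # placeholder sAMAccountName; replace with yours

function Get-ServiceAccountGroupFindings {
    param([string]$SamAccountName)
    $user     = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Direct memberships only; nested membership is not expanded here.
    $groups   = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $required = @('Group Policy Creator Owners', 'Backup Operators')

    foreach ($g in $required) {
        [pscustomobject]@{
            Check  = "Member of '$g'"
            Result = if ($groups -contains $g) { 'OK' } else { 'MISSING (required by AGPM)' }
        }
    }
    # Every extra group widens what a compromise of this account can reach.
    foreach ($g in ($groups | Where-Object { $_ -notin $required })) {
        [pscustomobject]@{ Check = "Extra membership '$g'"; Result = 'REVIEW' }
    }
}

function Get-ServiceAccountRightsFindings {
    param([string]$SamAccountName)
    # Export the effective local security policy. User rights appear as lines
    # like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1108
    $tmp = Join-Path $env:TEMP 'agpm-secpol.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS /quiet | Out-Null
    $lines = Get-Content -Path $tmp
    Remove-Item -Path $tmp -Force
    $sid = (Get-ADUser -Identity $SamAccountName).SID.Value

    function HasRight([string]$Right) {
        $line = $lines | Where-Object { $_ -like "$Right =*" }
        return ($null -ne $line) -and
               ($line -match [regex]::Escape($sid) -or $line -match [regex]::Escape($SamAccountName))
    }

    [pscustomobject]@{
        Check  = 'Log on as a service (SeServiceLogonRight)'
        Result = if (HasRight 'SeServiceLogonRight') { 'OK' } else { 'MISSING (service will fail to start)' }
    }
    [pscustomobject]@{
        Check  = 'Deny log on locally (SeDenyInteractiveLogonRight)'
        Result = if (HasRight 'SeDenyInteractiveLogonRight') { 'OK' } else { 'NOT SET (interactive logon still allowed)' }
    }
}

Get-ServiceAccountGroupFindings  -SamAccountName $ServiceAccount | Format-Table -AutoSize
Get-ServiceAccountRightsFindings -SamAccountName $ServiceAccount | Format-Table -AutoSize
```

The rights check reads the policy that is actually in effect on the server (including anything applied by Group Policy), so it doubles as confirmation that the User Rights Assignment settings above reached the AGPM Server. A missing Deny log on locally entry is reported as a finding rather than an error, since the guide treats it as a recommendation.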
Secure the AGPM Archive:
By default, the AGPM archive folder is stored on a local hard disk of the AGPM Server. However, the
archive can be stored on a computer other than the AGPM Server. The default installation of AGPM Server
grants file system access to the AGPM Service account, SYSTEM, and the local Administrators group on
the AGPM Server. The AGPM console allows you to control access to the archive; by default, AGPM
Administrator (Full Control) is the only role that has full control of the archive.
Recommendations to secure the AGPM archive include:
• Limit the number of users in the local Administrators group on the AGPM Server.
• Periodically audit the permissions on the archive and remove unauthorized permissions.
Securing Communication Between the AGPM Clients and the AGPM Servers:
The AGPM Server communicates with AGPM Clients, Active Directory Domain Services domain
controllers, Domain Name System (DNS) servers, and the SMTP server that delivers email notifications.
To help prevent unauthorized users from viewing this communication, encrypt all communications among
the AGPM Server, AGPM Clients, domain controllers, DNS servers, and the SMTP server.
Encrypt AGPM communication by using:
• Internet Protocol Security (IPsec): IPsec encrypts all traffic and is transparent to higher-level
protocols.
• Secure SMTP: Secure SMTP only requires a certificate for the encryption, which can come from
your organization's public key infrastructure (PKI) or from a public certificate authority.
• Configure email security for AGPM: By default, email messages sent as a result of actions in
Advanced Group Policy Management are not encrypted. However, you can configure email security
for AGPM using registry settings to specify whether to use SSL encryption and which SMTP port to
use.
o To configure email security for AGPM by using Group Policy Preferences:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full
Control) role. This is the user designated as the Archive owner during the installation of AGPM
Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Group Policy Objects container.
4. Edit a GPO which is applied to all AGPM Servers for which you wish to configure email security, or
create a new GPO which will be applied to all AGPM Servers for which you wish to configure email
security.
5. In the Group Policy Management Editor window, expand to Computer Configuration, Preferences,
Windows Settings, Registry.
6. In the Console Tree, right-click Registry, point to New and then click Collection Item. Name the
New Collection Item AGPM Email Security.
7. In the Console tree, right-click AGPM Email Security, point to New and then click Registry Item.
8. In the New Registry Properties box, fill in the properties using the values in the following table and
then click OK.
Field: Value
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\AGPM
Value Name: EncryptSmtp
Value Type: REG_DWORD
Value Data: 1 (to use SSL) or 0 (to send email without encryption)
Base: Decimal
9. In the Console tree, right-click AGPM Email Security, point to New and then click Registry Item.
10. In the New Registry Properties box, fill in the properties using the values in the following table and
then click OK.
Field: Value
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\AGPM
Value Name: SmtpPort
Value Type: REG_DWORD
Value Data: 587 (to use SSL) or 25 (to send email without encryption)
Base: Decimal
11. Close the Group Policy Management Editor window.
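As an added example that is not part of this guide, the following PowerShell applies and then verifies the same two registry values directly on an AGPM Server. This is useful both as a manual alternative to the Group Policy Preferences items and as a compliance check that the items actually landed on every AGPM Server (the Step 4 note earlier in this guide points here for exactly this configuration). The key path and value names are those in the tables above; the function names are the example's own, and it must run in an elevated session on the AGPM Server.

```powershell
# Added example (not from the AGPM guide): apply and verify AGPM email security
# registry values on an AGPM Server. Key path and value names come from the
# guide's tables; function names are this example's own. Run elevated.

$AgpmKey = 'HKLM:\SOFTWARE\Microsoft\AGPM'

function Set-AgpmEmailSecurity {
    # -UseSsl sets EncryptSmtp=1 and SmtpPort=587; otherwise 0 and 25.
    param([switch]$UseSsl)
    if (-not (Test-Path -Path $AgpmKey)) {
        New-Item -Path $AgpmKey -Force | Out-Null
    }
    $encrypt = if ($UseSsl) { 1 } else { 0 }
    $port    = if ($UseSsl) { 587 } else { 25 }
    # REG_DWORD, decimal base, matching the Group Policy Preferences items above.
    Set-ItemProperty -Path $AgpmKey -Name 'EncryptSmtp' -Value $encrypt -Type DWord
    Set-ItemProperty -Path $AgpmKey -Name 'SmtpPort'    -Value $port    -Type DWord
}

function Test-AgpmEmailSecurity {
    # Absent values mean AGPM's defaults apply: unencrypted SMTP on port 25.
    $props   = Get-ItemProperty -Path $AgpmKey -ErrorAction SilentlyContinue
    $encrypt = if ($props -and $null -ne $props.EncryptSmtp) { [int]$props.EncryptSmtp } else { 0 }
    $port    = if ($props -and $null -ne $props.SmtpPort)    { [int]$props.SmtpPort }    else { 25 }

    $finding = if ($encrypt -ne 1) {
        'Notifications are sent without encryption'
    } elseif ($port -eq 25) {
        'SSL enabled but port 25 configured; confirm the SMTP server offers TLS on 25'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Server      = $env:COMPUTERNAME
        EncryptSmtp = $encrypt
        SmtpPort    = $port
        Compliant   = ($encrypt -eq 1)
        Finding     = $finding
    }
}

Set-AgpmEmailSecurity -UseSsl
Test-AgpmEmailSecurity | Format-List
```

Run only Test-AgpmEmailSecurity on servers where the Group Policy Preferences items are the intended source of truth; the Set function is for a server that is not in scope of that GPO. Because the AGPM Service reads these values itself, no change to the service through Administrative Tools is needed, which keeps within the Caution in Step 1.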
Hardening of Computers Running AGPM Server:
The default installation of AGPM Server installs AGPM Server in as secure a configuration as possible.
The following table describes the security footprint for the AGPM Server:
Installation Change: Description
Services:
  Service Name: AGPM Service
  Display Name: AGPM Service
  Path to Executable: %programfiles%\Microsoft\AGPM\Server\AGPM.exe
  Startup: Automatic (Delayed Start)
  Logon as: Account specified during installation
Windows Firewall: The AGPM Server installation creates an inbound Windows Firewall rule with the following configuration:
  Name: AGPM Service
  Action: Allow the connection
  Protocol type: TCP
  Local Port: 4600
  Remote Port: All ports
  Local IP Address: Any
  Remote IP Address: Any
File System: The AGPM Server installation process creates folders and files on the local file system. The default installation folder for AGPM is %ProgramFiles%\Microsoft\AGPM. There is a subfolder beneath the AGPM folder for the AGPM Client and the AGPM Server, each with several files. By default, AGPM Administrator is granted rights to this folder during installation, but the AGPM Console can be used to grant and remove permissions.
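The PowerShell below is an added example, not part of the guide, that checks an AGPM Server against the security footprint in the table above and flags anything that has drifted from it or widened it. It assumes an elevated session on the AGPM Server, the NetSecurity module (Get-NetFirewallRule, present on Windows Server 2012 and later), and that D:\AGPMArchive is a placeholder for the Archive Path chosen during setup.

```powershell
# Added example (not from the AGPM guide): verify the AGPM Server footprint.
# Assumptions: elevated session on the AGPM Server; NetSecurity module present;
# $ArchivePath is a placeholder for the archive path chosen during setup.

$ArchivePath = 'D:\AGPMArchive'   # placeholder; use your Archive Path

function Test-AgpmServerFootprint {
    param([Parameter(Mandatory)][string]$ArchivePath)

    # 1. Service configuration, read from the service's own registry key so the
    #    check does not depend on the Windows version's Get-Service properties.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AGPM Service' -ErrorAction Stop
    $serviceAccount = $svc.ObjectName          # 'LocalSystem' or DOMAIN\account
    [pscustomobject]@{
        Check  = 'Service start type Automatic (Delayed Start)'
        Result = if ($svc.Start -eq 2 -and $svc.DelayedAutostart -eq 1) { 'OK' } else { "DIFFERS (Start=$($svc.Start), Delayed=$($svc.DelayedAutostart))" }
    }
    [pscustomobject]@{
        Check  = 'Service binary is %ProgramFiles%\Microsoft\AGPM\Server\AGPM.exe'
        Result = if ($svc.ImagePath -like '*\Microsoft\AGPM\Server\AGPM.exe*') { 'OK' } else { "DIFFERS ($($svc.ImagePath))" }
    }

    # 2. Inbound firewall rule: the installer default is TCP 4600 from any address.
    $rule = Get-NetFirewallRule -DisplayName 'AGPM Service' -ErrorAction SilentlyContinue
    if ($null -eq $rule) {
        [pscustomobject]@{ Check = 'Firewall rule "AGPM Service"'; Result = 'MISSING' }
    } else {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Check  = 'Firewall rule allows inbound TCP 4600 only'
            Result = if ($rule.Direction -eq 'Inbound' -and $port.Protocol -eq 'TCP' -and "$($port.LocalPort)" -eq '4600') { 'OK' } else { "DIFFERS ($($port.Protocol) $($port.LocalPort))" }
        }
        [pscustomobject]@{
            Check  = 'Firewall rule remote address scope'
            Result = if ("$($addr.RemoteAddress)" -eq 'Any') { 'DEFAULT (Any): consider limiting to Group Policy administrator subnets' } else { "Scoped to $($addr.RemoteAddress)" }
        }
    }

    # 3. Archive folder ACL: only the service account, SYSTEM and the local
    #    Administrators group should hold Full Control at the file system level.
    #    Generic rights bits on inherited ACEs are not expanded here.
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $serviceAccount)
    $full     = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $ArchivePath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $full) -ne $full) { continue }
        $id = $ace.IdentityReference.Value
        [pscustomobject]@{
            Check  = "Archive Full Control held by $id"
            Result = if ($expected -contains $id) { 'OK' } else { 'REVIEW (not in the default set)' }
        }
    }
}

Test-AgpmServerFootprint -ArchivePath $ArchivePath | Format-Table -AutoSize -Wrap
```

The remote-address check is deliberately reported as a default rather than a failure: the installer's rule answers on port 4600 from anywhere, and narrowing it to the subnets where AGPM Clients run is a hardening step beyond the guide's table.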
Other recommendations for hardening the AGPM Server and the AGPM Archive computer (if different)
include:
• Dedicate a computer to AGPM Server: This helps reduce the attack surface of the AGPM Server.
Installing additional roles, services, and applications that AGPM does not require increases the attack
surface of the computer. If the AGPM archive is stored on a different computer than the AGPM Server,
consider dedicating that computer to storing the AGPM archive only.
• Physically secure the AGPM Server: If unauthorized users have physical access to the server, they
may execute several attacks against the AGPM Server. Some recommended actions to physically
secure the AGPM Server include:
o Place the computer in a locked (or lockable) server rack.
o Place the computer in a secured data center, or a locked computer closet or wiring closet,
depending on your organization's size and layout.
o Disable the DVD or CD-ROM drive in the computer to prevent installation of unauthorized
software.
o Disable USB ports to prevent connection of removable devices.
• Enable Windows BitLocker Drive Encryption: Encrypting the local hard disks of the AGPM Server
and the AGPM Archive computer prevents unauthorized access to AGPM information if a hard disk or
the entire computer is stolen. The Windows BitLocker Drive Encryption keys are necessary to start the
computer and access the information on the local hard disk.
Configuring AGPM-only Group Policy Management:
After implementing AGPM in the environment, take steps to restrict Group Policy management to AGPM
only. This prevents administrators from using GPMC to create new GPOs or edit existing ones. GPMC is a
prerequisite for AGPM, so once AGPM is installed Group Policy administration can be performed with
either GPMC or AGPM. Because GPMC lacks change control and cannot service GPOs offline, Group
Policy administrators should use only AGPM for Group Policy creation, management, and administration.
The following tasks can be completed to ensure that AGPM is the only option for Group Policy
management:
1. Restrict GPO creation to AGPM
2. Restrict GPO management to AGPM
Restrict GPO Creation to AGPM
Restricting GPO creation to AGPM requires modifying the existing Active Directory permissions that give
administrators that capability. Administrators can use GPMC to select the Group Policy Objects node,
click the Delegation tab, and modify the permissions to remove the ability to create GPOs from GPMC.
AGPM performs all GPO administrative tasks through the AGPM Service account, so ensure that the
service account still has sufficient privileges to create GPOs when you remove or restrict GPO creation
permissions.
Note: A limited number of administrators should still have access to manage Group Policy with
GPMC, so that the change management process can be bypassed in exception scenarios.
Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be
necessary if those groups were used to assign permissions.
Restrict GPO Management to AGPM
The previous task recommends restricting the ability to create GPOs to the service account only.
However, because environments already have GPOs in production, restricting management of existing
GPOs must be considered carefully. It is recommended to bring GPOs under AGPM management by
making them Controlled GPOs. When a GPO becomes controlled, AGPM replaces its underlying Active
Directory permissions with the permissions defined on the Production Delegation tab. Select the Change
Control node in GPMC and then the Production Delegation tab to modify which permissions are placed
on controlled GPOs, and restrict them so that management of Controlled GPOs is only allowed from
AGPM.
Note: A limited number of administrators should still have access to manage Group Policy with
GPMC, so that the change management process can be bypassed in exception scenarios.
Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be
necessary if those groups were used to assign permissions.
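The following PowerShell is an added example, not part of the guide, that audits the outcome of both tasks above: who can still create GPOs from GPMC (trustees with Create groupPolicyContainer rights on the domain's Policies container) and who can still edit each production GPO (which the Production Delegation tab should have narrowed to the AGPM Service account plus the exception administrators). It assumes the RSAT ActiveDirectory and GroupPolicy modules, a caller who can read the Policies container's security descriptor, and that CONTOSO\svc-agpm is a placeholder for the AGPM Service account.

```powershell
# Added example (not from the AGPM guide): audit GPO creation and edit rights
# that remain outside AGPM. Assumptions: RSAT ActiveDirectory and GroupPolicy
# modules; read access to the Policies container ACL; $ServiceAccount is a
# placeholder for the AGPM Service account.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServiceAccount = 'CONTOSO\svc-agpm'   # placeholder DOMAIN\account

function Get-GpoCreationTrustees {
    # Who holds "Create child: groupPolicyContainer" (or create-any-child) on
    # CN=Policies,CN=System,<domain>? That is the right GPMC uses to create GPOs.
    $domain   = Get-ADDomain
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = New-Object Guid (,[byte[]]$gpcClass.schemaIDGUID)   # resolved from schema, not hard-coded
    $acl      = Get-Acl -Path "AD:\CN=Policies,CN=System,$($domain.DistinguishedName)"
    $create   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $create)) { continue }          # GenericAll includes CreateChild
        $anyChild = ($ace.ObjectType -eq [guid]::Empty)
        if (-not $anyChild -and $ace.ObjectType -ne $gpcGuid) { continue }       # some other object class
        $trustee = $ace.IdentityReference.Value
        [pscustomobject]@{
            Trustee = $trustee
            Scope   = if ($anyChild) { 'Any child object' } else { 'groupPolicyContainer' }
            Note    = if ($trustee -eq $ServiceAccount) { 'AGPM Service account (required)' } else { 'REVIEW: can create GPOs outside AGPM' }
        }
    }
}

function Get-GpoEditTrustees {
    # For every production GPO, list trustees with edit rights or higher. After
    # the GPOs are controlled, only the Production Delegation set should remain.
    $svcName = ($ServiceAccount -split '\\')[-1]
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ("$($perm.Permission)" -notin @('GpoEdit', 'GpoEditDeleteModifySecurity')) { continue }
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                Permission = "$($perm.Permission)"
                Note       = if ($perm.Trustee.Name -eq $svcName) { 'AGPM Service account' } else { 'REVIEW: editable from GPMC' }
            }
        }
    }
}

Get-GpoCreationTrustees | Format-Table -AutoSize
Get-GpoEditTrustees     | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Entries marked REVIEW are not automatically wrong: the guide itself keeps a small set of administrators with GPMC access for exceptions, and Domain Admins typically appear through the default ACL. The value of running this after each change to the Production Delegation tab is a written record of exactly which identities can still bypass AGPM's change control, so that list can be kept deliberately short.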
Steps for Managing GPOs
You must complete the following steps to create, edit, review, and deploy GPOs using AGPM.
Additionally, follow these next steps to create a template, delete a GPO and restore a GPO.
Step 1: Create a GPO
Step 2: Edit a GPO
Step 3: Review and Deploy a GPO
Step 4: Use a Template to Create a GPO
Step 5: Delete and Restore a GPO
Step 1: Create a GPO:
AGPM divides roles and responsibilities relating to GPO administration. Only those with the Administrator
(Full Control) or the Approver role have the ability to create a GPO. An Editor can request the creation of
a GPO, and can then edit the settings within the GPO, but an editor cannot create the GPO. This is
because the creation of a GPO impacts the production environment, and therefore must be approved by
someone with the Approver role.
To request the creation of a New Managed GPO through AGPM:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Right-click the Change Control node and then select New Controlled GPO.
5. Fill in the Submit New Controlled GPO Request box using the values in the following table, and
then click Submit:
Field: Value
Cc: Fill this in only if you wish to receive a copy of the request.
GPO Name: Name you wish to be assigned to the GPO you are requesting to be created.
Comment: This field is optional, but should be used to describe what settings will be applied to the GPO.
Create in Archive and Production / Create in Archive Only: Click Create in archive and production so that the GPO will be immediately available upon approval. This is the default setting.
From GPO Template: If the new Controlled GPO will be created from a template, select the template here.
To approve the pending request to create the GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Open your email program. You will see an email message from the AGPM alias with the Editor's
request to create a GPO.
3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open
GPMC.
4. Expand the Console Tree until you can click the Change Control container.
5. Click the Change Control folder and then click the Pending tab.
6. Right-click the pending GPO, and then click Approve.
7. In the Approve Pending Operation dialog box, type an optional comment and then click Yes.
8. In the AGPM Progress box, once the status displays as Completed, click Close.
Step 2: Edit a GPO:
Any user with the AGPM Editor or Administrator (Full Control) roles can edit a GPO. Before editing a
GPO, you must first check out the GPO from the AGPM Archive. Once it has been checked out, you can
edit the GPO settings offline, check the GPO back into the Archive, and finally request the edited GPO be
deployed into production.
To check the GPO out from the Archive for editing:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to
display all of the controlled GPOs.
5. Right-click the GPO you wish to edit and then select Check Out.
6. In the Check Out GPO dialog box, enter an optional Comment to be displayed in the history of the
GPO while it is checked out and then click Check Out.
7. In the AGPM Progress box, once the status displays as Completed, click Close.
To edit the GPO offline:
1. On the Controlled tab, notice the State of the GPO is displayed as Checked Out. Right-click the
GPO and select Edit.
2. In the Group Policy Management Editor make the necessary settings changes to the controlled
GPO, and then close the Group Policy Management Editor window.
To check the GPO into the Archive:
1. On the Controlled tab, notice the State of the GPO is still displayed as Checked Out. Right-click the
GPO and select Check In.
2. In the Check In GPO dialog box, enter an optional Comment, and then click OK.
3. In the AGPM Progress box, once the status displays as Completed, click Close. Notice the state of
the GPO is now Checked In.
To request the deployment of the GPO to the production environment:
Because the account with the Editor role does not have Approver permissions, you must submit a request
for deployment of the GPO. To request the deployment of the GPO:
1. On the Controlled tab, right-click the GPO you wish to have deployed, and then click Deploy.
2. In the Submit Deploy Request dialog box, enter your email address in the Cc: field if you wish to
receive a copy of the request, enter an optional comment, and then click Submit.
3. In the AGPM Progress box, once the status displays as Completed, click Close.
Step 3: Review and Deploy a GPO:
In the last step, the Group Policy Administrator assigned the Editor role checked out a GPO from the
AGPM Archive, edited the GPO, and then checked it back into the AGPM Archive. Now an Approver must
review, approve, and deploy the GPO. Before approving the GPO, the Approver should create reports
and analyze the settings changes in the GPO to determine whether or not it should be approved and
deployed into the production environment. When it gets deployed, it must be linked to an Organizational
Unit (OU), the domain, or the Active Directory site, so that it goes into effect immediately after the
computers refresh their Group Policies.
To review settings in the GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role. Note
that any GPO Administrator assigned the Reviewer, Editor, Approver, or Administrator (Full
Control) role can run this step. For the purposes of this paper, you are using the Approver role, so that the
GPO can be deployed in the following steps.
2. Open your email program. You will see an email message from the AGPM alias with the Editor's
request to deploy a GPO.
3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
4. Expand the Console Tree until you can click the Change Control container.
5. Click the Change Control folder and then click the Pending tab.
6. Right-click the Pending GPO, and then click History.
7. In the History for GPO Name Request window, right-click the line with the most recent timestamp,
click Settings and then click HTML Report to display a summary of the GPO's settings.
8. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow
the ActiveX control to run, and then click the Show All link.
9. When you are done reviewing the settings, close the Internet Explorer window.
To compare the most recent version of the GPO to the first version checked into the archive:
1. In the History for GPO Name Request window, click the line with the most recent timestamp, press
CTRL and click the oldest version of the GPO for which the Computer Version is not * (an asterisk)
and then click Differences.
2. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow
the ActiveX control to run, and then click the Show All link.
3. When you are done reviewing the differences (highlighted in green), close the Internet Explorer
window.
4. Close the History of GPO Name Request window.
To deploy the GPO to the production environment:
1. On the Pending tab, right-click the Pending GPO which you want deployed in the production
environment, and then click Approve.
2. In the Approve Pending Operation dialog box, type an optional Comment, and then click Yes.
3. In the AGPM Progress box, once the status displays as Completed, click Close.
To link the GPO to the domain or an existing OU:
1. In the Group Policy Management console, right-click the domain or the OU to which you wish to link
the GPO, and then select Link an Existing GPO.
2. In the Select GPO dialog box, select the GPO that you wish to link, and then click OK.
Step 4: Use a Template to Create a GPO:
A GPO Template is a static, uneditable version of a GPO which is used as a starting point for the creation
of other GPOs. Templates are useful for quickly creating multiple GPOs that include many of the same
settings. Any GPO Administrator who has been assigned the Editor role or Administrator (Full Control)
can create a Template.
To create a Template based on an existing GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to
display all of the controlled GPOs.
5. Right-click the GPO on which you wish to base the Template and then select Save as Template.
6. In the Create New GPO Template dialog box, type a name for the Template and an optional
Comment, and then click OK.
7. In the AGPM Progress box, once the status displays as Completed, click Close.
Note: In Step 1 of this section, you learned how to create a Managed GPO. Follow those steps to
create a new Managed GPO that gets created by using this Template. The GPO will get created, but will
still need to be checked out of the archive, edited, checked into the archive, approved, and deployed.
You can follow Steps 2 and 3 of this section to edit the new GPO and review the differences between
the new Managed GPO and the Template, and to deploy the GPO into the production environment.
Step 5: Delete and Restore a GPO:
When you delete a Managed GPO, you have a choice of deleting the GPO from the archive while leaving
the deployed version of the GPO untouched in the production environment, or deleting the GPO from the
archive and the production environment.
When you delete a GPO, the GPO gets moved into the Recycle Bin in the AGPM console. A Group Policy
Administrator with the Approver role or the Administrator role has the permission to delete a GPO.
Specifically, any Group Policy Administrator with the List Contents and Delete GPO permissions has the
ability to delete a controlled GPO.
To delete a GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open
GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to
display all of the controlled GPOs.
5. Right-click the GPO you wish to delete and then select Delete. In the Delete dialog box select the
appropriate option, enter an optional Comment, and then click OK.
a. Delete GPO from archive only: Select this option to delete the GPO from the AGPM
Archive, but leave the GPO in the production environment deployed and untouched.
b. Delete GPO from archive and production: Select this option to delete the GPO from the
AGPM archive and from the production environment.
6. In the AGPM Progress box, once the status displays as Completed, click Close. The GPO is removed
from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored or
destroyed.
You may discover a GPO which has been accidentally deleted, or a GPO which has been deleted at the
request of an Editor, but is still needed in the production environment. Any Group Policy Administrator
with the Approver role or Administrator (Full Control) role can restore a GPO. Specifically, any Group
Policy Administrator with List Contents and Deploy GPO permissions has the ability to restore a
controlled GPO.
To restore a deleted GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open
GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Recycle Bin tabs, to display all of
the deleted controlled GPOs.
5. Right-click the GPO you wish to restore and then select Restore.
6. In the Restore GPO dialog box, type an optional Comment and then click OK.
7. In the AGPM Progress box, once the status displays as Completed, click Close. The GPO is removed
from the Recycle Bin tab and is displayed on the Controlled tab, where it can be reviewed, edited,
approved, and re-deployed.
Note: If a GPO was deleted from the production environment, restoring the GPO to the archive does not
automatically redeploy the GPO to the production environment.
You may discover a GPO that is causing problems in the production environment. Once you delete the
GPO, you may want to ensure that the GPO never gets restored and redeployed to the production
environment. Any Group Policy Administrator with the Approver role or the Administrator (Full Control)
role can destroy a GPO. Specifically, any Group Policy Administrator with the List Contents and Delete
GPO permissions can destroy a GPO.
To destroy a deleted GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open
GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Recycle Bin tabs, to display all of
the deleted controlled GPOs.
5. Right-click the GPO you wish to destroy and then select Destroy.
6. In the Destroy GPO message box, read the message warning and then click OK.
7. In the AGPM Progress box, once the status displays as Completed, click Close.
Note: If a GPO was deleted from the archive, but remained deployed to the production environment, when
you destroy the GPO, the GPO remains in the production environment, but all backups of the GPO, as well
as the controlled GPO itself, are destroyed.
After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a
problem in the production environment. Deploying an earlier version of the GPO overwrites the version of
the GPO currently in production. Any Group Policy Administrator with the Approver role or Administrator
(Full Control) role can roll a GPO back to an earlier version from the GPO history. Specifically,
any Group Policy Administrator with List Contents and Deploy GPO permissions can deploy an earlier version of a
controlled GPO.
To roll back a GPO to an earlier version:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will
open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to
display all of the controlled GPOs.
5. Right-click the GPO you wish to roll back and then select History.
6. Right-click the earlier version you wish to deploy, and then click Deploy.
7. In the Deploy GPO dialog box, click Yes.
8. In the AGPM Progress box, once the status displays as Completed, click Close.
Note: To verify that the version which has been redeployed matches the version intended, run a differences
report for the two versions. In the History window for the GPO, select the two versions by clicking each
while pressing the CTRL key, right-click the selection, point to Differences, and then click HTML Report.
Summary
AGPM can help any size organization manage GPOs more securely and efficiently than by using only the
GPMC. AGPM allows you to delegate Group Policy administration based on roles for the tasks that Group
Policy administrators perform. AGPM also allows you to delegate Group Policy administration at a domain
level and at a GPO level so that you can allow different administrators to manage different GPOs.
In addition, AGPM allows you to control the version of GPOs deployed from the GPO archive to your
production environment. This level of control allows you to keep a record of changes to each GPO and to
revert a current GPO to a previous GPO in the event of a problem with a change to a Group Policy
setting.
With AGPM, you reduce the risks associated with deploying GPOs as well as the ongoing support costs
for managing GPOs. This helps your organization focus on managing the mission-critical applications and
services in your production environment instead of focusing on GPO change-management processes and
security.