Date post: 28-Apr-2018
Upload: vuongbao
Advanced Group Policy Management

In this article we will demonstrate advanced techniques for Group Policy management that use the Group Policy Management Console (GPMC) and Microsoft Advanced Group Policy Management (AGPM). AGPM increases the capabilities of the GPMC, providing:

- Standard roles for delegating permissions to manage Group Policy objects (GPOs) to multiple Group Policy administrators, in addition to the ability to delegate access to GPOs in the production environment.
- An archive to enable Group Policy administrators to create and modify GPOs offline before the GPOs are deployed into production.
- The ability to roll back to any earlier version of a GPO in the archive and to limit the number of versions stored in the archive.
- Check-in and check-out capability for GPOs to make sure that Group Policy administrators do not unintentionally overwrite each other's work.
- The ability to search for GPOs with specific attributes and to filter the list of GPOs displayed.
- E-mail notification to the Approver to review and approve a GPO for deployment.
- A very simple way to back up and restore GPO objects.

To demonstrate how Group Policy can be managed in an environment through AGPM, I created the following four user accounts in my Active Directory server.

User account   AGPM role                                          Member of      E-mail address
agpmadmin      Full Control, AGPM server and client installation  Domain Admin   [email protected]
agpmeditor     Editor                                             Domain Users   [email protected]
agpmapprover   Approver                                           Domain Users   [email protected]
agpmreviewer   Reviewer                                           Domain Users   [email protected]

You can also assign these four roles to group accounts instead of user accounts. For this lab demonstration I have used these four accounts. These accounts must be able to send and receive e-mail messages. We also have to assign the Link GPOs permission to the accounts that hold the AGPM Administrator, Approver, and (optionally) Editor roles. To assign the Link GPO permission, do the following:

Open the Delegation of Control Wizard, and click Next.

Add the user accounts to which we want to delegate control. In this lab the accounts we need to add are agpmadmin, agpmapprover and agpmeditor, as shown below:

Check the box Manage Group Policy links, click Next, and then click Finish to close the wizard.
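The wizard above writes an access control entry on the domain object. Because the right to link GPOs is effectively the right to push policy to every computer under that container, it is worth verifying afterwards who actually holds it. The following PowerShell is an added example, not part of the original article: it reads the domain head's security descriptor with the ActiveDirectory RSAT module, lists the principals with write access to the gPLink and gPOptions attributes (the two attributes the "Manage Group Policy links" task grants), and warns about any explicit grantee outside the article's three lab accounts. The NetBIOS domain name ABHI, the schema GUIDs and the expected-account list are assumptions for this lab.

```powershell
# Added example, not from the original article: audit which principals have been
# delegated "Manage Group Policy links" at the domain head, so the delegation done
# in the wizard can be verified and unexpected grantees spotted.
# Assumes the ActiveDirectory RSAT module and a session that can read the domain
# object's security descriptor.
Import-Module ActiveDirectory

# Schema GUIDs of the two attributes that the "Manage Group Policy links" task
# grants write access to (gPLink and gPOptions). Assumed values, verify in your schema.
$gpLinkGuid    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$gpOptionsGuid = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'

function Get-GpoLinkDelegation {
    param(
        # Container to inspect; defaults to the domain head (DC=abhi,DC=local in the lab).
        [string]$ContainerDN = (Get-ADDomain).DistinguishedName
    )
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
        # An empty ObjectType means "all properties", which also covers gPLink.
        ($_.ObjectType -eq $gpLinkGuid -or $_.ObjectType -eq $gpOptionsGuid -or
         $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Accounts the article delegates the Link GPOs permission to (assumed NetBIOS name ABHI).
$expected = @('ABHI\agpmadmin', 'ABHI\agpmapprover', 'ABHI\agpmeditor')

$delegation = Get-GpoLinkDelegation
$delegation | Format-Table -AutoSize

# Flag explicitly granted (non-inherited) entries that are not in the expected set.
# Built-in principals such as Domain Admins or SYSTEM appear here through GenericAll;
# compare those against your baseline instead of treating them as findings automatically.
$delegation |
    Where-Object { -not $_.IsInherited -and $expected -notcontains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("Unexpected Link GPOs grantee: {0} ({1})" -f $_.IdentityReference, $_.ActiveDirectoryRights)
    }
```

Run it again after each delegation change, or on a schedule, and keep the output with the change record; a new entry that nobody requested through the wizard is the kind of drift this check is meant to catch.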

Steps for installing and configuring AGPM

Step 1: Install AGPM Server

Now we are going to install AGPM Server on our domain controller for this lab, DC01.abhi.local. You can also install AGPM Server on any member server. The AGPM Server installation will automatically install the Group Policy Management Console (GPMC) on the server if it is not present. For this lab demonstration I am going to use the account agpmadmin to install the AGPM Server and Client on the domain controller.

To install AGPM Server, perform the following steps on the domain controller:

Log into the server with the account abhi\agpmadmin. Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management – Server. In the Welcome dialog box, click Next.

In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.

In the Archive Path dialog box, enter a location for the archive path.

In the AGPM Service Account dialog box, enter a service account under which the AGPM Service will run, and then click Next.

In the Archive Owner dialog box, enter an account or group to which you assign the AGPM Administrator (Full Control) role. In this demo the account is abhi\agpmadmin.

In the Port Configuration dialog box, type a port on which the AGPM Service should listen. By default it will use port number 4600.

(Do not clear the Add port exception to firewall check box unless you manually configure port exceptions or use rules to configure port exceptions.)

In the Languages dialog box, select one or more display languages to install for AGPM Server. Click Install, and then click Finish to exit the Setup Wizard.

So we have finished the AGPM Server installation. Each Group Policy administrator (anyone who creates, edits, deploys, reviews, or deletes GPOs) must have AGPM Client installed on the computers that they use to manage GPOs. For this lab demo, we will be installing AGPM Client on the same domain controller.

To install AGPM Client, I logged into the domain controller with the account abhi\agpmadmin. Perform the following steps to install AGPM Client.

Step 2: Install AGPM Client

Logged on as abhi\agpmadmin

Start the Microsoft Desktop Optimization Pack CD and follow the instructions on screen to select Advanced Group Policy Management - Client.

In the Application Path dialog box, select a location in which to install AGPM Client. Click Next.

In the AGPM Server dialog box, type the DNS name or IP address of the AGPM Server and the port to which you want to connect. The default port for the AGPM Service is 4600. Click Next.

(Do not clear the Allow Microsoft Management Console through the firewall check box unless you manually configure port exceptions or use rules to configure port exceptions.)

Follow the screen and click Next to finish the AGPM Client installation.

Once the AGPM Server and Client installations are finished, we need to configure an AGPM Server connection. In the following steps we will configure an AGPM Server connection and ensure that all Group Policy administrators connect to the same AGPM Server.

Step 3: Configure an AGPM Server connection

To configure an AGPM Server connection, perform the following steps:

On a computer on which we have installed AGPM Client (in this demo the domain controller DC01.abhi.local), open the Group Policy Management Console (GPMC.msc).

Expand Forest abhi.local. Expand Domains and select the domain abhi.local. Right-click the selected domain and click Create a GPO in this domain, and Link it here.

In the Group Policy Management Editor window, double-click User Configuration, Policies, Administrative Templates, Windows Components, and AGPM. Double-click AGPM: Specify default AGPM Server (all domains). In the Properties window, select Enabled and type the DNS name or IP address and port. For this lab demo it is DC01.abhi.local:4600.

So now we have finished the AGPM Server connection configuration. Now it's time to configure e-mail notification. Here we designate the e-mail addresses of the Approvers and AGPM Administrators to whom an e-mail message containing a request is sent when an Editor tries to create, deploy, or delete a GPO.

Step 4: Configure e-mail notification

To configure e-mail notification, perform the following steps:

Open GPMC.msc, select Change Control, and in the details pane click Domain Delegation. Enter the From e-mail address and To e-mail address fields, and enter the settings of your SMTP server, as shown in the figure below:

Make sure that in the From e-mail address field you typed the e-mail address for AGPM from which notifications should be sent, and that in the To e-mail address field you typed the e-mail address of the user account to which you intend to assign the Approver role.
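Steps 3 and 4 both depend on plumbing that fails silently when it is wrong: a client whose policy never arrived simply prompts for a server, and an SMTP host that is unreachable means Approvers never see requests. The following PowerShell is an added example, not part of the original article: it checks, on a machine with AGPM Client, that the default-server policy is present and points at DC01.abhi.local:4600, and that the AGPM Service port and the SMTP server are reachable. The registry location and value name for the policy (HKCU:\Software\Policies\Microsoft\AGPM, AGPMServer) and the SMTP host and port are assumptions and placeholders, not values from the article.

```powershell
# Added example, not from the original article: verify that the AGPM Server
# connection policy and the e-mail notification path are actually usable.
# Assumptions (not from the article): the policy is stored under
# HKCU:\Software\Policies\Microsoft\AGPM in a value named AGPMServer; the SMTP
# host and port are placeholders for what was typed into Domain Delegation.
$agpmPolicyKey  = 'HKCU:\Software\Policies\Microsoft\AGPM'   # assumed policy location
$agpmValueName  = 'AGPMServer'                                # assumed value name
$expectedServer = 'DC01.abhi.local:4600'                      # lab value from the article
$smtpServer     = 'smtp.abhi.local'                           # placeholder SMTP host
$smtpPort       = 25                                          # placeholder SMTP port

function Test-AgpmClientSetup {
    $result = [ordered]@{}

    # 1. Is the client policy present and does it point at the intended server?
    $configured = (Get-ItemProperty -Path $agpmPolicyKey -Name $agpmValueName `
                       -ErrorAction SilentlyContinue).$agpmValueName
    $result['PolicyValue']   = $configured
    $result['PolicyMatches'] = ($configured -eq $expectedServer)

    # 2. Can this client reach the AGPM Service on the port the policy names?
    $serverHost, $serverPort = $expectedServer -split ':'
    $result['AgpmPortOpen'] = Test-NetConnection -ComputerName $serverHost `
                                  -Port ([int]$serverPort) -InformationLevel Quiet

    # 3. Can the SMTP relay be reached? Run this part on the AGPM Server itself,
    #    since that is the host that sends the notification messages.
    $result['SmtpPortOpen'] = Test-NetConnection -ComputerName $smtpServer `
                                  -Port $smtpPort -InformationLevel Quiet

    [pscustomobject]$result
}

$status = Test-AgpmClientSetup
$status | Format-List

if (-not $status.PolicyMatches) {
    Write-Warning 'AGPM Server policy missing or pointing elsewhere: run gpupdate /target:user and re-check the GPO that carries the setting.'
}
if (-not $status.AgpmPortOpen) {
    Write-Warning 'AGPM Service port not reachable: confirm the service is running and the firewall exception from the Port Configuration step exists.'
}
if (-not $status.SmtpPortOpen) {
    Write-Warning 'SMTP server not reachable from here: Approver notifications will not be delivered.'
}
```

The policy value is read from the user hive because the article places the setting under User Configuration; if you ever move it to Computer Configuration, the check has to read the HKLM policies hive instead.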

Step 5: Delegate access

As an AGPM Administrator (Full Control), we can delegate domain-level access to GPOs, assigning roles to the account of each Group Policy administrator. To delegate access, perform the following:

On the Domain Delegation tab, click the Add button, select the user account of the Group Policy administrator who will serve as Approver, and then click OK. In the Add Group or User dialog box, select the Approver role to assign that role to the account, and then click OK.

For this lab demo, our Approver account name is AGPMapprover, and I have assigned the Approver role to this account using the steps above, as shown in the figure below.

Using the same steps, I have delegated different roles to all four accounts which I created for this lab demo. As shown in the figure below, I have delegated the different roles to the different accounts.

OK, so we have finished all the necessary configuration and role-based access delegation. It's time now to manage GPOs. We will now demonstrate how to create a GPO, edit, review and deploy the GPO, and finally delete and restore a GPO object.

Steps for managing GPOs

Step 1: Create a GPO

To request that a new GPO be created and managed through AGPM

Logged on as the Editor account – abhi\agpmeditor

Open the Group Policy Management Console (gpmc.msc) on the computer where we installed AGPM Client. Right-click Change Control and then click New Controlled GPO.

In the New Controlled GPO dialog box: To receive a copy of the request, type your e-mail address in the Cc field.

Type the name of the GPO. For this demonstration the name of this GPO is MyLabGPO.

Type a comment for the new GPO.

Click Create in archive and production so that the new GPO will be deployed to the production environment immediately upon approval. Click Submit.

When the AGPM Progress window indicates that overall progress is complete, click Close. The new GPO is displayed on the Pending tab.

Now we have submitted the request to create a GPO. It's pending approval from the GPO Approver. We will now see how to approve the pending request to create a GPO.

To approve the pending request to create a GPO

Logged on as the Approver – abhi\agpmapprover

On a computer on which we have installed AGPM Client, log on with a user account that has the Approver role in AGPM. Open the e-mail inbox for the account; here we have received an e-mail message from the AGPM alias with the Editor's request to create a GPO.

In the Group Policy Management Console tree, click Change Control, and on the Contents tab, click the Pending tab to display the pending GPOs, as shown in the figure below.

Right-click MyLabGPO, and then click Approve.

Click Yes to confirm approval, type a comment, and move the GPO to the Controlled tab.

Step 2: Edit a GPO

Logged on as the Editor – abhi\agpmeditor

Now the pending request to create the GPO has been approved by the Approver. So it's time to edit the GPO and configure settings. To do so, perform the following:

On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs. Right-click MyLabGPO, and then click Check Out.

When the AGPM Progress window indicates that overall progress is complete, click Close. On the Controlled tab, the state of the GPO is identified as Checked Out, as shown in the figure below:

To edit the GPO offline and configure the settings

On the Controlled tab, right-click MyLabGPO, and then click Edit to open the Group Policy Management Editor window and change an offline copy of the GPO.

For this lab demo I configured this GPO with desktop wallpaper settings for all users in the Sales OU, as shown in the figure below:

To check the GPO into the archive

On the Controlled tab, right-click MyLabGPO and then click Check In.

Type a comment, and then click OK.

To request the deployment of the GPO to the production environment

On the Controlled tab, right-click MyLabGPO and then click Deploy.

Because this account is not an Approver or AGPM Administrator, you must submit a request for deployment. To receive a copy of the request, type your e-mail address in the Cc field. Type a comment to be displayed in the history of the GPO, and then click Submit.

When the AGPM Progress window indicates that overall progress is complete, click Close. MyLabGPO is displayed in the list of GPOs on the Pending tab, as shown in the figure below.

Step 3: Review and deploy a GPO

To review settings in the GPO

Now we will create reports and analyze the settings and changes to settings in the GPO to determine whether the Approver should approve them. After evaluating the GPO, we can deploy it to the production environment and link the GPO to a domain or an organizational unit (OU). The GPO takes effect when Group Policy is refreshed for computers in that domain or OU. To do so, perform the following steps:

On a computer on which we have installed AGPM Client, log on with a user account that is assigned the Approver role in AGPM. Any Group Policy administrator with the Reviewer role, which is included in all of the other roles, can review the settings in a GPO.

Open the e-mail inbox for the account and notice that we have received an e-mail message from AGPMadmin with the Editor's request to deploy a GPO, as shown in the figure below.

On the Contents tab in the details pane, click the Pending tab. Double-click MyLabGPO to display its history.

In the History window, right-click the GPO version with the most recent time stamp, click Settings, and then click HTML Report to display a summary of the GPO's settings.

The HTML report is shown in the figure below. A result highlighted in green and preceded by [+] indicates that the setting is configured only in the later version of the GPO.
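The report the Approver reads here is the control point of the whole workflow: approval is only meaningful if the reviewer sees exactly what changed. The following PowerShell is an added example, not part of the original article and not AGPM's own code (AGPM exposes no PowerShell interface used here): it builds a scripted analogue of the difference report on top of the GPMC GroupPolicy module, diffing the production settings of MyLabGPO against a GPMC backup taken before the edit and printing [+] for lines present only in the current version and [-] for lines present only in the earlier one, mirroring the report notation above. The same comparison serves the rollback check described at the end of the article. The backup folder C:\GPOBackups and the list of volatile report elements are assumptions.

```powershell
# Added example, not from the original article: a scripted analogue of the
# HTML / XML difference report, built on the GPMC GroupPolicy module rather than
# AGPM's archive. $gpoName is the article's lab GPO; $backupRoot is an assumed
# folder that must exist before Backup-GPO runs.
Import-Module GroupPolicy

$gpoName    = 'MyLabGPO'
$backupRoot = 'C:\GPOBackups'

# Report elements that change on every render or merely identify the GPO rather
# than describe a setting; drop them so only real setting differences remain.
# (Heuristic: it also hides plain <Name> elements inside extension data.)
$volatile = '<(ReadTime|CreatedTime|ModifiedTime|Identifier|Domain|Name|Path|Version\w*)>'

function Get-NormalizedReportLines {
    param([string[]]$Lines)
    $Lines | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -notmatch $volatile }
}

function Compare-GpoWithBackup {
    param([string]$Name, $Backup, [string]$Root)

    # Backup-GPO stores the XML settings report of the backed-up version here.
    $reportPath = Join-Path $Root ("{" + $Backup.Id + "}\gpreport.xml")
    $previous = Get-NormalizedReportLines (Get-Content -Path $reportPath)

    # Get-GPOReport with no -Path returns the report as a single string.
    $current = Get-NormalizedReportLines ((Get-GPOReport -Name $Name -ReportType Xml) -split "`r?`n")

    Compare-Object -ReferenceObject $previous -DifferenceObject $current |
        ForEach-Object {
            $marker = if ($_.SideIndicator -eq '=>') { '[+]' } else { '[-]' }
            "$marker $($_.InputObject)"
        }
}

# Take the baseline before editing (the "earlier version" of the comparison).
$baseline = Backup-GPO -Name $gpoName -Path $backupRoot -Comment 'pre-change baseline'

# ... edit, check in and deploy the GPO as described in Step 2 ...

# Then show what changed in production relative to the baseline.
Compare-GpoWithBackup -Name $gpoName -Backup $baseline -Root $backupRoot
```

An empty result means the deployed version carries no setting differences from the baseline; after a rollback, that is exactly the outcome you want to see when comparing against the backup of the version you intended to restore.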

To deploy the GPO to the production environment

On the Pending tab, right-click MyLabGPO and then click Approve.

Type a comment to include in the history of the GPO.

To link the GPO to a domain or organizational unit

In the GPMC, right-click either the domain or an organizational unit (OU) to which you want to apply the GPO that you configured, and then click Link an Existing GPO. For this lab demo I linked the GPO at the Sales OU, as shown below:

In the Select GPO dialog box, click MyLabGPO, and then click OK.

So we have finished the GPO settings and configuration in the production environment. We have edited our GPO in offline mode, received approval to deploy it, and linked it to the desired OU.

Step 5: Delete and restore a GPO

Logged on as the Approver – abhi\agpmapprover

Now we will see a demo of how we can restore a deleted GPO. To demonstrate this, I first delete the GPO which we created in this lab, MyLabGPO. The following are the steps for deleting any existing GPO from AGPM:

On the Contents tab, click the Controlled tab to display the controlled GPOs.

Right-click MyLabGPO, and then click Delete. Click Delete GPO from archive and production to delete both the version in the archive and the deployed version of the GPO in the production environment.

When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored or destroyed, as shown below:

To restore a deleted GPO

On the Contents tab, click the Recycle Bin tab to display deleted GPOs. Right-click the GPO, and then click Restore.

When the AGPM Progress window indicates that overall progress is complete, click Close. The GPO is removed from the Recycle Bin tab and is displayed on the Controlled tab, as shown in the figure below.

Please note that restoring a GPO to the archive does not automatically redeploy it to the production environment. To return the GPO to the production environment
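The caveat just stated, that a restore brings the object back but not its effect in production, has a direct counterpart in plain GPMC, where a backup never includes the GPO's links. The following PowerShell is an added example, not part of the original article: using the GroupPolicy RSAT module it backs up MyLabGPO, deletes it, restores it from the backup, checks whether the Sales OU still links it, and re-creates the link if not. The OU distinguished name OU=Sales,DC=abhi,DC=local and the backup folder C:\GPOBackups are assumptions.

```powershell
# Added example, not from the original article: the GPMC-level analogue of the
# delete-and-restore flow, showing that a restore recreates the GPO but not its
# links, so the link must be put back and then verified. Assumes the GroupPolicy
# RSAT module; the OU DN and backup folder are assumed lab values.
Import-Module GroupPolicy

$gpoName    = 'MyLabGPO'
$backupRoot = 'C:\GPOBackups'                # assumed; must exist
$targetOU   = 'OU=Sales,DC=abhi,DC=local'    # assumed DN for the article's Sales OU

function Test-GpoLinked {
    param([string]$Name, [string]$Target)
    # Get-GPInheritance lists the links on a container; a link counts only if enabled.
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    [bool]($links | Where-Object { $_.DisplayName -eq $Name -and $_.Enabled })
}

# Safety net before any deletion. The backup carries settings and permissions,
# but not the links on the OU.
$backup = Backup-GPO -Name $gpoName -Path $backupRoot -Comment 'pre-delete'

# Delete the GPO from the domain; the link at the OU disappears with the object.
Remove-GPO -Name $gpoName -Confirm:$false

# Restore from the backup. The object comes back with the same GUID and settings,
# but nothing is applied until it is linked again, the same caveat the article gives.
Restore-GPO -BackupId $backup.Id -Path $backupRoot | Out-Null

if (-not (Test-GpoLinked -Name $gpoName -Target $targetOU)) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null
}

# Final state check: should report True once the link is back in place.
"Linked at ${targetOU}: " + (Test-GpoLinked -Name $gpoName -Target $targetOU)
```

Recording which containers linked a GPO before it is deleted is the part most teams forget; keeping that list next to the backup turns a restore into a repeatable procedure rather than a reconstruction from memory.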

To roll back to an earlier version of a GPO

On the Contents tab, click the Controlled tab to display the controlled GPOs. Double-click the GPO to display its History.

Right-click the version to be deployed, click Deploy, and then click Yes.

To verify that the version that was redeployed is the version intended, examine a difference report for the two versions. In the History window for the GPO, select the two versions, right-click them, point to Difference, and then click either HTML Report or XML Report.

This article described AGPM 4.0 and the benefits it can bring to our environment, how it works, and how to install it. We also learned how to take control of existing GPOs in our environment and how to create, edit and deploy controlled GPOs to production.