Overview of Microsoft Advanced Group Policy Management
Microsoft Advanced Group Policy Management eases the burden of managing Group Policy objects
By Jerry Honeycutt
Published September 2009
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, MSDN, SharePoint, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Overview
Offline Editing
GPMC Integration
Change Control
Role-Based Delegation
Search and Filter
Cross-Forest Management
Windows Support
Case Study: Forsyth County
Evaluating AGPM
Overview
Imagine a tool that could help you take control of Group Policy. What would this tool do? It could help you delegate who can review, edit, approve, and deploy Group Policy objects (GPOs). It might help prevent widespread failures that can result from editing GPOs in production environments. You could use it to track each version of each GPO, just as developers use version control to track source code. Any tool that provided these capabilities, that cost little, and that was easy to deploy would certainly be worth a closer look.
Such a tool indeed exists, and it is an integral part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. MDOP can help organizations reduce the cost of deploying applications, deliver applications as services, and better manage desktop configurations. Together, the MDOP applications shown in Figure 1 can give Software Assurance customers a highly cost-effective and flexible solution for managing desktop computers.
Figure 1. MDOP applications
Microsoft Advanced Group Policy Management (AGPM) is the MDOP application that can help you overcome the challenges that can affect Group Policy management in any organization, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control. For example, you can delegate Reviewer, Editor, and Approver roles to other users—even users who do not typically have access to production GPOs. (Editors can edit GPOs but cannot deploy them; Approvers can deploy GPO changes.)
AGPM can also help reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It even supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications.
This overview describes the key features of AGPM, such as change control and role-based delegation. The overview then describes how Software Assurance customers can begin evaluating AGPM today.
Offline Editing
The AGPM archive provides offline storage for GPOs. As Figure 2 shows, changes that you make to GPOs in the archive do not affect the production environment until you deploy the GPOs. By limiting changes to the archive, you can edit GPOs and test them in a safe environment without affecting the production environment. After reviewing and approving the changes, you can then deploy them with the knowledge that you can quickly roll them back if they have an undesired effect.
Figure 2. Offline editing
GPMC Integration
AGPM has a server component (the AGPM Service) and a client component (the AGPM snap-in), each of which you install separately. First, you install Microsoft Advanced Group Policy Management – Server on a system that has access to the GPOs that you want to manage. Then, you install the Microsoft Advanced Group Policy Management – Client on any system from which Group Policy administrators will review, edit, and deploy GPOs.
The AGPM snap-in integrates completely with the Group Policy Management Console (GPMC), as Figure 3 shows. Click Change Control in the console tree to open AGPM in the details pane and to manage the AGPM archive on the Contents tab. Here, you can review, edit, and deploy controlled GPOs (that is, GPOs managed by AGPM and stored in the archive). You can also take control of uncontrolled GPOs (that is, GPOs not managed by AGPM and not stored in the archive), approve pending changes, and manage GPO templates. On the Domain Delegation tab, AGPM Administrators (Full Control) can delegate roles to AGPM users and configure e-mail notifications. On the AGPM Server tab, you can configure the AGPM Server connection. AGPM 3.0 introduced the Production Delegation tab, which AGPM Administrators can use to delegate permission to edit GPOs in the production environment.
Figure 3. AGPM integration with the GPMC
Change Control
AGPM provides advanced change control features that can help you manage the lifecycle of GPOs. Many of the AGPM change control concepts will be familiar to administrators who have experience using common version-control tools, such as the version control feature in Microsoft Office SharePoint® Server 2007.
The following steps are necessary to change and deploy a GPO:
- Check the GPO out from the archive.
- Edit the GPO as necessary.
- Check the GPO into the archive.
- Deploy the GPO to production.
Change control means more than locking a GPO to prevent multiple users from changing it at the same time. AGPM keeps a history of changes for each GPO, as shown in Figure 4. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, and deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
Figure 4. GPO history
Role-Based Delegation
Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. However, Group Policy also lets administrators approve their own changes. In contrast, AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown in Figure 5.
Figure 5. Role-based delegation
An AGPM Administrator has full control of the AGPM archive. In addition to the AGPM Administrator role, AGPM defines three special roles to support its delegation model:
- Reviewer. Reviewers can view and compare GPOs. They cannot edit or deploy GPOs.
- Editor. Editors can check out GPOs from the archive, edit GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO. Editors can also view and compare GPOs.
- Approver. Approvers can approve the creation and deployment of GPOs. (When Approvers create or deploy a GPO, approval is automatic.) Approvers can also view and compare GPOs.
As an AGPM Administrator, you can delegate these roles to users and groups for all controlled GPOs within the domain (domain delegation). For example, you can delegate the Reviewer role to users, allowing them to review any controlled GPO in the domain. You can also delegate these roles to users for individual controlled GPOs. Rather than allow users to edit any controlled GPO in the domain, for example, you can give them permission to edit a specific controlled GPO by delegating the Editor role for that GPO only.
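The check-out, edit, check-in, deploy workflow under Change Control and the delegation rules above, modelled as an added Python example (not AGPM code or Microsoft's own): the CONTOSO domain, principals and GPO names are constructed, and the deploy() helper shows why an Editor's change cannot reach production without a separate identity holding the Approver role.

```python
# Added example (not AGPM code): a small model of AGPM delegation. Domain
# delegation grants a role for every controlled GPO, per-GPO delegation grants
# it for one GPO only, and AGPM Administrators have Full Control.
ROLE_ACTIONS = {
    "Reviewer": {"view", "compare"},
    "Editor":   {"view", "compare", "check out", "edit", "check in", "request deploy"},
    "Approver": {"view", "compare", "create", "approve", "deploy"},
}


class Delegation:
    def __init__(self):
        self.admins = set()   # AGPM Administrators (Full Control)
        self.domain = {}      # principal -> roles held for all controlled GPOs
        self.per_gpo = {}     # (gpo name, principal) -> roles held for that GPO only

    def roles(self, principal, gpo):
        return self.domain.get(principal, set()) | self.per_gpo.get((gpo, principal), set())

    def allowed(self, principal, action, gpo):
        if principal in self.admins:
            return True
        return any(action in ROLE_ACTIONS[role] for role in self.roles(principal, gpo))

    def deploy(self, requester, approver, gpo):
        """Deployment step of the check-out/edit/check-in/deploy workflow.
        Approvers and Administrators deploy directly (approval is automatic);
        an Editor can only request deployment, so a second identity holding
        the Approver role must approve before anything reaches production."""
        if self.allowed(requester, "deploy", gpo):
            return "deployed"
        if not self.allowed(requester, "request deploy", gpo):
            return "denied: requester holds no Editor role for this GPO"
        if not self.allowed(approver, "approve", gpo):
            return "pending: no Approver has approved the request"
        return "deployed"


def sample_delegation():
    """Constructed delegation for a fictitious CONTOSO domain."""
    d = Delegation()
    d.admins.add("CONTOSO\\dana")
    d.domain["CONTOSO\\alice"] = {"Reviewer"}                         # may review any controlled GPO
    d.domain["CONTOSO\\carol"] = {"Approver"}                         # may approve and deploy domain-wide
    d.per_gpo[("Workstation Lockdown", "CONTOSO\\bob")] = {"Editor"}  # Editor for one GPO only
    return d
```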
Search and Filter
AGPM 4.0 introduces the ability to filter the list of GPOs that it displays. For example, you can filter the list by name, status, or comment. You can even filter the list to show GPOs that were changed by a particular user or on a specific date. AGPM displays partial matches, and searches are not case sensitive.
AGPM supports complex search strings using the format column:string, where column is the name of the column by which to search and string is the string to match. For example, to display GPOs that were checked in by Jerry, type state: “checked in” changed by: Jerry in the Search box. Figure 6 shows another example. You can also filter the list by GPO attributes by using the format attribute:string, where attribute is the name of the GPO attribute to match. To display all GPOs that use a Windows® Management Instrumentation (WMI) filter called MyWMIFilter, type wmi filter: mywmifilter in the Search box.
Figure 6. Search example
When searching for GPOs, you can use special terms to search by date dynamically. These special terms are the same terms that you can use when searching for files by using Windows Explorer. For example, you can filter the list to display GPOs that were changed today, yesterday, this week, last week, and so on.
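The Search box grammar (column:string, quoted multi-word values, partial case-insensitive matches) and the dynamic date terms described above, reproduced over a constructed archive listing as an added Python example (not AGPM's own implementation); the GPO records, user names and the Monday-to-Sunday week boundaries are assumptions.

```python
import re
from datetime import date, timedelta

# Term grammar of the Search box as described above: column:string, where a column
# name may contain spaces ("changed by") and a multi-word value is quoted (straight
# or curly double quotes).
TERM = re.compile(r'([A-Za-z][A-Za-z ]*?)\s*:\s*(?:["“”]([^"“”]*)["“”]|(\S*))')


def date_range(term, today):
    """Dynamic date terms; Monday-to-Sunday weeks are an assumption (the overview names the terms only)."""
    monday = today - timedelta(days=today.weekday())
    return {
        "today": (today, today),
        "yesterday": (today - timedelta(1), today - timedelta(1)),
        "this week": (monday, monday + timedelta(6)),
        "last week": (monday - timedelta(7), monday - timedelta(1)),
    }.get(term)


def parse_search(text):
    """Return (column, value) pairs; column names are lower-cased and single-spaced."""
    terms = []
    for m in TERM.finditer(text):
        column = " ".join(m.group(1).lower().split())
        value = m.group(2) if m.group(2) is not None else m.group(3)
        terms.append((column, value.strip()))
    return terms


def matches(gpo, terms, today):
    """All terms must match; text matches are partial and case-insensitive."""
    for column, value in terms:
        rng = date_range(value.lower(), today) if column == "changed" else None
        ok = (rng[0] <= gpo["changed"] <= rng[1]) if rng else value.lower() in str(gpo.get(column, "")).lower()
        if not ok:
            return False
    return True


def filter_gpos(gpos, text, today):
    return [g["name"] for g in gpos if matches(g, parse_search(text), today)]


# Constructed sample archive listing (fictitious GPOs and users).
TODAY = date(2009, 9, 15)
GPOS = [
    {"name": "Workstation Lockdown", "state": "Checked In", "comment": "Baseline",
     "changed by": "CONTOSO\\Jerry", "changed": TODAY, "wmi filter": "MyWMIFilter"},
    {"name": "Server Audit Policy", "state": "Checked Out", "comment": "Pending review",
     "changed by": "CONTOSO\\Jerry", "changed": TODAY - timedelta(1), "wmi filter": ""},
    {"name": "Laptop Power", "state": "Checked In", "comment": "",
     "changed by": "CONTOSO\\Pat", "changed": TODAY - timedelta(10), "wmi filter": "MyWMIFilter2"},
]
```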
Cross-Forest Management
In addition to filtering, AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:
- Export the GPO from a domain in the first forest to a CAB file by using AGPM (Figure 7).
Figure 7. GPO export
- On a computer in a domain in the first forest, copy the CAB file to a portable storage device.
- Insert the portable storage device into a computer in a domain in the second forest.
- Import the GPO into the archive in a domain in the second forest by using AGPM.
When you import the GPO into the second forest, you can import it as a new controlled GPO. Alternatively, you can import it to replace the settings of an existing GPO that is checked out of the archive.
The obvious benefit of cross-forest management is testing. Combined with offline editing and change control, cross-forest management enables you to test GPOs in a controlled test environment (the first forest). After verifying the GPO, you can move it into the production environment (the second forest).
Windows Support
Three versions of AGPM are available: AGPM 2.5, AGPM 3.0, and AGPM 4.0. Each is incompatible with the others and supports different Windows operating systems. For more information about choosing the right version of AGPM for your environment and about the Windows operating systems that each supports, see Choosing Which Version of AGPM to Install.
AGPM 4.0 introduces support for Windows 7 and Windows Server® 2008 R2. Additionally, AGPM 4.0 still supports Windows Vista® with Service Pack 1 (SP1) and Windows Server 2008. Table 1 describes the limitations in mixed environments that include newer and older Windows operating systems.
Table 1. Limitations in Mixed Environments
If the AGPM Server 4.0 runs on: / And the AGPM Client 4.0 runs on: / AGPM 4.0 is:
Windows Server 2008 R2 or Windows 7 / Windows Server 2008 R2 or Windows 7 / Supported
Windows Server 2008 R2 or Windows 7 / Windows Server 2008 or Windows Vista with SP1 / Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Windows Server 2008 or Windows Vista with SP1 / Windows Server 2008 R2 or Windows 7 / Unsupported
Windows Server 2008 or Windows Vista with SP1 / Windows Server 2008 or Windows Vista with SP1 / Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Case Study: Forsyth County
Forsyth County covers the Winston-Salem, North Carolina, metropolitan area. The county’s population of nearly 325,000 is located in a 410-square-mile area. The county’s IT department supports approximately 1,400 users and 1,650 desktop computers.
Forsyth County needed a solution for managing desktop computers—a solution that did not compromise server security, helped the County nimbly update desktop computer configurations, and provided a rich history of changes. Michael Wilcox, MIS client services supervisor, said, “I attended a seminar on Group Policy and learned about Microsoft Advanced Group Policy Management. I was impressed with how it could enhance the delegation capabilities for administrators.” Forsyth County went on to implement AGPM.
After deploying AGPM, Forsyth County immediately began realizing benefits. “It’s amazing. Managing our desktop configurations is so much easier. We’d be floundering without it,” Wilcox said. Using AGPM, the county can easily and safely build GPOs. It can create and change GPOs without affecting the production environment. Importantly, administrators at Forsyth County don’t need to manually document their changes, because AGPM keeps a rich history of such changes. According to Wilcox, “Advanced Group Policy Management has been like a magic bullet for us. Its automated change management and workflow-enabled delegation capabilities are impressive. I wouldn’t be able to manage GPOs without it.”
Evaluating AGPM
AGPM is an add-on license available only to Software Assurance customers. Begin your evaluation today:
- Download and evaluate AGPM as part of MDOP
MDOP is available to Volume Licensing customers, Microsoft Developer Network (MSDN®) subscribers, and Microsoft TechNet subscribers. The evaluation includes a step-by-step guide that walks you through most AGPM capabilities.
- See Microsoft Desktop Optimization Pack on Microsoft.com
To learn how AGPM and MDOP for Software Assurance can help you better manage GPOs, see
- See Microsoft Desktop Optimization Pack on TechNet
For technical information about AGPM and MDOP for Software Assurance, see