AGPM 4 SP1 Deployment Guide


Deployment Guide

Published February 2013

Microsoft Advanced Group Policy Management v4.0 SP1 Deployment Guide

Page | 2

Important Notice

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

© 2013 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, Excel, SoftGrid, SQL Server, Windows, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Table of Contents

Important Notice (p. 2)
  Copyright (p. 2)
Introduction to the Deployment Guide (p. 5)
  Audience for This Guide (p. 5)
Product Documentation (p. 5)
Overview of Microsoft AGPM (p. 6)
  Microsoft AGPM Server Requirements (p. 6)
  Microsoft AGPM Client Requirements (p. 7)
  Mixed Environments (p. 8)
  Microsoft AGPM User Account Requirements (p. 9)
Planning AGPM Deployment (p. 11)
  Centralized Configuration (p. 11)
  Decentralized Configuration (p. 13)
  Manage Group Policy in Extranets (p. 15)
  Collect Necessary Information About the Existing AD DS Infrastructure and GPOs (p. 16)
  Determine the Number of AGPM Servers Required (p. 16)
  Determine the Number of AGPM Clients Required (p. 17)
  Determine the E-mail Infrastructure Requirements (p. 17)
  Determine the AGPM Archive Location and Storage Requirements (p. 17)
Installing and Configuring AGPM 4.0 SP1 (p. 19)
  Steps for Installing AGPM 4.0 SP1 (p. 19)
    Step 1: Install AGPM Server (p. 19)
    Step 2: Install AGPM Client (p. 21)
    Step 3: Configure an AGPM Server Connection (p. 22)
    Step 4: Configure Email Notification (p. 23)
    Step 5: Delegate Access (p. 24)
    Step 6: Secure AGPM (p. 25)
      Assign the Appropriate Security Roles to Group Policy Administrators (p. 26)
      Secure the AGPM Service Account (p. 30)
      Secure the AGPM Archive (p. 30)
      Securing Communication Between the AGPM Clients and the AGPM Servers (p. 31)
      Hardening of Computers Running AGPM Server (p. 33)
      Configuring AGPM-only Group Policy Management (p. 34)
  Steps for Managing GPOs (p. 36)
    Step 1: Create a GPO (p. 36)
    Step 2: Edit a GPO (p. 37)
    Step 3: Review and Deploy a GPO (p. 39)
    Step 4: Use a Template to Create a GPO (p. 40)
    Step 5: Delete and Restore a GPO (p. 41)
Summary (p. 45)

Introduction to the Deployment Guide

This deployment guide is designed to help you evaluate and set up Microsoft Advanced Group Policy Management (AGPM). This guide provides details of the steps necessary to install and configure AGPM components, including AGPM Server and AGPM Client components, configuring an AGPM Server connection, configuring notifications, delegating access, and securing AGPM.

Audience for This Guide

This guide was written for Microsoft Windows Group Policy administrators. As an information technology (IT) professional, you should have sufficient knowledge and experience to accomplish the following tasks:

• Set up operating systems and install applications.
• Add computers to domains.
• Set up and work comfortably with Active Directory Domain Services and Microsoft Domain Name System (DNS).
• Have a working knowledge of Active Directory Group Policies.

Product Documentation

Additional documentation for AGPM is available from TechNet at http://technet.microsoft.com/library/dd420466.aspx.

Overview of Microsoft AGPM

AGPM increases the capabilities of the Group Policy Management Console (GPMC) by providing the following benefits:

• An archive to enable Group Policy administrators to create and modify Group Policy objects (GPOs) offline before deploying them to a production environment.
• The ability to roll back to any previous version of a GPO in the archive and to limit the number of versions stored in the archive.
• Check-in/check-out capability for GPOs to ensure that Group Policy administrators do not inadvertently overwrite each other's work.
• Management of Group Policy across different forests, including the ability to copy GPOs from one forest to another.
• Easier GPO tracking with the new Search and Filter capabilities, which let you search for GPOs that were last changed by a specific administrator, on a particular date, or by other criteria.
• Standard roles for delegating permissions to manage GPOs to multiple Group Policy administrators, as well as the ability to delegate access to GPOs in the production environment.

Note: For a table of the standard permissions that can be assigned to Group Policy administrators, and the rights associated with each role, please see the Securing AGPM section later in this guide.

To help this process flow as smoothly as possible, we recommend that you read this guide carefully before installing the Microsoft AGPM Console.

Microsoft AGPM Server Requirements

AGPM Server 4.0 Service Pack 1 (SP1) requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista with SP1, and the Group Policy Management Console from the Remote Server Administration Tools (RSAT) installed. Both 32-bit and 64-bit versions are supported.

Before you install the AGPM Server, you must be a member of the Domain Admins group, and the following Windows features must be present, unless otherwise noted:

• GPMC
  • Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is automatically installed by AGPM if not already present.
  • Windows 8: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 8 (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  • Windows 7: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=131280).
  • Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows Vista with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
• .NET Framework 3.5

The following Windows features are required by AGPM Server and will be automatically installed if not present:

• WCF Activation: Non-HTTP Activation
• Windows Process Activation Service
  • Process Model
  • .NET Environment
  • Configuration APIs

Microsoft AGPM Client Requirements

AGPM Client refers to any computer that will be managing GPOs using AGPM. AGPM Client 4.0 SP1 requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista SP1 and the GPMC from RSAT installed. Both the 32-bit and the 64-bit versions are supported. AGPM Client can be installed on a computer running AGPM Server.

Note: While the AGPM Client itself must run one of the operating systems listed above, you can manage computers running any version of Windows from Windows XP forward.

The following Windows features are required by AGPM Client and will be automatically installed by AGPM if not present:

• GPMC
  • Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is automatically installed by AGPM if not already present.
  • Windows 8: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 8 (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  • Windows 7: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=131280).
  • Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows Vista with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
• .NET Framework 3.0
  • Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7: If the .NET Framework 3.0 or a later version is not present, the .NET Framework 3.5 is automatically installed by AGPM.
  • Windows Server 2008 or Windows Vista SP1: If the .NET Framework 3.0 or a later version is not present, the .NET Framework 3.0 is automatically installed by AGPM.

Mixed Environments

Many companies today operate in a mixed environment; that is, the computer running the AGPM Server and the computer running the AGPM Client may be running different operating systems. In the following table, the AGPM Server is the computer that is running the AGPM service. The AGPM Client is the computer that has the AGPM Console installed for managing GPOs. In a mixed environment that includes newer and older operating systems, there are some limitations to functionality, as indicated in the following table.

NOTE: This table refers to compatibility with the AGPM Client used for administering AGPM. AGPM 4.0 SP1 can manage GPOs on Windows XP, Windows Vista, Windows 7, Windows 8, and Windows Server versions.

AGPM Server Operating System | AGPM Client Operating System | Status of AGPM Support
Windows Server 2012 or Windows 8 | Windows Server 2012 or Windows 8 | Supported
Windows Server 2008 R2 or Windows 7 | Windows Server 2008 R2 or Windows 7 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 or Windows 8
Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7
Windows Server 2008 or Windows Vista SP1 | Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Unsupported
Windows Server 2008 or Windows Vista SP1 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7

Microsoft AGPM User Account Requirements

With AGPM, you can assign roles to different users, or groups of users, delegating permissions for viewing, creating, and approving GPOs. The following bullet points and flow chart offer a high-level summary of the assigned roles:

• Using an account that is a member of the Domain Admins group, install AGPM Server and assign the AGPM Administrator role to an account or group.
• Using accounts to which you will assign AGPM roles, install AGPM Client.
• Using an account with the AGPM Administrator role, configure AGPM and delegate access to GPOs by assigning roles to other accounts.
• Using an account with the Editor role, request the creation of a GPO, which you then approve using an account with the Approver role. With the Editor account, check the GPO out of the archive, edit the GPO, check the GPO into the archive, and request deployment.
• Using an account with the Approver role, review the GPO and deploy it to your production environment.
• Using an account with the Editor role, create a GPO template and use it as a starting point to create a new GPO.
• Using an account with the Approver role, delete and restore a GPO.

Figure 1: AGPM 4.0 SP1 Roles and their functions

Planning AGPM Deployment

AGPM can be deployed to serve the needs of any size organization, any network infrastructure, and any security model. This planning guide presents common deployment configurations. Even though these scenarios are presented as discrete units, your implementation of AGPM may consist of a combination of these scenarios. For example, you might have data centers that use one configuration but branch offices that use a different one.

Note: The level of management centralization in AGPM can be influenced by your corporate structure and network performance issues between domains. The number of GPOs that AGPM manages is typically not a factor in the level of management centralization.

Centralized Configuration

The centralized configuration assumes a single computer running AGPM Server and one or more client computers running the AGPM Client. Figure 2 provides an example of the centralized configuration, in which one AGPM Server is serving multiple domains.

Figure 2. Example of the centralized configuration

Select the centralized configuration when:

• The Active Directory Domain Services (AD DS) infrastructure includes a single forest.
• Availability and scalability do not require more than one computer running AGPM Server.

  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server to meet scaling requirements.

• High-speed and reliable network connectivity exists between domains, the AGPM Server, and the AGPM Clients.

Decentralized Configuration

The decentralized configuration assumes that more than one computer is running AGPM Server. Figure 3 provides an example of the decentralized configuration, in which some AGPM Servers are serving multiple domains while other AGPM Servers each serve only one domain.

Note: Ensure that each domain is served by only one AGPM Server. Do not allow multiple AGPM Servers to serve the same domain.

Figure 3. Example of the decentralized configuration

Select the decentralized configuration when:

• The AD DS infrastructure includes multiple forests.

  Note: An AGPM Server can only serve multiple domains within a forest. An AGPM Server cannot serve multiple domains in different forests.

• Availability and scalability require more than one computer running AGPM Server.

  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server to meet scaling requirements.

• The network connectivity between sites is slow or erratic, which requires an AGPM Server to be placed in each site.

Manage Group Policy in Extranets

Most organizations have extranets as a part of their network infrastructure. These extranets are also known as perimeter networks or demilitarized zones (DMZs). In some extranets, organizations deploy an AD DS forest dedicated to managing the identities and computers in the extranet. These domains also have the same Group Policy management issues.

These extranet forests are intentionally isolated from the private forests in the intranet for security reasons. Because the extranet forests are isolated, you must deploy at least one AGPM Server and AGPM Client to manage the Group Policy settings in the extranet forest.

You deploy AGPM Server on at least one member server or domain controller in the extranet. You deploy the AGPM Client on the computers that are currently used to manage the extranet forest, which can be in the extranet or within the intranet.

If you deploy the AGPM Client on a computer in the intranet, you must enable intermediary firewall ports for AGPM. By default, the AGPM Server and AGPM Client communicate by using TCP port 4600. You must enable TCP port 4600 on any intermediary firewalls between the AGPM Server and AGPM Client. The firewall rule should allow the traffic to originate in the internal network to the AGPM Server, and then allow the AGPM Server to reply to the return port based on a stateful rule.

Note: If you change the default TCP port that AGPM communications use during the installation process, enable that TCP port instead of the default TCP port 4600.
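As an added example that is not part of this guide, the following Windows PowerShell script creates the host firewall exception on the AGPM Server for the port chosen at installation, limits it to the intranet subnets where AGPM Clients live, and confirms that the AGPM Service is listening on that port. It assumes Windows Server 2012 or Windows 8 (the NetSecurity and NetTCPIP cmdlets); the $AgpmPort and $ClientSubnets parameters, the subnet value and the rule name are assumptions to adjust for your environment.

```powershell
# Added example, not from the guide: restrict the AGPM Server's host firewall
# exception to the intranet subnets that host AGPM Clients, then verify that the
# AGPM Service is listening on the configured port. Assumes the NetSecurity and
# NetTCPIP modules (Windows 8 / Windows Server 2012 and later); the port, the
# subnet list and the rule name are assumptions you adjust for your environment.
param(
    [int]      $AgpmPort      = 4600,              # default; use the custom port if you changed it during Setup
    [string[]] $ClientSubnets = @('10.0.10.0/24')  # constructed example: management subnet(s) in the intranet
)

$ruleName = "AGPM Server (TCP $AgpmPort)"

# Replace any earlier rule of the same name so re-running the script is safe.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Inbound allow, Domain profile only, remote addresses limited to the AGPM Client subnets.
# The stateful host firewall permits the server's replies to the client's port automatically,
# which is the same behaviour the guide asks of the intermediary firewall.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $AgpmPort -RemoteAddress $ClientSubnets -Profile Domain -Action Allow | Out-Null

# Verify the rule really binds to the port we asked for.
$boundPort = (Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter).LocalPort
if ("$boundPort" -ne "$AgpmPort") {
    throw "Firewall rule '$ruleName' is bound to port '$boundPort', expected $AgpmPort"
}

# Verify the AGPM Service has actually opened the port; if nothing listens, the rule is useless.
$listener = Get-NetTCPConnection -State Listen -LocalPort $AgpmPort -ErrorAction SilentlyContinue
if ($listener) {
    Write-Output "AGPM Service is listening on TCP $AgpmPort; rule '$ruleName' allows $($ClientSubnets -join ', ')"
} else {
    Write-Warning "Nothing is listening on TCP $AgpmPort. Check that the AGPM Service is running."
}

# From an intranet AGPM Client, confirm the path through the intermediary firewalls, for example:
#   Test-NetConnection -ComputerName <agpm-server-fqdn> -Port 4600
```

Run it elevated on the AGPM Server; if Setup's Add port exception to firewall checkbox already created an unscoped rule for the same port, disable that rule so the subnet-limited one is the only exception that applies.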

Collect Necessary Information About the Existing AD DS Infrastructure and GPOs

As the first step in planning your AGPM deployment, collect all the pertinent information about your existing AD DS infrastructure and the GPOs. In some instances, this information already exists as a part of your documentation. If the information does not exist, gather this information for the planning process. The required information is listed in Table 1.

Table 1. Information to Collect About the Existing AD DS Infrastructure and GPOs

Information collected | Helps you determine the
Number of AD DS forests. | Number of AGPM Servers.
Whether network connectivity issues exist between some domains. | Number of AGPM Servers.
Level of centralization of administration. | Number of AGPM Servers.
GPOs in each domain. | Number of GPOs to manage using AGPM.
IT pros who manage access to GPOs; edit GPOs; approve GPO creation, deployment, and deletion; or require read-only access to information about GPOs. | AGPM roles to be assigned to each user and who requires AGPM Client.

Determine the Number of AGPM Servers Required

In the single-server scenario, only one AGPM Server is deployed, which means the one AGPM Server manages the GPOs for all the domains in a single forest. In the multiple-server scenario, you deploy two or more computers running AGPM Server in your environment.

You can deploy AGPM Server on a member server or a domain controller. Installing AGPM Server installs the AGPM Service on the computer. For information on the AGPM Server installation requirements, see Microsoft AGPM Server Requirements.

In the multiple-server scenario, deploy a separate AGPM Server for:

• Each forest in your AD DS infrastructure.
• Each site that is isolated by network connectivity issues.
• Each site that your organization's structure requires to be managed separately.

Note: At this step in the planning process, you are concerned only with the number of AGPM Servers required to support your environment. Deploying additional AGPM Servers for availability and scalability is discussed later in this guide.

Determine the Number of AGPM Clients Required

In either the single-server or multiple-server scenario, you deploy one or more AGPM Clients. Deploy the AGPM Client on every computer used to administer GPOs. For information on the AGPM Client installation requirements, see Microsoft AGPM Client Requirements.

Determine the E-mail Infrastructure Requirements

During configuration of the AGPM Server connection, you should specify the fully qualified domain name (FQDN) of a computer running SMTP. This computer can be the SMTP service running on the same computer as Microsoft Exchange Server, or it can be an SMTP relay that forwards e-mail messages to your messaging infrastructure.

Additional e-mail infrastructure planning considerations exist:

• If the SMTP servers restrict message relaying to a specific list of computers or IP addresses, you must add each AGPM Server to the list of approved computers or IP addresses.
• If there are intervening firewalls between the AGPM Servers and the SMTP servers, you may need to modify the firewall rules to allow SMTP traffic from the AGPM Servers.

Determine the AGPM Archive Location and Storage Requirements

AGPM stores the current and previous versions of GPOs in the AGPM archive. The default path for the AGPM archive is %ProgramData%\Microsoft\AGPM on the AGPM Server. Beneath this folder is a subfolder for each GPO stored in the archive.

You can configure the AGPM Service to store the archive in a different path, even on another computer. For example, you may want to store the archive on a volume that is located on a Storage Area Network (SAN) logical unit (LUN) or on a local disk that has greater capacity than the system disk. To calculate the storage requirements for the AGPM archive, use the following calculation:

Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver

Table 2 lists the variables in the equation listed above and provides a brief description of each. Perform this calculation for each AGPM Server in your plan.

Table 2. Variables for Calculating AGPM Archive Storage Requirements

Variable | Description
Avg_GPO_Size | The average size of the GPOs in your environment; for most GPOs, you can use a value of 64 kilobytes (KB).
Num_GPO | The number of GPOs in your current production environment that this AGPM Server will manage.
Num_Ver | The number of GPO versions retained in the archive; you can configure the maximum number of versions to retain in the archive (by default, AGPM retains all GPO versions).

For most modern computers, the storage requirements for the AGPM archive are negligible. However, you can reduce the storage requirements by limiting the number of GPO versions retained. You can specify a range of 0 to 999 versions. If you specify a value of 0, only the current GPO version is retained in the archive. Although each organization will vary, retaining the last 10 versions in the AGPM archive is a recommended initial configuration value. Then, you can adjust the number of versions retained in the archive based on your experience in your organization. For more information on how to limit the number of GPO versions stored, see Limit the GPO Versions Stored in Microsoft Advanced Group Policy Management Help.
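As an added example that is not part of this guide, the following Windows PowerShell script measures Num_GPO and Avg_GPO_Size from SYSVOL for the domains one AGPM Server will manage and applies the formula above with the recommended 10 versions, falling back to the 64 KB rule of thumb when nothing can be measured. It assumes PowerShell 3.0 or later, the GroupPolicy RSAT module and read access to SYSVOL; the $Domains value and the Get-GpoSizeBytes and Get-AgpmArchiveEstimate helpers are assumptions.

```powershell
# Added example, not from the guide: estimate the AGPM archive size for one AGPM
# Server from the guide's formula Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver,
# measuring Avg_GPO_Size and Num_GPO from SYSVOL instead of guessing. Assumes the
# GroupPolicy module (RSAT) and read access to SYSVOL; $Domains is a constructed value.
param(
    [string[]] $Domains = @('corp.example.com'),  # constructed example: the domains (one forest) this server will manage
    [int]      $NumVer  = 10                      # the guide's recommended initial retention
)

Import-Module GroupPolicy

function Get-GpoSizeBytes {
    # Sum the files under the GPO's SYSVOL folder; this is the content AGPM archives per version.
    param([object] $Gpo, [string] $Domain)
    $folder = "\\$Domain\SYSVOL\$Domain\Policies\{$($Gpo.Id)}"
    $files  = Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue
    if ($files) { ($files | Measure-Object -Property Length -Sum).Sum } else { 0 }
}

function Get-AgpmArchiveEstimate {
    param([string[]] $DomainList, [int] $Versions)
    $sizes = foreach ($domain in $DomainList) {
        foreach ($gpo in Get-GPO -All -Domain $domain) {
            Get-GpoSizeBytes -Gpo $gpo -Domain $domain
        }
    }
    $sizes  = @($sizes)
    $numGpo = $sizes.Count
    # Fall back to the guide's 64 KB rule of thumb when nothing could be measured.
    $avg = if ($numGpo -gt 0 -and ($sizes | Measure-Object -Sum).Sum -gt 0) {
        ($sizes | Measure-Object -Average).Average
    } else { 64KB }

    # Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver
    $bytes = $avg * $numGpo * $Versions

    [pscustomobject]@{
        Domains         = $DomainList -join ', '
        Num_GPO         = $numGpo
        Avg_GPO_Size_KB = [math]::Round($avg / 1KB, 1)
        Num_Ver         = $Versions
        Storage_MB      = [math]::Round($bytes / 1MB, 1)
    }
}

# Run once per AGPM Server in your plan, passing the domains that server will manage.
Get-AgpmArchiveEstimate -DomainList $Domains -Versions $NumVer
```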

Installing and Configuring AGPM 4.0 SP1

Before you install AGPM 4.0 SP1, create four user accounts: AGPM Administrator (granted Full Control to AGPM), AGPM Approver, AGPM Editor, and AGPM Reviewer. Ensure these accounts have the appropriate rights and capabilities to send email messages. You also must assign the Link GPOs permission to the accounts created, which will be used for the AGPM Administrator, Approver, and (optionally) AGPM Editor roles.

Note: Link GPOs permission is assigned to members of Domain Administrators and Enterprise Administrators by default. To assign Link GPOs permission to additional users or groups (such as accounts with the roles of AGPM Administrator or Approver), from GPMC select the domain and then click the Delegation tab, select Link GPOs, click Add, and select users or groups to which to assign the permission.

Steps for Installing AGPM 4.0 SP1

You must complete the following steps to install and configure AGPM 4.0 SP1:

• Step 1: Install AGPM Server
• Step 2: Install AGPM Client
• Step 3: Configure an AGPM Server connection
• Step 4: Configure email notification
• Step 5: Delegate Access
• Step 6: Secure AGPM

    Step 1: Install AGPM Server

    AGPM Server 4.0 SP1 can be installed on either a Domain Controller or a Member Server, although

    installing on a domain controller is not recommended. The server that you install the AGPM Server on will

    run the AGPM Service, and will be used to configure the AGPM archive. All AGPM operations are

    managed through this Windows service and are executed using the services credentials. The AGPM

  • Microsoft Advanced Group Policy Management v4.0 SP1 Deployment Guide

    Page | 20

    archive can be hosted on this server, or any other server within the same Active Directory Domain

    Services forest.

To install the AGPM Server on the computer that will host the AGPM Service:

1. Log on to the server with an account that is a member of the Domain Admins group.

2. Insert the Microsoft Desktop Optimization Pack (MDOP) CD in the CD-ROM drive of the server. If autoplay is enabled, the CD will start automatically. Otherwise, browse to the CD using File Explorer or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.

3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft Advanced Group Policy Management.

4. On the Microsoft Advanced Group Policy Management page, select the appropriate server to install by selecting Install Server (32-bit) or Install Server (64-bit). The installation wizard will launch.

5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Server screen, click Next.

6. On the Microsoft Software License Terms page, read the license, click I accept the license terms, and then click Next.

7. On the Application Path page, accept the default location to install AGPM Server, or type a custom location, and then click Next.

8. On the Archive Path page, accept the default location for the AGPM archive directory, or type a custom path, and then click Next.

9. On the AGPM Service Account page, type the user name and password of the domain account that will be used as the AGPM Service account, and then click Next. Note that if you are in a single Active Directory Domain Services domain, or will only be managing GPOs in a single domain, and are installing AGPM Server on a domain controller, you can use the Local System account as the AGPM Service account.

10. On the Archive Owner page, type the user account that will be assigned the AGPM Administrator (Full Control) role, and then click Next. Once assigned, the AGPM Administrator can delegate roles to other GPO administrators.

11. On the Port Configuration page, accept the default port on which the AGPM Service should listen, or type a custom port, and then click Next. Do not clear the Add port exception to firewall checkbox unless you plan to configure the port exception manually.

12. On the Languages page, select the appropriate display languages for your organization to install AGPM Server, and then click Next.

13. On the Ready to Install Microsoft Advanced Group Policy Management Server page, click the Details button to see which prerequisite Windows features are required for AGPM Server, and then click OK in the Details box. Note that if the required Windows features are not already present, they will be installed by the AGPM Server installation. Click Install.

14. On the Completed the Microsoft Advanced Group Policy Management Server Setup Wizard page, click Finish.

Caution: Do not modify settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing so can prevent the AGPM Service from starting. For information on how to modify settings for the service, see Help for Advanced Group Policy Management.

Step 2: Install AGPM Client

Each Group Policy administrator, that is, anyone who will create, edit, review, deploy, or delete GPOs, must have the AGPM Client installed on the workstation used to manage GPOs. AGPM Client does not need to be installed on end-user workstations if those users do not administer GPOs.

To install AGPM Client on the computer that will be used to administer GPOs:

1. Log on to the computer with an account that is a member of the local Administrators group.

2. Insert the Microsoft Desktop Optimization Pack (MDOP) DVD in the DVD-ROM drive of the computer. If autoplay is enabled, the DVD will start automatically. Otherwise, browse to the DVD using File Explorer or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.

3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft Advanced Group Policy Management.

4. On the Microsoft Advanced Group Policy Management page, select the appropriate client to install by selecting Install Client (32-bit) or Install Client (64-bit). The installation wizard will launch.

5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Client screen, click Next.

6. On the Microsoft Software License Terms page, read the license, click I accept the license terms, and then click Next.

7. On the Application Path page, accept the default location to install AGPM Client, or type a custom location, and then click Next.

8. On the AGPM Server page, type the DNS name or IP address of the AGPM Server and the port configured when installing the AGPM Server, and then click Next. Do not clear the Allow Microsoft Management Console through the firewall checkbox unless you plan to configure the firewall exceptions manually.

9. On the Languages page, select the appropriate display languages for your organization to install AGPM Client, and then click Next.

10. On the Ready to Install Microsoft Advanced Group Policy Management Client page, click the Details button to see which prerequisite Windows features are required for AGPM Client, and then click OK in the Details box. Note that if the required Windows features are not already present, they will be installed by the AGPM Client installation. Click Install.

11. On the Completed the Microsoft Advanced Group Policy Management Client Setup Wizard page, click Finish.

Step 3: Configure an AGPM Server Connection

AGPM stores all versions of each controlled Group Policy Object (that is, every GPO for which AGPM provides change control) in a central archive, so that all Group Policy administrators can view or modify GPOs offline without immediately affecting the deployed version of each GPO. The AGPM Server connection ensures that all Group Policy administrators connect to the same AGPM Server. For information about configuring multiple AGPM Servers, see Help for Advanced Group Policy Management.

To configure an AGPM Server connection for all Group Policy administrators:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Group Policy Objects container.

4. Right-click any GPO that is applied to all Group Policy administrators, for example the Default Domain Policy, and then click Edit.

5. In the Group Policy Management Editor window, expand User Configuration, Policies, Administrative Templates, Windows Components, and then click AGPM.

6. In the Details pane, double-click AGPM: Specify default AGPM Server (all domains).

7. In the AGPM: Specify default AGPM Server (all domains) Properties window, select Enabled, type the fully qualified domain name (FQDN) and port of the server hosting the AGPM archive, for example AGPMServer.contoso.com:4600, and then click OK.

8. Close the Group Policy Management Editor window.

Note: This policy setting takes effect at the next Group Policy refresh, typically within 90 minutes on client computers. Depending on your Active Directory Domain Services design, it could take several hours for the policy setting to take effect on all computers.

Step 4: Configure Email Notification

When an Editor or a Reviewer attempts to create, deploy, or delete a GPO, a request for this action is sent to a designated email address (or addresses) so that an Approver can evaluate the request and either implement or deny the action. An AGPM Administrator (Full Control) can designate the email address (or addresses) of Approvers and AGPM Administrators, and configure the alias from which the emails are sent.

To configure email notification for AGPM:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Change Control container.

4. In the Details pane, click the Domain Delegation tab.

5. In the From email address field, type the email alias for AGPM from which notifications should be sent.

6. In the To email address field, type the email address (or addresses, separated by commas) of the Approvers who should receive the request for approval. The email address can be that of a user or a distribution list.

7. In the SMTP server field, type the FQDN of a valid SMTP server.

8. In the User name and Password fields, type the credentials of a user with access to the SMTP service, and then click Apply.

Note: By default, email messages sent as a result of actions in Advanced Group Policy Management are not encrypted. However, you can configure email security for AGPM using registry settings to specify whether to use Secure Sockets Layer (SSL) encryption and which SMTP port to use. For more information, see the Secure AGPM section later in this guide.

Step 5: Delegate Access

Set up delegation for your environment so that Group Policy administrators have the appropriate access to, and control over, GPOs in the archive. There are baseline permissions you can apply to make operations more efficient. You can grant permissions in any manner that meets the needs of your organization.

Before you delegate permissions to manage GPOs, here are some points to consider:

• By default, you must be an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have the Modify Security permission for the domain.

• To delegate read access to Group Policy administrators who use AGPM, you must grant the List Contents as well as the Read Settings permission. This gives Group Policy administrators the ability to view GPOs on the Contents tab of AGPM. Other permissions must be explicitly delegated.

• Editors must be granted Read permission for the deployed copy of a GPO to make full use of Group Policy Software Installation.

• Membership of the Group Policy Creator Owners group should be restricted, so that members cannot circumvent AGPM management access to GPOs.

To delegate access to all GPOs throughout the domain:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Change Control container.

4. On the Domain Delegation tab, click the Add button.

5. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy administrator to which you wish to assign the Approver role, and then click OK.

6. In the Add Group or User box, in the Role drop-down list, select Approver. This assigns the Approver role to this user or group account. The Approver role includes the Reviewer role.

7. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy administrator to which you wish to assign the Editor role, and then click OK.

8. In the Add Group or User box, in the Role drop-down list, select Editor. This assigns the Editor role to this user or group account. The Editor role includes the Reviewer role.

9. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy administrator to which you wish to assign the Reviewer role, and then click OK.

10. In the Add Group or User box, in the Role drop-down list, select Reviewer. This assigns the Reviewer role to this user or group account.

Step 6: Secure AGPM

As you plan the configuration of your AGPM deployment, include the appropriate security decisions that will ensure AGPM stays secure. These decisions include:

• Assigning the appropriate security roles to Group Policy administrators (those users in your organization whose responsibilities include Group Policy management and administration).

• Securing the service account used by the AGPM Service running on each AGPM Server.

• Securing the AGPM archive.

• Securing communication between the AGPM Clients and the AGPM Servers.

• Hardening computers running AGPM Server.

• Configuring AGPM-only Group Policy management.

As discussed earlier in this guide, email notifications sent because of actions in AGPM are not encrypted and are sent through SMTP port 25. However, you can configure email security for AGPM by using the Windows registry, modifying settings to specify whether to use SSL encryption and which SMTP port to use. By encrypting AGPM email notifications, you can better protect emails that could reveal sensitive information about your organization's security. Encrypting email is recommended when the email is relayed through remote servers, and may be required by some compliance regulations.

Caution: Incorrectly editing the Windows registry may severely damage your system. Before making any changes to the Windows registry, make a backup copy of the registry and back up any data on the computer.

Assign the Appropriate Security Roles to Group Policy Administrators:

AGPM provides comprehensive, easy-to-use, role-based delegation. It includes domain-level permissions that allow you to provide access to all GPOs throughout a domain, and GPO-level delegation that allows you to configure access to specific GPOs. The following table lists the roles in AGPM, with a brief description of each role:

Role: AGPM Administrator (Full Control)
Description: This role has full control of the AGPM environment. An AGPM Administrator can assign any role to other Group Policy administrators, including the AGPM Administrator role. By default, the Archive owner specified during AGPM Server installation is assigned this role.

Role: Approver
Description: This role approves changes to GPOs made by users who have been assigned the Editor role. This role also has the ability to deploy GPOs to the production environment.

Role: Editor
Description: This role modifies GPOs. Any modifications made by Group Policy administrators assigned this role must be approved and deployed by a Group Policy administrator assigned the Approver role.

Role: Reviewer
Description: This role views GPOs and reviews the settings in reports. All other roles include this role.

As a best practice, create security groups in Active Directory Domain Services and assign the AGPM roles to the groups. Then add Group Policy administrators to the appropriate security groups. This reduces the complexity of AGPM administration. Additional recommendations when planning the security roles include:

• Use the principle of least privilege: When planning which AGPM roles or permissions to assign to users or groups, assign the lowest set of permissions required to perform an AGPM task.

• Limit the number of users assigned the AGPM Administrator (Full Control) role: This highly privileged role should be assigned to only a few users.

• Perform regular security audits of AGPM roles: Auditing the roles, and the membership of the groups assigned the roles, ensures that only authorized users hold them. These roles and permissions should be tightly controlled.

The following table lists the permissions assigned:

Permission        Description
Full Control      Includes all other permissions
Create GPO        Create GPOs in the domain (this is a domain-wide group)
List Contents     Lists the GPOs in the domain
Read Settings     Read the GPO settings within a specific GPO
Edit Settings     Modify the GPO settings within a specific GPO
Delete GPO        Delete a specific GPO
Modify Security   Delegate domain-level access, access to a specific GPO, and access to the production environment
Deploy GPO        Deploy a GPO from the AGPM archive into the production environment
Create Template   Create an AGPM template
Modify Options    Configure AGPM email notification and limit the GPO versions stored in the archive

The following table lists the AGPM roles and the permissions assigned to these roles:

Role                                Includes these AGPM permissions
AGPM Administrator (Full Control)   List Contents, Read Settings, Edit Settings, Create GPO, Deploy GPO, Delete GPO, Modify Options, Modify Security, Create Template
Approver                            List Contents, Read Settings, Create GPO, Deploy GPO, Delete GPO
Editor                              List Contents, Read Settings, Edit Settings, Create Template
Reviewer                            List Contents, Read Settings

AGPM roles and permissions can be assigned at the domain level or to individual GPOs. AGPM roles and permissions assigned at the domain level are automatically inherited by all GPOs in the domain. AGPM roles or permissions assigned to individual GPOs override the domain-level assignments.

To assign domain-level roles and permissions:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Change Control container.

4. Click the Domain Delegation tab, and then click Add.

5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to assign an AGPM role, click Check Names, and then click OK.

6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and then click OK.

To assign GPO-level roles and permissions:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Change Control container.

4. Click the Contents tab, select the GPO to which you wish to assign the GPO-level permission, and then click Add.

5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to assign an AGPM role, click Check Names, and then click OK.

6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and then click OK.

Secure the AGPM Service Account:

The AGPM Service runs on every computer on which AGPM Server is installed. During the installation process, you must provide an account to be used as the AGPM Service account. The minimum set of permissions required by the account specified as the AGPM Service account includes:

• Membership in the Group Policy Creator Owners group in each domain that is managed by AGPM.

• Membership in the Backup Operators group in each domain that is managed by AGPM.

• Full Control permission on the AGPM Server archive folder. This permission is granted automatically if the archive folder resides on the same local hard drive as the AGPM Server. Otherwise, the permission must be assigned manually.

• Full Control permission on the local system Temp folder, typically %windir%\temp.

• Full Control permission on any existing GPOs that will be managed by AGPM.

Additional recommendations for this account include:

• Use strong passwords, increasing the length and complexity of the password.

• Users should never log on interactively using the AGPM Service account. This account should be restricted to logging on only as a service. This can be enforced through Group Policy by configuring the following settings: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service, and Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally.

• Use fine-grained password policies if your domain is at the Windows Server 2008 domain functional level. For more information on fine-grained password policies, see http://technet.microsoft.com/en-us/library/cc770394.aspx.
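The checks above can be automated. The following PowerShell script is an added example, not part of this guide: it audits an AGPM Service account against the minimum permission set and the two logon rights just listed. It assumes the ActiveDirectory module (RSAT) is installed and that it runs elevated on the AGPM Server; CONTOSO\svc-agpm and D:\AGPMArchive are placeholders for your own service account and archive folder.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the guide. Audits an AGPM Service account against the
# minimum permission set above. Run elevated on the AGPM Server; $ServiceAccount and
# $ArchivePath are placeholders to replace with your own values.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-agpm',   # placeholder: DOMAIN\account
    [string]$ArchivePath    = 'D:\AGPMArchive',     # placeholder: archive folder chosen at install
    [string]$TempPath       = (Join-Path $env:windir 'temp')
)

$findings = New-Object System.Collections.Generic.List[string]
$samName  = $ServiceAccount.Split('\')[-1]
$account  = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid      = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 1. Required group memberships. This checks the current domain only; repeat the
#    script (or add -Server) for every other domain that AGPM manages.
foreach ($group in 'Group Policy Creator Owners', 'Backup Operators') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -notcontains $samName) {
        $findings.Add("MISSING: $ServiceAccount is not a member of '$group'")
    }
}

# 2. Full Control on the archive folder and the local Temp folder. Only an explicit
#    Allow ACE for the account itself counts; an ACE granted to a group that contains
#    the account is not detected, so review such folders by hand.
function Test-FullControl {
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $full) -eq $full)) { return $true }
    }
    return $false
}
foreach ($folder in $ArchivePath, $TempPath) {
    if (-not (Test-FullControl -Path $folder -Identity $ServiceAccount)) {
        $findings.Add("MISSING: no explicit Full Control ACE for $ServiceAccount on $folder")
    }
}

# 3. Logon restrictions: export the effective User Rights Assignment with secedit and
#    look for the account's SID under 'Log on as a service' and 'Deny log on locally'.
#    Rights granted through a group the account belongs to are not detected here.
$cfg = Join-Path $env:TEMP 'agpm-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -LiteralPath $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Entries look like: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

if ($rights['SeServiceLogonRight'] -notcontains $sid) {
    $findings.Add("MISSING: $ServiceAccount is not granted 'Log on as a service'")
}
if ($rights['SeDenyInteractiveLogonRight'] -notcontains $sid) {
    $findings.Add("WEAK: $ServiceAccount is not listed under 'Deny log on locally'")
}

if ($findings.Count -eq 0) { 'AGPM Service account checks passed.' } else { $findings }
```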

Secure the AGPM Archive:

By default, the AGPM archive folder is stored on a local hard disk of the AGPM Server. However, it can be stored on any computer other than the AGPM Server. The default installation of AGPM Server allows file system access to the AGPM Service account, SYSTEM, and the local Administrators group on the AGPM Server. The AGPM console allows you to control access to the archive. By default, AGPM Administrator (Full Control) is the only role that has full control of the archive.

Recommendations to secure the AGPM archive include:

• Limit the number of users in the local Administrators group on the AGPM Server.

• Periodically audit the permissions of the archive and remove unauthorized permissions.

Securing Communication Between the AGPM Clients and the AGPM Servers:

The AGPM Server communicates with AGPM Clients, Active Directory Domain Services domain controllers, Domain Name System (DNS) servers, and the SMTP server that delivers email notifications. To help prevent unauthorized users from viewing the communication, encrypt all communications among the AGPM Server, AGPM Clients, domain controllers, DNS servers, and the SMTP server.

Encrypt AGPM communication by using:

• Internet Protocol Security (IPsec): IPsec encrypts all traffic and is transparent to higher-level protocols.

• Secure SMTP: Secure SMTP only requires a certificate for the encryption, which can come from your organization's public key infrastructure (PKI) or from a public certificate authority.

• Configure email security for AGPM: By default, email messages sent as a result of actions in Advanced Group Policy Management are not encrypted. However, you can configure email security for AGPM using registry settings to specify whether to use SSL encryption and which SMTP port to use.

  o To configure email security for AGPM by using Group Policy Preferences:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.

2. Click Start, point to Administrative Tools, and then click Group Policy Management. This opens GPMC.

3. Expand the Console Tree until you can click the Group Policy Objects container.

4. Edit a GPO that is applied to all AGPM Servers for which you wish to configure email security, or create a new GPO that will be applied to all AGPM Servers for which you wish to configure email security.

5. In the Group Policy Management Editor window, expand Computer Configuration, Preferences, Windows Settings, Registry.

6. In the Console Tree, right-click Registry, point to New, and then click Collection Item. Name the new Collection Item AGPM Email Security.

7. In the Console Tree, right-click AGPM Email Security, point to New, and then click Registry Item.

8. In the New Registry Properties box, fill in the properties using the values in the following table, and then click OK.

Field        Value
Action       Update
Hive         HKEY_LOCAL_MACHINE
Key Path     SOFTWARE\Microsoft\AGPM
Value Name   EncryptSmtp
Value Type   REG_DWORD
Value Data   1 (to use SSL) or 0 (to send email without encryption)
Base         Decimal

9. In the Console Tree, right-click AGPM Email Security, point to New, and then click Registry Item.

10. In the New Registry Properties box, fill in the properties using the values in the following table, and then click OK.

Field        Value
Action       Update
Hive         HKEY_LOCAL_MACHINE
Key Path     SOFTWARE\Microsoft\AGPM
Value Name   SmtpPort
Value Type   REG_DWORD
Value Data   587 (to use SSL) or 25 (to send email without encryption)
Base         Decimal

11. Close the Group Policy Management Editor window.
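The two values that the preference items above write can also be verified (and, with -Remediate, set) directly on an AGPM Server, for example when checking that the preference actually applied. This PowerShell script is an added example, not part of the guide; the key path, value names and the 1/587 and 0/25 pairs are taken from the tables above.

```powershell
# Added example, not part of the guide. Checks the AGPM email security values
# (HKLM\SOFTWARE\Microsoft\AGPM: EncryptSmtp and SmtpPort) on this server and flags
# the unencrypted defaults or a half-applied pair. Run with -Remediate to set SSL/587.
[CmdletBinding()]
param([switch]$Remediate)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\AGPM'
$secure  = [ordered]@{ EncryptSmtp = 1; SmtpPort = 587 }   # recommended pair from the tables above

function Get-AgpmMailSetting {
    param([string]$Name)
    if (-not (Test-Path -LiteralPath $keyPath)) { return $null }
    # A missing value means AGPM falls back to its default (no SSL, port 25).
    $item = Get-ItemProperty -LiteralPath $keyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$report = foreach ($name in $secure.Keys) {
    $current = Get-AgpmMailSetting -Name $name
    $status  = if ($null -eq $current)              { 'not set (AGPM default applies)' }
               elseif ($current -eq $secure[$name]) { 'OK' }
               else                                 { 'differs from recommended' }
    [pscustomobject]@{ Value = $name; Current = $current; Recommended = $secure[$name]; Status = $status }
}
$report | Format-Table -AutoSize

# EncryptSmtp=1 with SmtpPort=25 (or 0 with 587) means only one of the two preference
# items applied; the tables above pair 1 with 587 and 0 with 25. Flag it so nobody
# assumes notification mail is protected when it is not.
$encrypt = Get-AgpmMailSetting -Name EncryptSmtp
$port    = Get-AgpmMailSetting -Name SmtpPort
if (($encrypt -eq 1 -and $port -ne 587) -or ($encrypt -ne 1 -and $port -eq 587)) {
    Write-Warning "EncryptSmtp=$encrypt and SmtpPort=$port do not match either documented pair"
}
if ($encrypt -ne 1) {
    Write-Warning 'AGPM notification email is sent without SSL encryption'
}

if ($Remediate) {
    if (-not (Test-Path -LiteralPath $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    foreach ($name in $secure.Keys) {
        # REG_DWORD, decimal base, exactly as in the Group Policy Preference items above.
        New-ItemProperty -LiteralPath $keyPath -Name $name -PropertyType DWord `
            -Value $secure[$name] -Force | Out-Null
    }
    'Set EncryptSmtp=1 and SmtpPort=587 on this server.'
}
```

A Group Policy Preference configured as above overwrites these values at the next refresh, so use -Remediate only on servers the preference does not reach, or to test before deploying it.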

Hardening of Computers Running AGPM Server:

The default installation of AGPM Server installs AGPM Server in as secure a configuration as possible. The following table describes the security footprint for the AGPM Server:

Installation Change: Services
Description:
    Service Name: AGPM Service
    Display Name: AGPM Service
    Path to Executable: %programfiles%\Microsoft\AGPM\Server\AGPM.exe
    Startup: Automatic (Delayed Start)
    Logon as: Account specified during installation

Installation Change: Windows Firewall
Description: The AGPM Server installation creates an inbound Windows Firewall rule with the following configuration:
    Name: AGPM Service
    Action: Allow the connection
    Protocol type: TCP
    Local Port: 4600
    Remote Port: All ports
    Local IP Address: Any
    Remote IP Address: Any

Installation Change: File System
Description: The AGPM Server installation process creates folders and files on the local file system. The default installation folder for AGPM is %ProgramFiles%\Microsoft\AGPM. There is a subfolder beneath the AGPM folder for the AGPM Client and the AGPM Server, each with several files. By default, AGPM Administrator is granted rights to this folder during installation, but the AGPM console can be used to grant and remove permissions.
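To confirm that a server still matches this footprint after it has been in production for a while, the following PowerShell script (an added example, not from the guide) compares the installed service, the port it is actually listening on, and the Windows Firewall rule with the documented values. It assumes Windows Server 2012 or later, where Get-NetFirewallRule and Get-NetTCPConnection are available, and the service name AGPM Service from the table.

```powershell
# Added example, not part of the guide. Verifies that this server's AGPM Service and
# Windows Firewall rule still match the security footprint table above. Assumes
# Windows Server 2012 or later (Get-NetFirewallRule / Get-NetTCPConnection available).
$expectedPort = 4600
$expectedExe  = Join-Path $env:ProgramFiles 'Microsoft\AGPM\Server\AGPM.exe'
$findings     = New-Object System.Collections.Generic.List[string]

# 1. Service: binary path, startup type and logon account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AGPM Service'"
if (-not $svc) {
    $findings.Add('FAIL: no service named AGPM Service is installed')
} else {
    $exe = $svc.PathName.Trim('"')          # PathName is quoted when it contains spaces
    if ($exe -ne $expectedExe) {
        $findings.Add("FAIL: service binary is '$exe', expected '$expectedExe'")
    }
    if ($svc.StartMode -ne 'Auto') {
        $findings.Add("FAIL: startup type is $($svc.StartMode), expected Automatic (Delayed Start)")
    }
    if ($svc.StartName -in 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService') {
        # Permitted only for a single-domain install on a domain controller (see Step 1).
        $findings.Add("INFO: service runs as built-in account $($svc.StartName), not a dedicated domain account")
    }
    # 2. The running service should listen on the configured port and nothing else.
    if ($svc.State -eq 'Running') {
        $listen = Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue
        if (-not $listen -or $listen.LocalPort -notcontains $expectedPort) {
            $findings.Add("FAIL: AGPM Service (PID $($svc.ProcessId)) is not listening on TCP $expectedPort")
        }
        foreach ($extra in ($listen | Where-Object LocalPort -ne $expectedPort)) {
            $findings.Add("INFO: AGPM Service also listens on TCP $($extra.LocalPort)")
        }
    } else {
        $findings.Add("INFO: AGPM Service is $($svc.State); listening port not checked")
    }
}

# 3. Firewall rule created by setup: inbound allow, TCP 4600, any remote address.
$rule = Get-NetFirewallRule -DisplayName 'AGPM Service' -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings.Add("FAIL: no Windows Firewall rule named 'AGPM Service' (was the port exception cleared at install?)")
} else {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow' -or "$($rule.Enabled)" -ne 'True') {
        $findings.Add("FAIL: rule is $($rule.Direction)/$($rule.Action)/Enabled=$($rule.Enabled)")
    }
    if ($portFilter.Protocol -ne 'TCP' -or "$($portFilter.LocalPort)" -ne "$expectedPort") {
        $findings.Add("FAIL: rule matches $($portFilter.Protocol) $($portFilter.LocalPort), expected TCP $expectedPort")
    }
    if ("$($addrFilter.RemoteAddress)" -eq 'Any') {
        $findings.Add('INFO: rule accepts any remote address (the installed default); consider limiting it to the subnets that host AGPM Clients')
    }
}

if ($findings.Count -eq 0) { 'AGPM Server footprint matches the documented configuration.' } else { $findings }
```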

Other recommendations for hardening the AGPM Server and the AGPM archive computer (if different) include:

• Dedicate a computer to AGPM Server: This helps reduce the attack surface of the AGPM Server. Installing additional roles, services, and applications on this server that are not required by AGPM increases the attack surface of the computer. If the AGPM archive is stored on a different computer than the AGPM Server, consider dedicating that computer to storing only the AGPM archive.

• Physically secure the AGPM Server: If unauthorized users have physical access to the server, they may execute several attacks against the AGPM Server. Some recommended actions to physically secure the AGPM Server include:

  o Place the computer in a locked (or lockable) server rack.

  o Place the computer in a secured data center, or a locked computer closet or wiring closet, depending on your organization's size and layout.

  o Disable the DVD or CD-ROM drive in the computer to prevent installation of unauthorized software.

  o Disable USB ports to prevent connection of removable devices.

• Enable Windows BitLocker Drive Encryption: Encrypting local hard disks on the AGPM Server and AGPM archive computer prevents unauthorized access to AGPM information in the event that a hard disk or the entire computer is stolen. Windows BitLocker Drive Encryption keys are necessary to start the computer and access the information on the local hard disk.

Configuring AGPM-only Group Policy Management:

After implementing AGPM in the environment, take steps to restrict Group Policy management to AGPM only. This prevents administrators from using GPMC to create new GPOs or edit existing ones. GPMC is a prerequisite for AGPM, so once AGPM is installed, Group Policy administration can be handled with either GPMC or AGPM. Because GPMC lacks change control and cannot service GPOs offline, Group Policy administrators should use only AGPM for Group Policy creation, management, and administration. The following tasks can be completed to ensure that AGPM is the only option for Group Policy management:

1. Restrict GPO creation to AGPM

2. Restrict GPO management to AGPM

Restrict GPO Creation to AGPM

Restricting GPO creation to AGPM only requires modifying the existing Active Directory permissions that give administrators that capability. Administrators can use GPMC to select the Group Policy Objects node, click the Delegation tab, and modify the permissions to eliminate creation of GPOs from GPMC. AGPM performs all GPO administrative tasks through the AGPM Service account. When removing or restricting GPO creation permissions, ensure that the service account still has sufficient privileges to create GPOs.

Note: A limited number of administrators should still have access to manage Group Policy with GPMC, so that the change management process can be bypassed in exception scenarios.

Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be necessary if those groups were used to assign permissions.

    Restrict GPO Management to AGPM

The previous task recommends restricting GPO creation to the AGPM Service account only. However,

because existing environments already have GPOs in production, restricting management of those existing

GPOs must be considered carefully. The recommended approach is to bring GPOs under AGPM management

by making them Controlled GPOs. When AGPM takes control of a GPO, it replaces the GPO's underlying

Active Directory permissions with the permissions defined on the Production Delegation tab. To control

which permissions are placed on Controlled GPOs, and to restrict them so that Controlled GPOs can be

managed only through AGPM, select the Change Control node in GPMC and then the Production Delegation

tab.

Note: A limited number of administrators should still be able to manage Group Policy with GPMC, so that

the change management process can be bypassed in exception scenarios.

Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be

necessary if those groups were used to assign permissions.
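The two tasks above are carried out in the GPMC Delegation and Production Delegation tabs; the following script is an added example, not part of this guide or of AGPM, that verifies the result from a management workstation. It lists every identity that still holds a "create GPO" right on the Policies container (a CreateChild ACE scoped to the groupPolicyContainer class or to all classes) and every GPO on which an identity outside an allow-list holds edit rights. It requires the RSAT ActiveDirectory and GroupPolicy modules; the service account and break-glass group names in the allow-list are placeholders.

```powershell
# Added example, not from the AGPM guide: audit who can create GPOs and who can
# edit each GPO, so that the delegation changes can be verified. Requires the RSAT
# ActiveDirectory (for the AD: drive) and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Placeholder allow-list: samAccountNames of the AGPM service account and of the
# break-glass administrators group that the guide says should keep GPMC access.
$Allowed = @('svc-agpm', 'GPO-BreakGlass-Admins')

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
$policies = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Look the groupPolicyContainer class GUID up in the schema instead of hard-coding it.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID
$create   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

Write-Host "== Identities able to create GPOs in $policies =="
# GenericAll includes CreateChild, so full-control holders (Domain Admins, SYSTEM)
# are reported too; the guide's note about Domain Admins applies to them.
$creators = (Get-Acl -Path "AD:\$policies").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $create) -eq $create) -and
        ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

foreach ($id in $creators) {
    $name = ($id -split '\\')[-1]                # strip the DOMAIN\ prefix
    $tag  = if ($Allowed -contains $name) { 'allowed' } else { 'REVIEW ' }
    "$tag $id"
}

Write-Host "`n== GPOs with edit rights held outside the allow-list =="
# Controlled GPOs should carry only the permissions from the Production Delegation
# tab; anything else listed here is a path around AGPM change control.
foreach ($gpo in Get-GPO -All) {
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission.ToString() -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { $_.Trustee.Name }
    $outside = @($editors | Where-Object { $Allowed -notcontains $_ })
    if ($outside.Count -gt 0) {
        '{0,-45} {1}' -f $gpo.DisplayName, ($outside -join ', ')
    }
}
```

Run it before and after changing the delegation tabs and again after controlling the existing GPOs. Identities are matched by account name only, so if two domains share a name, compare SIDs instead.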


    Steps for Managing GPOs

Complete the following steps to create, edit, review, and deploy GPOs using AGPM. The remaining steps

show how to create a template, and how to delete and restore a GPO.

    Step 1: Create a GPO

    Step 2: Edit a GPO

    Step 3: Review and Deploy a GPO

    Step 4: Use a Template to Create a GPO

    Step 5: Delete and Restore a GPO

    Step 1: Create a GPO:

    AGPM divides roles and responsibilities relating to GPO administration. Only those with the Administrator

    (Full Control) or the Approver role have the ability to create a GPO. An Editor can request the creation of

    a GPO, and can then edit the settings within the GPO, but an editor cannot create the GPO. This is

    because the creation of a GPO impacts the production environment, and therefore must be approved by

    someone with the Approver role.

    To request the creation of a New Managed GPO through AGPM:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will

    open GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Right-click the Change Control node and then select New Controlled GPO.

    5. Fill in the Submit New Controlled GPO Request box using the values in the following table, and

    then click Submit:

Field                                    Value

Cc:                                      Your email address. Fill this in only if you wish to
                                         receive a copy of the request.

GPO Name                                 The name you wish to be assigned to the GPO you are
                                         requesting to be created.

Comment                                  Optional, but should be used to describe what settings
                                         will be applied to the GPO.

Create in Archive and Production /       Click Create in archive and production so that the GPO
Create in Archive Only                   will be immediately available upon approval. This is
                                         the default setting.

From GPO Template                        If the new Controlled GPO will be created from a
                                         template, select the template here.

    To Approve the pending request to create the GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.

2. Open your email program. You will see an email message from the AGPM alias with the Editor's

request to create a GPO.

    3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open

    GPMC.

    4. Expand the Console Tree until you can click the Change Control container.

    5. Click the Change Control folder and then click the Pending tab.

    6. Right-click the Pending GPO, and then click Approve.

    7. In the Approve Pending Operation dialog box, type an optional comment and then click Yes.

    8. In the AGPM Progress box, once the status displays as completed click Close.

    Step 2: Edit a GPO:

Any user with the AGPM Editor or Administrator (Full Control) role can edit a GPO. Before editing a

GPO, you must first check it out from the AGPM Archive. Once it is checked out, you can

edit the GPO settings offline, check the GPO back into the Archive, and finally request that the edited GPO be

deployed to production.

    To check the GPO out from the Archive for editing:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will

    open GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to

    display all of the controlled GPOs.

    5. Right-click the GPO you wish to edit and then select Check Out.

    6. In the Check Out GPO dialog box, enter an optional Comment to be displayed in the history of the

    GPO while it is checked out and then click Check Out.

    7. In the AGPM Progress box, once the status displays as completed click Close.

    To edit the GPO offline:

    1. On the Controlled tab, notice the State of the GPO is displayed as Checked Out. Right-click the

    GPO and select Edit.

    2. In the Group Policy Management Editor make the necessary settings changes to the controlled

    GPO, and then close the Group Policy Management Editor window.

    To check the GPO into the Archive:

    1. On the Controlled tab, notice the State of the GPO is still displayed as Checked Out. Right-click the

    GPO and select Check In.

    2. In the Check In GPO dialog box, enter an optional Comment, and then click OK.

    3. In the AGPM Progress box, once the status displays as completed click Close. Notice the state of

    the GPO is now Checked In.

Because the account with the Editor role does not have Approver permissions, you must submit a request

for deployment of the GPO. To request deployment of the GPO to the production environment:

    1. On the Controlled tab, right-click the GPO you wish to have deployed, and then click Deploy.

    2. In the Submit Deploy Request dialog box, in the Cc: field, enter your email address, if you wish to

    be sent a copy of the submit request, and then enter an optional comment, and then click Submit.

    3. In the AGPM Progress box, once the status displays as completed click Close.

    Step 3: Review and Deploy a GPO:

In the last step, the Group Policy Administrator assigned the Editor role checked out a GPO from the

AGPM Archive, edited the GPO, and then checked it back into the AGPM Archive. Now an Approver must

review, approve, and deploy the GPO. Before approving the GPO, the Approver should generate reports

and analyze the settings changes in the GPO to decide whether it should be approved and

deployed into the production environment. Once deployed, the GPO must be linked to an Organizational

Unit (OU), the domain, or an Active Directory site before it takes effect; it is then applied when the

computers next refresh Group Policy.

    To review settings in the GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role. Note

that any GPO Administrator assigned the Reviewer, Editor, Approver, or Administrator (Full

Control) role can perform this step. For the purposes of this paper, you are using the Approver role so that the

GPO can be deployed in the following steps.

2. Open your email program. You will see an email message from the AGPM alias with the Editor's

request to deploy a GPO.

    3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will

    open GPMC.

    4. Expand the Console Tree until you can click the Change Control container.

    5. Click the Change Control folder and then click the Pending tab.

    6. Right-click the Pending GPO, and then click History.

7. In the History for GPO Name Request window, right-click the line with the most recent timestamp,

click Settings and then click HTML Report to display a summary of the GPO's settings.


8. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow

the ActiveX control to run, and then click the Show All link.

    9. When you are done reviewing the settings, close the Internet Explorer window.

    To compare the most recent version of the GPO to the first version checked into the archive:

    1. In the History for GPO Name Request window, click the line with the most recent timestamp, press

    CTRL and click the oldest version of the GPO for which the Computer Version is not * (an asterisk)

    and then click Differences.

2. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow

the ActiveX control to run, and then click the Show All link.

    3. When you are done reviewing the differences (highlighted in green), close the Internet Explorer

    window.

    4. Close the History of GPO Name Request window.

    To deploy the GPO to the production environment:

    1. On the Pending tab, right-click the Pending GPO which you want deployed in the production

    environment, and then click Approve.

2. In the Approve Pending Operation dialog box, type an optional Comment, and then click Yes.

    3. In the AGPM Progress box, once the status displays as completed click Close.

    To link the GPO to the domain or an existing OU:

    1. In the Group Policy Management console, right-click the domain or the OU to which you wish to link

    the GPO, and then select Link an Existing GPO.

    2. In the Select GPO dialog box, select the GPO that you wish to link, and then click OK.
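AGPM ships no PowerShell cmdlets, so the approval itself is done in the console as described above. The following script is an added example, not part of this guide, that uses only the RSAT GroupPolicy module to confirm from a management workstation what actually reached production after the Approver deployed and linked the GPO: it checks that the Active Directory and SYSVOL version numbers agree for both the Computer and User halves (a mismatch means replication is not complete or SYSVOL is inconsistent), that the link to the intended container exists and is enabled, and it saves an XML report of the production copy for later comparison. The GPO name, OU distinguished name and report directory are placeholders.

```powershell
# Added example, not from the AGPM guide: verify a deployed GPO in production.
Import-Module GroupPolicy

function Test-GpoDeployment {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $TargetOU,   # DN of the OU or domain it was linked to
        [string] $ReportDir = "$env:TEMP\gpo-reports"
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
    $ok  = $true

    # 1. The gPCVersion in AD and the GPT.INI version in SYSVOL must agree for each half.
    foreach ($side in 'Computer', 'User') {
        $half = $gpo.$side
        if ($half.DSVersion -ne $half.SysvolVersion) {
            Write-Warning ("{0}: AD version {1} but SYSVOL version {2}" -f
                $side, $half.DSVersion, $half.SysvolVersion)
            $ok = $false
        }
    }

    # 2. The GPO must be linked to the intended container and the link must be enabled.
    $link = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $link) {
        Write-Warning "$GpoName is not linked to $TargetOU"
        $ok = $false
    } elseif (-not $link.Enabled) {
        Write-Warning "Link from $GpoName to $TargetOU is disabled"
        $ok = $false
    }

    # 3. Keep an out-of-band record of the production settings, stamped with the
    #    version numbers, so a later rollback or differences review can be checked.
    New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $ReportDir ('{0}-{1}-c{2}u{3}.xml' -f
        $gpo.Id, $stamp, $gpo.Computer.DSVersion, $gpo.User.DSVersion)
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file

    [pscustomobject]@{
        Gpo        = $gpo.DisplayName
        Id         = $gpo.Id
        Consistent = $ok
        Report     = $file
    }
}

# Placeholder GPO and OU names; replace with the ones deployed above.
Test-GpoDeployment -GpoName 'Workstation Baseline' `
                   -TargetOU 'OU=Workstations,DC=contoso,DC=com'
```

Run it against the domain controller the Approver's workstation used; a version mismatch immediately after deployment usually clears once SYSVOL replication completes, while a mismatch that persists needs investigation before the GPO is trusted.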

    Step 4: Use a Template to Create a GPO:

    A GPO Template is a static, uneditable version of a GPO which is used as a starting point for the creation

    of other GPOs. Templates are useful for quickly creating multiple GPOs that include many of the same

    settings. Any GPO Administrator who has been assigned the Editor role or Administrator (Full Control)

    can create a Template.

    To create a Template based on an existing GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.


    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will

    open GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to

    display all of the controlled GPOs.

5. Right-click the GPO you wish to use as the basis for the template and then select Save as Template.

    6. In the Create New GPO Template dialog box, type a name for the Template and an optional

    Comment, and then click OK.

    7. In the AGPM Progress box, once the status displays as completed click Close.

    Note: In Step 1 of this section, you learned how to create a Managed GPO. Follow those steps to

    create a new Managed GPO that gets created by using this Template. The GPO will get created, but will

    still need to be checked out of the archive, edited, checked into the archive, approved, and deployed.

    You can follow Steps 2 and 3 of this section to edit the new GPO and review the differences between

    the new Managed GPO and the Template, and to deploy the GPO into the production environment.

    Step 5: Delete and Restore a GPO:

When you delete a Managed GPO, you can either delete the GPO from the archive only, leaving the

deployed version untouched in the production environment, or delete the GPO from both the archive

and the production environment.

    When you delete a GPO, the GPO gets moved into the Recycle Bin in the AGPM console. A Group Policy

    Administrator with the Approver role or the Administrator role has the permission to delete a GPO.

    Specifically, any Group Policy Administrator with the List Contents and Delete GPO permissions has the

    ability to delete a controlled GPO.

    To delete a GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open

    GPMC.

    3. Expand the Console Tree until you can click the Change Control container.


    4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to

    display all of the controlled GPOs.

    5. Right-click the GPO you wish to delete and then select Delete. In the Delete dialog box select the

    appropriate option, enter an optional Comment, and then click OK.

    a. Delete GPO from archive only: Select this option to delete the GPO from the AGPM

    Archive, but leave the GPO in the production environment deployed and untouched.

    b. Delete GPO from archive and production: Select this option to delete the GPO from the

    AGPM archive and from the production environment.

    6. In the AGPM Progress box, once the status displays as completed click Close. The GPO is removed

    from the Controlled tab and is displayed on the Recycle Bin tab where it can be restored or

    destroyed.

    You may discover a GPO which has been accidentally deleted, or a GPO which has been deleted at the

    request of an Editor, but is still needed in the production environment. Any Group Policy Administrator

    with the Approver role or Administrator (Full Control) role can restore a GPO. Specifically, any Group

    Policy Administrator with List Contents and Deploy GPO permissions has the ability to restore a

    controlled GPO.

    To restore a deleted GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open

    GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Click the Change Control node and then click the Contents and Recycle Bin tabs, to display all of

    the deleted controlled GPOs.

    5. Right-click the GPO you wish to restore and then select Restore.

    6. In the Restore GPO dialog box, type an optional Comment and then click OK.

    7. In the AGPM Progress box, once the status displays as completed click Close. The GPO is removed

    from the Recycle Bin tab and is displayed on the Controlled tab where it can be reviewed, edited,

    approved, and re-deployed.


    Note: If a GPO was deleted from the production environment, restoring the GPO to the archive does not

    automatically redeploy the GPO to the production environment.

    You may discover a GPO that is causing problems in the production environment. Once you delete the

    GPO, you may want to ensure that the GPO never gets restored and redeployed to the production

    environment. Any Group Policy Administrator with the Approver role or the Administrator (Full Control)

    role can destroy a GPO. Specifically, any Group Policy Administrator with the List Contents and Delete

    GPO permissions can destroy a GPO.

    To destroy a deleted GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open

    GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Click the Change Control node and then click the Contents and Recycle Bin tabs, to display all of

    the deleted controlled GPOs.

    5. Right-click the GPO you wish to destroy and then select Destroy.

    6. In the Destroy GPO message box, read the message warning and then click OK.

    7. In the AGPM Progress box, once the status displays as completed click Close.

    Note: If a GPO was deleted from the archive, but remained deployed to the production environment, when

    you destroy the GPO, the GPO remains in the production environment, but all backups of the GPO, as well

    as the controlled GPO itself, are destroyed.

    After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a

    problem in the production environment. Deploying an earlier version of the GPO overwrites the version of

    the GPO currently in production. Any Group Policy Administrator with the Approver role or Administrator

    (Full Control) role can roll a GPO back to an earlier version of the GPO from the GPO history. Specifically,

    any Group Policy Administrator with List Contents and Deploy GPO can deploy an earlier version of a

    controlled GPO.


    To roll back a GPO to an earlier version:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.

    2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will

    open GPMC.

    3. Expand the Console Tree until you can click the Change Control container.

    4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to

    display all of the controlled GPOs.

    5. Right-click the GPO you wish to roll back and then select History.

    6. Right-click the earlier version you wish to deploy, and then click Deploy.

    7. In the Deploy GPO dialog box, click Yes.

    8. In the AGPM Progress box, once the status displays as completed click Close.

    Note: To verify that the version which has been redeployed matches the version intended, run a differences

    report for the two versions. In the History window for the GPO, select the two versions by clicking each

    while pressing the CTRL key, right-click the selection, point to Differences, and then click HTML Report.
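The differences report above is generated from the versions held in the AGPM archive. As an added example that is not part of this guide, the following script gives an independent check against what is actually in production: export an XML report of the GPO with Get-GPOReport -ReportType Xml before the rollback and again after it, then flatten both reports into "element path = value" lines and compare them. Only the RSAT GroupPolicy module is needed to produce the input files; the script itself parses XML and has no other dependencies. Both file paths are placeholders.

```powershell
# Added example, not from the AGPM guide: compare two GPO XML reports.

function ConvertTo-SettingLines {
    # Flatten a GPO XML report (Get-GPOReport -ReportType Xml output) into one
    # "path = value" string per leaf element. Timestamps are skipped because they
    # differ between any two exports even when the settings are identical.
    param([Parameter(Mandatory)] [xml] $Report)
    $lines = New-Object 'System.Collections.Generic.List[string]'

    function Walk-Node($node, $path) {
        foreach ($child in $node.ChildNodes) {
            if ($child.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
            $name = $child.LocalName
            if ($name -in 'ReadTime', 'ModifiedTime', 'CreatedTime') { continue }
            $p     = "$path/$name"
            $elems = @($child.ChildNodes |
                Where-Object { $_.NodeType -eq [System.Xml.XmlNodeType]::Element })
            if ($elems.Count -eq 0) {
                $lines.Add(('{0} = {1}' -f $p, $child.InnerText.Trim()))
            } else {
                Walk-Node $child $p
            }
        }
    }

    Walk-Node $Report.DocumentElement ''
    return $lines
}

function Compare-GpoReport {
    param(
        [Parameter(Mandatory)] [string] $BeforePath,   # report exported before the rollback
        [Parameter(Mandatory)] [string] $AfterPath     # report exported after the rollback
    )
    $before = ConvertTo-SettingLines ([xml](Get-Content -Raw -Path $BeforePath))
    $after  = ConvertTo-SettingLines ([xml](Get-Content -Raw -Path $AfterPath))

    # Lines present in only one report are the settings that changed. The version
    # elements (VersionDirectory/VersionSysvol) are expected to appear here.
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '<=') { 'removed' } else { 'added  ' }
            "$tag $($_.InputObject)"
        }
}

# Placeholder paths; produce the inputs with Get-GPOReport -ReportType Xml -Path ...
Compare-GpoReport -BeforePath 'C:\gpo-reports\before-rollback.xml' `
                  -AfterPath  'C:\gpo-reports\after-rollback.xml'
```

The comparison treats each report as an unordered set of path/value lines, so reordering of identical settings is not reported and repeated elements with the same path are only distinguished by their values; for an authoritative view of the archived versions, use the AGPM Differences report described above and treat this script as a cross-check that production now matches the intended version.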


    Summary

    AGPM can help any size organization manage GPOs more securely and efficiently than by using only the

    GPMC. AGPM allows you to delegate Group Policy administration based on roles for the tasks that Group

    Policy administrators perform. AGPM also allows you to delegate Group Policy administration at a domain

    level and at a GPO level so that you can allow different administrators to manage different GPOs.

    In addition, AGPM allows you to control the version of GPOs deployed from the GPO archive to your

    production environment. This level of control allows you to keep a record of changes to each GPO and to

    revert a current GPO to a previous GPO in the event of a problem with a change to a Group Policy

    setting.

    With AGPM, you reduce the risks associated with deploying GPOs as well as the ongoing support costs

    for managing GPOs. This helps your organization focus on managing the mission-critical applications and

    services in your production environment instead of focusing on GPO change-management processes and

    security.