Wednesday, April 6, 2011

Advanced Group Policy Management (AGPM)

Microsoft Advanced Group Policy Management is a component of the Microsoft Desktop Optimization Pack for Software Assurance (MDOP SA).
The Advanced Group Policy Management (AGPM) increases the capabilities of the Group Policy Management Console (GPMC), providing:
  • Standard roles for delegating permissions to manage Group Policy objects (GPOs) to multiple Group Policy administrators.
  • An archive to enable Group Policy administrators to create and modify GPOs offline before deploying them to a production environment.
  • The ability to roll back to any previous version of a GPO.
  • Check-in/check-out capability for GPOs to ensure that Group Policy administrators do not overwrite each other's work.
If you want more information about what it brings, have a look at the Advanced Group Policy Management datasheet.
Some features include:
• Offline editing of GPOs
• Difference reporting and audit logging
• Recovery of a deleted GPO (Recycle Bin)
• Repair of live GPOs
• Creation of GPO template libraries
• Subscription to policy change e-mail notifications
• Version tracking, history capture, and quick rollback of deployed changes
• Role-based administration (Editor, Reviewer, Approver)
• Change request approval
AGPM consists of a client and a server component, both of which must be installed.
The AGPM Server hosts the "AGPM Service" and manages the GPO archive.  All AGPM operations are carried out through this Windows service and are executed with the service's credentials.  AGPM stores all versions of each controlled GPO (a GPO for which AGPM provides change control) in a central archive, so that Group Policy administrators can view and modify GPOs offline without immediately affecting the deployed version of each GPO.
Each Group Policy administrator (anyone who creates, edits, deploys, reviews or deletes GPOs) must have the AGPM Client installed on the computers that they use to manage GPOs.

Installation Requirements

AGPM Client requires Windows Vista (32-bit version) or Microsoft Windows Server 2003 (32-bit version) as well as the Group Policy Management Console (GPMC).  AGPM Client can be installed on the same computer running the AGPM Server.
AGPM Server requires Windows Vista (32-bit version) or Microsoft Windows Server 2003 (32-bit version) as well as the Group Policy Management Console (GPMC).  Additionally, you must be a member of the Domain Admins group to install AGPM Server.  The AGPM Server component can be installed on a member server or domain controller.

1. AGPM Server Installation Process


  • In the Welcome dialog box, click Next.


  • In the Application Path dialog box, select a location in which to install AGPM Server.  The computer on which AGPM Server is installed will host the AGPM Service and manage the archive.  Click Next.

  • In the Archive Path dialog box, select a location for the archive relative to the AGPM Server. The archive path can point to a folder on the AGPM Server or elsewhere, but you should select a location with sufficient space to store all GPOs and history data managed by this AGPM Server. Because the archive holds every version of every controlled GPO, including versions that have not yet been deployed, restrict write access to it to the AGPM Service account and the AGPM Administrators: anyone who can modify the archive can influence what is later deployed to production. Click Next.


  • In the AGPM Service Account dialog box, select the service account under which the AGPM Service will run, and then click Next. Since every AGPM operation is executed with this account's credentials, treat it as a highly privileged identity: use a dedicated domain account with a strong password that is not shared with any other service.

  • In the Archive Owner dialog box, select an account or group to which to initially assign the AGPM Administrator (Full Control) role. This AGPM Administrator can assign AGPM roles and permissions to other Group Policy administrators (including the role of AGPM Administrator). Click Next.

  • Click Install, and then click Finish to exit the Setup Wizard.

2. AGPM Client Installation Process


  • In the Welcome dialog box, click Next.


  • In the Application Path dialog box, select a location in which to install AGPM Client. Click Next.


  • In the AGPM Server dialog box, type the fully-qualified computer name and the port for the AGPM Server to which to connect. The default port for the AGPM Service is 4600. Click Next.

  • Click Install, and then click Finish to exit the Setup Wizard.
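Once both wizards have finished, a few things are worth checking that the Setup Wizard does not verify for you: that the AGPM Service is actually running and which account it runs as, that the service port (4600 by default) is reachable from a client, and who can write to the archive folder. The following PowerShell script is an added example, not part of the original post and not Microsoft's code. It assumes the service's display name is "AGPM Service"; the server FQDN agpm01.corp.example.com and the archive path D:\AGPM\Archive are hypothetical placeholders to be replaced with the values chosen during installation.

```powershell
# Post-install sanity check for an AGPM deployment. Added example, not part of
# the original post and not Microsoft's code. Run from an elevated PowerShell
# prompt on the AGPM Server, or point -AgpmServer at it from a client.
#
# Assumptions (not stated on the page): the service's display name is
# "AGPM Service"; the server FQDN and archive folder below are hypothetical.
param(
    [string]$AgpmServer  = "agpm01.corp.example.com",
    [int]   $AgpmPort    = 4600,            # default AGPM Service port (from the post)
    [string]$ArchivePath = "D:\AGPM\Archive"
)

# 1. Service present, running, and under which account? Every AGPM operation
#    executes with this account's credentials, so record it and flag built-ins.
#    (Remote WMI needs DCOM access and administrative rights on the server.)
$svc = Get-WmiObject -Class Win32_Service -ComputerName $AgpmServer |
       Where-Object { $_.DisplayName -eq "AGPM Service" }
if (-not $svc) {
    Write-Warning "No service with display name 'AGPM Service' on $AgpmServer"
}
else {
    "Service '{0}': state={1} startmode={2} logon={3}" -f `
        $svc.Name, $svc.State, $svc.StartMode, $svc.StartName
    if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\)') {
        Write-Warning "AGPM Service runs as a built-in account; use a dedicated domain service account"
    }
}

# 2. Is the AGPM Service port reachable? Test-NetConnection does not exist on
#    Vista / Server 2003, so open a plain TCP connection with a timeout.
$tcp = New-Object System.Net.Sockets.TcpClient
$reachable = $false
try {
    $async = $tcp.BeginConnect($AgpmServer, $AgpmPort, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(3000, $false)) {
        $tcp.EndConnect($async)       # throws if the connection was refused
        $reachable = $true
    }
}
catch { }
finally { $tcp.Close() }
if ($reachable) { "TCP {0}:{1} reachable" -f $AgpmServer, $AgpmPort }
else { Write-Warning ("TCP {0}:{1} not reachable; check the service state and host firewall" -f $AgpmServer, $AgpmPort) }

# 3. Who can write to the archive? It holds every version of every controlled
#    GPO, including versions not yet deployed, so write access there is
#    effectively the power to change what gets deployed to production.
if (Test-Path -Path $ArchivePath) {
    $acl = Get-Acl -Path $ArchivePath
    "Archive owner: {0}" -f $acl.Owner
    foreach ($ace in $acl.Access) {
        "{0,-40} {1,-30} {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType
    }
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|\\Users$' -and
        $_.FileSystemRights  -match 'Write|Modify|FullControl'
    }
    if ($broad) {
        Write-Warning "Archive is writable by a broad group; restrict it to the AGPM Service account and AGPM Administrators"
    }
}
else {
    Write-Warning "Archive path $ArchivePath not found; run on the AGPM Server or pass a UNC path"
}
```

The TCP check uses System.Net.Sockets.TcpClient rather than Test-NetConnection because the latter did not exist on the Vista and Windows Server 2003 systems this version of AGPM targets. The ACL check only looks for a few well-known broad groups; read the full listing it prints as well, since a custom group with Modify rights on the archive is just as much of a problem.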

GPMC User Interface changes

Advanced Group Policy Management (AGPM) adds a Change Control node to each domain displayed in the Group Policy Management Console (GPMC).  In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree.
Within the details pane there are 3 primary tabs, providing access to both GPO-level and domain-level settings for AGPM:
1. Contents Tab: GPO settings and commands, and GPO-level delegation
2. Domain Delegation Tab: AGPM e-mail notification settings and domain-level delegation
3. AGPM Server Tab: domain-level archive connection settings

AGPM adds a History tab to all Group Policy objects (GPOs) and Group Policy links displayed in the GPMC.  The History tab in the details pane of a GPO offers the same features as the History window opened from the Change Control node (by double-clicking a controlled or uncontrolled GPO).

In the Microsoft Windows Server 2003 operating system (only!), AGPM adds an Extensions tab to all GPOs and Group Policy links displayed in the GPMC.  This tab lists all extensions that contain settings in the GPO (or all registered extensions if "Show all registered extensions" is checked) and identifies them as part of the user or computer context.


AGPM Administrative Template

AGPM ships with an administrative template (AGPM.ADM, located in %windir%\inf) containing the settings for Advanced Group Policy Management (AGPM).  Applied to the computers running AGPM clients and servers, a GPO with these settings lets you centrally configure logging and tracing options; applied to Group Policy administrators, it lets you centrally configure the archive (AGPM Server) location and the visibility of the Change Control node and History tab.

Role based administration

In an environment where multiple people build or edit Group Policy objects (GPOs), you can delegate specific tasks for specific GPOs to specific people based on a role model (Reviewer, Editor, Approver, AGPM Administrator).
AGPM Administrators delegate permissions to Editors, who make changes to GPOs offline in the archive, and to Approvers, who deploy GPOs to the production environment.  The AGPM Administrator (Full Control) role includes the permissions of all other roles, so an AGPM Administrator can perform the tasks normally associated with any other role and can configure permissions to meet the needs of your organization.  Keeping the Editor and Approver roles with different people is what turns this into real change control: the person who changes a GPO is not the one who can deploy it.
• Approvers can perform "Approver Tasks", such as creating, deploying, or deleting GPOs
• Editors can perform "Editor Tasks", such as editing, renaming, labeling, or importing GPOs, creating templates, or setting a default template
• Reviewers can perform "Reviewer Tasks", such as reviewing settings and comparing GPOs

NOTE:
To delegate read access to Group Policy administrators who use AGPM, you must grant them the "List Contents" as well as the "Read Settings" permission (together, these make up the Reviewer role).  This enables them to view GPOs on the Contents tab of AGPM.  Set the permission to apply to "This object and nested objects".

For more information: Advanced Group Policy Management datasheet
Also watch the AGPM video presented by Kevin Sullivan, Senior/Lead Program Manager in the Group Policy Product Team (23 min)
Or listen to the AGPM talk on TechNet Radio (15 min)

Related blog post: Windows Server 2008 & Group Policy Management Console (GPMC)
