If you would like to read the other parts in this article series please go to:
- Advanced Group Policy Management (Part 1) – Introduction
- Advanced Group Policy Management (Part 2) – Initial Configuration
- Advanced Group Policy Management (Part 3) – Creating and Deploying Controlled GPOs
- Advanced Group Policy Management (Part 4) – Editing Controlled GPOs
- Advanced Group Policy Management (Part 6) – Templates and Migration
Introduction
In the previous articles of this series we learned how to create, edit, review and deploy controlled GPO using AGPM 4.0. In this article we’ll learn how to perform the following tasks:
- Withdraw a pending request for approval
- Reject a request for approval
- Roll back to a previous version of a GPO
- Restore a deleted GPO
As described earlier a previous article of this series, the various AGPM roles have been assigned to different CONTOSO users as follows:
- Tony Allen ([email protected]) will hold the AGPM Administrator (Full Control) role
- Karen Berg ([email protected]) will hold the Approver role
- Jacky Chen ([email protected]) will hold the Editor role
- Sara Davis ([email protected]) will hold the Reviewer role
Because the permissions for the Reviewer role are also included in the Approval role, for simplicity Karen Berg will act as both Reviewer and Approver for any controlled GPOs created and edited by Jacky Chen.
Withdrawing a Pending Request
Figure 1 shows the situation after Jacky Chen, who holds the Editor role, created three new controlled GPOs for managing Windows BitLocker encryption, Folder Redirection and wireless networking policies in Seattle. These new controlled GPOs are currently displayed on the Pending tab, which means they will not actually be created until Karen Berg, who holds the Approver role, approves their creation. Jacky is currently logged on to her administrative workstation and is looking at the Pending tab as shown below:
Figure 1: Three new controlled GPOs created by Jacky are waiting for Karen’s approval.
Jacky realizes that her request to create the Seattle Wireless Networking Policy was a mistake. Instead of sending a personal email to Karen asking her to ignore the approval request email she received from the AGPM Server for this item, Jacky decides to withdraw her earlier request. To do this, Jacky right-clicks on the Seattle Wireless Networking Policy item on the Pending tab and selects Withdraw:
Figure 2: Jacky withdraws her earlier request to create a Seattle Wireless Networking Policy GPO.
In the Submit Withdraw dialog, Jacky specifies the reason she is withdrawing her earlier request:
Figure 3: Jacky specifies the reason she is withdrawing her earlier request.
Once Jacky clicks Submit, her request to create the Seattle Wireless Networking Policy GPO is withdraw and this item is removed from the Pending tab:
Figure 4: Jacky’s request to create a Seattle Wireless Networking Policy GPO is no longer pending Karen’s approval.
Approving a Pending Request
In Figure 5 below, Karen is currently logged on. The Pending tab shows two requests from Jacky to create new controlled GPOs, one to create a Seattle BitLocker Encryption Policy GPO and the other to create a Seattle Folder Redirection Policy GPO. These requests are awaiting Karen’s approval, and after reviewing the first request (Seattle BitLocker Encryption Policy) Karen decides to approve creation of this GPO. To do this, she right-clicks on the pending request and selects Approve:
Figure 5: Karen approves Jacky’s request to create a new controlled GPO.
Karen adds a comment when approving the pending request:
Figure 6: Adding a comment when approving a pending request.
The AGPM Progress dialog shows that the new controlled GPO has been successfully created:
Figure 7: AGPM Progress dialog.
Once the pending request to create the Seattle BitLocker Encryption Policy has been approved, the request is removed from the Pending tab:
Figure 8: The pending request for Seattle BitLocker Encryption Policy has been approved.
The Seattle BitLocker Encryption Policy is now displayed on the Controlled tab, which shows that the new controlled GPO has indeed been created:
Figure 9: The Seattle BitLocker Encryption Policy has been created
In addition, when the Group Policy Objects node is selected in the Group Policy Management Console (GPMC) the new GPO is displayed there as well:
Figure 10: Seattle BitLocker Encryption Policy GPO
Rejecting a Pending Request
After reviewing the second pending request from Jacky (to create a Seattle Folder Redirection Policy GPO) Karen decides that this particular request should be rejected since the new GPO does not satisfy the requirements of the organization. To reject this pending request, Karen right-clicks on it and selects Reject:
Figure 11: Karen rejects Jacky’s request to create a new Seattle Folder Redirection Policy GPO
Karen enters a comment indicating why the request has been rejected:
Figure 12: Karen adds a comment to her rejection.
Once the pending request is rejected, it is removed from the Pending tab:
Figure 13: The request is no longer pending.
Rolling Back a GPO
One of the powerful capabilities of AGPM is change control, which enables you to roll back GPOs to earlier versions when needed. Let’s see this feature at work. At this point in time, the Seattle BitLocker Encryption Policy GPO created earlier by Jacky and approved by Karen has been edited several times, and therefore has gone through several versions. As described earlier in article 2 of this series, the AGPM Server maintains older versions of controlled GPOs in the AGPM archive, with the number of stored versions being configurable from 0 to 999.
Karen decides that the current version of the Seattle BitLocker Encryption Policy GPO does not satisfy the needs of the organization, and she wants to revert back to the previous version of this GPO instead. To do this, Karen begins by selecting the Controlled tab of the History dialog for the Seattle BitLocker Encryption Policy GPO. She then right-clicks on the Seattle BitLocker Encryption Policy GPO and selects History:
Figure 14: Step 1 of rolling back a controlled GPO to a previous version.
Karen selects the Unique Versions tab to display the different versions of this GPO that are stored in the archive. The current version of the GPO has 4 as its Computer version number (User version numbers for GPOs are displayed in a column off to the right of this figure):
Figure 15: Step 2 of rolling back a controlled GPO to a previous version.
Karen wants to roll back to the previous version (Computer version 3) of this GPO, so she right-clicks on this previous version and selects Deploy:
Figure 16: Step 3 of rolling back a controlled GPO to a previous version.
A dialog box asks Karen to confirm whether to perform the roll back operation:
Figure 17: Step 4 of rolling back a controlled GPO to a previous version.
After Karen clicks Yes in the above dialog box, the AGPM Progress dialog displays the results of the operation:
Figure 18: Step 5 of rolling back a controlled GPO to a previous version.
Karen switches to the All States tab of the History dialog for the Seattle BitLocker Encryption Policy GPO. The second history item in the list indicates that the previous version (Computer version 3) of this GPO has now been deployed to the production environment:
Figure 19: The roll back operation has been completed.
Note:
In the above walkthrough, the roll back operation was performed on a controlled GPO that was stored in the AGPM archive but was not yet deployed to the production environment. You can also use AGPM to roll back controlled GPOs that are already deployed, and the procedure is similar except you also have the option of choosing whether to restore the GPO links as well.
Deleting and Restoring a Controlled GPO
The following week Karen decides that the Seattle BitLocker Encryption Policy GPO is no longer needed, so she decides to delete this GPO from the AGPM archive. To do this, Karen selects the Controlled tab, right-clicks on the GPO and selects Delete:
Figure 20: Step 1 of deleting a controlled GPO.
In the Delete dialog, Karen has the option of deleting the GPO only from the archive or deleting it from both the archive and the production environment:
Figure 21: Step 2 of deleting a controlled GPO.
Deleting a GPO can be a serious thing, so Karen is prompted to confirm the operation:
Figure 22: Step 3 of deleting a controlled GPO.
The progress dialog indicates the GPO has been deleted from the archive (by uncontrolling it) and also from the production environment:
Figure 23: Step 4 of deleting a controlled GPO.
To confirm that deletion has occurred, Karen notes that the GPO is no longer listed on the Controlled tab, which means it is no longer present in the AGPM archive:
Figure 24: The GPO has been deleted from the AGPM archive.
Selecting the Group Policy Objects node in the GPMC shows that the GPO is also no longer present in the production environment:
Figure 25: The GPO has also been deleted from SYSVOL.
But Karen suddenly realizes she has made a mistake—she should not have deleted the Seattle BitLocker Encryption Policy GPO! It was a different GPO that she should have deleted. What can she do? Fortunately, AGPM allows undeletion of controlled GPOs, so Karen selects the Recycle Bin tab which displays the recently deleted GPO. She right-clicks on this GPO and selects Restore:
Figure 26: Step 1 of restoring a previously deleted controlled GPO.
Karen adds a comment to her operation:
Figure 27: Step 2 of restoring a previously deleted controlled GPO.
The undeleted GPO disappears from the Recycle Bin tab:
Figure 28: Step 3 of restoring a previously deleted controlled GPO.
And re-appears on the Controlled tab, indicating that the undelete operation has been successful:
Figure 29: The previously deleted GPO has been restored!
Note that restoring a controlled GPO that has been previously deleted does not redeploy the GPO to the production environment. To see this, select the Group Policy Objects node—the undeleted Seattle BitLocker Encryption Policy GPO is not displayed:
Figure 30: But it hasn’t been redeployed to production.
So if you restored a deleted GPO from your production environment using AGPM, you must still redeploy it to your production environment afterwards.
Conclusion
The last several articles of this series have examined various ways you can manage GPOs using AGPM. The next and final article of this series will examine templates and how to migrate GPOs from a test environment to your production environment using AGPM.
If you would like to read the other parts in this article series please go to:
- Advanced Group Policy Management (Part 1) – Introduction
- Advanced Group Policy Management (Part 2) – Initial Configuration
- Advanced Group Policy Management (Part 3) – Creating and Deploying Controlled GPOs
- Advanced Group Policy Management (Part 4) – Editing Controlled GPOs
- Advanced Group Policy Management (Part 6) – Templates and Migration
