Advanced Group Policy Management (Part 6) – Templates and Migration

If you would like to read the other parts in this article series please go to:

Introduction

In the previous articles of this series we’ve learned how to install, configure and use Advanced Group Policy Management 4.0 (AGPM 4.0), part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance (SA), to create, edit, approve, deploy and roll back GPOs. AGPM provides a number of benefits for Group Policy administrators, including offline editing, change control, role-based delegation and other powerful capabilities that make Group Policy management much easier. In this final article we’ll look at two additional capabilities of AGPM, namely:

  • How to use AGPM to create templates based on existing GPOs and use these templates as a starting point for creating new GPOs.
  • How to use AGPM to migrate GPOs from your test environment to your production environment.

As described in the previous article of this series, the various AGPM roles have been assigned to different CONTOSO users as follows:

Working with Templates

AGPM templates are read-only versions of GPOs that can be used as a starting point for creating editable GPOs. Using this feature you can pre-configure a set of policy settings, save the settings as a template, use the template to create different GPOs for different locations or departments, and then customize each new GPO by editing it further with the Group Policy Management Editor. Let’s see how this works.

We’ll begin with a scenario where Jacky Chen, an AGPM Editor, has previously created a Folder Redirection GPO which Karen Berg, an AGPM Approver, has approved. This GPO has been configured by Jacky with basic Folder Redirection policies that are common to all district offices of Contoso Ltd. Jacky is now going to create a new template based on the Folder Redirection GPO, and then will use the resulting template to create additional Folder Redirection GPOs for Contoso’s district offices which can then be further customized to meet the specific needs of each district office. Figure 1 below shows Jacky logged on to her administrator workstation with the Folder Redirection GPO visible on the Controlled tab of the Change Control node of the GPMC:


Figure 1: The Folder Redirection GPO will be used to create a new template.

To create a new template from the existing GPO, Jacky right-clicks on the Folder Redirection GPO and selects Save As Template:


Figure 2: Step 1 of creating a new template from an existing GPO.

Note:
Creating a template from an existing GPO does not destroy or otherwise affect the existing GPO.

In the Create New GPO Template dialog, Jacky types a descriptive name for the new template:


Figure 3: Step 2 of creating a new template from an existing GPO.

Clicking OK brings up the AGPM Progress dialog:


Figure 4: Step 3 of creating a new template from an existing GPO.

The newly created template is now visible on the Templates tab as shown next:


Figure 5: The new template has been created.

Jacky is now going to use the new template to create a customized Folder Redirection GPO for the Seattle office. To do this, Jacky right-clicks on the Folder Redirection GPO Template and selects New Controlled GPO:


Figure 6: Step 1 of creating a new controlled GPO from a template.

In the Submit New Controlled GPO Request dialog, Jacky first specifies the name of the new GPO as Seattle Folder Redirection GPO. Then in the From GPO Template drop-down list control at the bottom of this dialog, Jacky selects Folder Redirection GPO Template as shown here:


Figure 7: Step 2 of creating a new controlled GPO from a template.

Jacky will also create a new Folder Redirection GPO for the New York office. This time, however, Jacky does this a bit differently by right-clicking on the Change Control node in the GPMC and selecting New Controlled GPO as shown here:


Figure 8: Another way of creating a new controlled GPO from a template.

Again, Jacky must specify the name for the new GPO and select the desired template on which the new GPO will be based:


Figure 9: Creating an additional GPO from the same template.

Jacky’s requests to create two new controlled GPOs are now visible on the Pending tab when Karen opens the GPMC on her administrative workstation:


Figure 10: Karen must approve Jacky’s pending requests.

Karen must approve these pending requests from Jacky before the new controlled GPOs are created and deployed.

Working with Test Environments

A powerful feature of AGPM is its capability for migrating GPOs from one Active Directory forest to another. To do this, you begin by exporting the GPO to a file, then you copy the file to the other forest and import from there. Only AGPM Administrators (users holding the Full Control role) can perform this action.

A scenario where this capability can be extremely useful is where you set up a separate test forest that mirrors the Active Directory structure of your production forest. For example, Contoso Ltd. might set up a ContosoTest forest where GPOs are created and tested to make sure the policies they enforce will have the desired impact on targeted users and computers. Then, once a GPO has been thoroughly tested in the test environment, it can be migrated to the production environment using AGPM. Let’s see how this works.

The AGPM Administrator of the test environment has completed testing the Seattle BitLocker Encryption Policy and wants to migrate this GPO to the production environment. To do this, the AGPM Administrator begins by right-clicking on this GPO and selecting Export To as shown here:


Figure 11: Step 1 of migrating a GPO from a test environment to the production environment.

In the Export The GPO To A File dialog, the AGPM Administrator specifies the name Exported BitLocker GPO for the CAB file to be exported. The AGPM Administrator also specifies a save location on the network that is accessible from both the test and production environments:


Figure 12: Step 2 of migrating a GPO from a test environment to the production environment.

After the AGPM Administrator clicks the Export button, the AGPM Progress dialog indicates the success or failure of the export operation:


Figure 13: Step 3 of migrating a GPO from a test environment to the production environment.

Double-clicking on the CAB file shows the different files that comprise the exported GPO:


Figure 14: Details of the exported GPO.

The AGPM Administrator of the production environment now right-clicks on the Change Control node of the GPMC and selects New Controlled GPO:


Figure 15: Step 4 of migrating a GPO from a test environment to the production environment.

In the New Controlled GPO dialog, the AGPM Administrator specifies a name for the new GPO that will be created and selects the Import option as shown below. The Import option is selected because the exported policy settings are going to be imported into the new GPO that is being created. The AGPM Administrator then clicks the Launch Wizard button:


Figure 16: Step 5 of migrating a GPO from a test environment to the production environment.

The opening page of the Import Settings Wizard is displayed:


Figure 17: Step 6 of migrating a GPO from a test environment to the production environment.

On the next wizard page, the AGPM Administrator specifies the path to the previously exported GPO’s CAB file:


Figure 18: Step 7 of migrating a GPO from a test environment to the production environment.

The next wizard page summarizes the import operation that is going to be performed:


Figure 19: Step 8 of migrating a GPO from a test environment to the production environment.

On the next wizard page, the wizard displays the results of a scan that is performed to ensure the exported GPO can be imported properly:


Figure 20: Step 9 of migrating a GPO from a test environment to the production environment.

The final wizard page summarizes the details of the import process:


Figure 21: Step 10 of migrating a GPO from a test environment to the production environment.

The progress dialog displays the success or failure of the import operation:


Figure 22: Step 11 of migrating a GPO from a test environment to the production environment.

The AGPM Administrator in the production environment can now see the migrated New York BitLocker GPO on the Controlled tab as shown below:


Figure 23: The New York BitLocker GPO has been successfully migrated from the test forest to the production forest.
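The exported CAB file waits on a share that both forests can reach, so the production administrator has reason to confirm that the file being imported is the one that was exported. The following PowerShell is an added example, not part of the original article or of AGPM; it assumes PowerShell 4.0 or later (for Get-FileHash), and the function names, temporary folder and file contents are constructed for illustration.

```powershell
# Added example: integrity check for an exported GPO CAB moved between forests.
# Function names, paths and file contents are constructed stand-ins.

function New-GpoExportManifest {
    # Run in the test forest right after the export completes.
    param([Parameter(Mandatory)][string]$CabPath)
    $file = Get-Item -LiteralPath $CabPath
    [pscustomobject]@{
        FileName   = $file.Name
        Length     = $file.Length
        Sha256     = (Get-FileHash -LiteralPath $CabPath -Algorithm SHA256).Hash
        CreatedUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

function Test-GpoExportManifest {
    # Run in the production forest before starting the Import Settings Wizard.
    param(
        [Parameter(Mandatory)][string]$CabPath,
        [Parameter(Mandatory)]$Manifest
    )
    if (-not (Test-Path -LiteralPath $CabPath -PathType Leaf)) { return $false }
    if ((Get-Item -LiteralPath $CabPath).Length -ne $Manifest.Length) { return $false }
    $actual = (Get-FileHash -LiteralPath $CabPath -Algorithm SHA256).Hash
    return ($actual -eq $Manifest.Sha256)
}

# --- Constructed demonstration: a temp folder stands in for the network share ---
$share = Join-Path ([IO.Path]::GetTempPath()) 'gpo-export-demo'
New-Item -ItemType Directory -Path $share -Force | Out-Null
$cab = Join-Path $share 'Exported BitLocker GPO.cab'
[IO.File]::WriteAllBytes($cab, [byte[]](1..64))   # placeholder bytes, not a real CAB

# Test forest side: record the manifest and send it by a separate channel,
# not the same share, so write access to the share cannot forge both.
$manifestJson = New-GpoExportManifest -CabPath $cab | ConvertTo-Json

# Production side: parse the received manifest and check the file.
$received = $manifestJson | ConvertFrom-Json
'Unmodified file verifies: {0}' -f (Test-GpoExportManifest -CabPath $cab -Manifest $received)

# Simulate a change to the file while it sits on the share.
Add-Content -LiteralPath $cab -Value 'x'
'Modified file verifies:   {0}' -f (Test-GpoExportManifest -CabPath $cab -Manifest $received)

Remove-Item -LiteralPath $share -Recurse -Force
```

A hash match shows only that the file is unchanged since export; the scan and summary pages of the Import Settings Wizard remain the check on what the GPO contains.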

Additional Resources

To learn more about working with AGPM 4.0 see this topic in the TechNet Library here. Another useful resource is the Springboard Series page for MDOP at this link. Finally, if you have questions about AGPM you can post them to the TechNet Forum for Group Policy here.
