Using Advanced Group Policy Management to Protect your GPOs
Most companies today are utilizing Group Policy to control almost every aspect and area of their desktop environment. In some cases, Group Policy is also being utilized to control servers. With such a heavy reliance on Group Policy, every effort possible should be made to protect the Group Policy Objects that are performing these configurations. The new Advanced Group Policy Management (AGPM) tool from Microsoft can help with this and more.
My GPOs are Not Protected Today?
Microsoft released the Group Policy Management Console (GPMC) years ago, which is an amazing innovation in Group Policy management. The tool provides control over Group Policy in the following manner:
- Easy administration of all GPOs across the entire Active Directory Forest
- View of all GPOs in one single list
- Reporting of GPO settings, security, filters, delegation, etc.
- Control of GPO inheritance with Block Inheritance, Enforce, and Security Filtering
- Delegation model
- Backup and restore of GPOs
- Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone. Granted, the GPMC is needed and should be used by everyone for what it is ideal for. However, it does fall a bit short when you want to protect the GPOs from the following:
- Role based delegation of GPO management
- Being edited in production, potentially causing damage to desktops and servers
- Forgetting to back up a GPO after it has been modified
- Change management of each modification to every GPO
Establishing Delegation Using AGPM
If you have dealt with Group Policy and GPOs for a long time, I am sure that you have made an "errant" setting in a GPO that has gone live and done some damage to the network. This is due to the inherent nature of how GPOs are edited by default. GPOs are edited directly from the domain controllers, then when a change is made (and the OK or Apply button are selected), the change is immediately made to the GPO and then replicated. There is no option to "Undo" or "Save," the changes are made immediately.
This behavior is controlled currently in the GPMC by establishing delegation on the GPOs for editing, as shown in Figure 1.
Figure 1: Delegation within GPMC to allow editing of GPOs
This delegation from within the GPMC Group Policy Objects node should be removed after the AGPM tool is installed. The reasons for this shift in delegation include:
- AGPM uses its own delegation model, which is more granular
- AGPM does all editing of GPOs offline, not affecting production GPOs
- Without GPMC delegation, admins won't be able to edit production GPOs anymore
AGPM also uses a service account to access the GPOs in the AGPM archive. All of these GPOs in the AGPM archive are "not in production" or "offline," making editing of GPOs safer.
To create delegated permissions within the AGPM environment, you have two choices. The first is on the Domain Delegation tab, as shown in Figure 2.
Figure 2: Domain Delegation in AGPM
Here you can configure delegation for admins to control all GPOs within the AGPM repository at a specified level.
The second level of delegation within AGPM is at the GPO level, as shown in Figure 3.
Figure 3: GPO level delegation within AGPM
At each GPO within AGPM, you can establish what admins can perform per GPO, which gives granular control of the overall GPO infrastructure.
Benefits of Offline Editing within AGPM
The Group Policy Object Editor (GPOE) is the tool used to edit all GPOs. Even within the AGPM tool, the GPOE still updates the GPOs on the domain controller. This is an edit of the live, production GPOs in the Active Directory enterprise. Since the GPOE does not provide any type of "Save as", or "undo" option, this is a dangerous task to update a live GPO.
With the AGPM tool, all GPOs that you edit are offline. The GPOs are stored on the AGPM server, which handles a backed up copy of the GPO, not the live version. The entire process of editing a GPO through the AGPM tool is done on the AGPM server, even the initial "Check out" process, as seen in Figure 4.
Figure 4: Before a GPO can be edited, it must be Checked out
The reason the GPO needs to be checked out before it can be edited is due to the tracking that AGPM does with each edit to a GPO, which we discuss later in this article.
Change Management of AGPM
One of the features that the GPMC lacks, even with a manual or scripting solution, is the ability for change management. The concepts of change management are becoming more and more prevalent and important with today's IT infrastructure. The key data points that need to be tracked when a GPO is changed include:
- Who made the change
- When the change was made
- What change was made
The AGPM tool does all of these tasks and more. When a GPO is checked out and edited, a copy of the GPO is made in the AGPM archive. This isolates each version of the GPO as it goes through changes. The "Check out" procedure is key, as with the GPMC multiple administrators can be in the same GPO at the same time. This would cause a disconnection in the tracking of the GPO changes, since the last administrator out of the GPO would win any rights to the GPO. Since the AGPM tool does track each GPO separately, the result is a full listing of each GPO change in an historical view, as seen in Figure 5.
Figure 5: AGPM tracks each change to the GPO
You can see that each GPO has the date the change was made and who made the change. By simply right clicking on any GPO in the archive, you can see a settings report, which describes what settings are in each GPO. To go one step further, two GPOs can be selected and then a Difference Report can be created, as shown in Figure 6.
Figure 6: A difference report can be generate describing what has changed between two GPOs
The GPMC is an amazing tool by Microsoft. The ability to control GPOs for the Active Directory environment is made much easier with the GPMC. There are a few features that are lacking in the GPMC, which everyone is aware of. With the new AGPM tool that Microsoft offers through the MDOP, all of these issues are solved. The AGPM tool provides a much better method for delegation of administration of the GPOs. Not only does the AGPM tool provide a better delegation model, it pushes the administration of GPOs offline, instead of modifying the production GPOs like the GPMC does. Finally, the AGPM tool provides an automated change management feature. This tracks all of the essential changes of each GPO, such as who made the change, when the change was made, and what changes were made in the GPO.