Advanced Group Policy Management (Part 4) – Editing Controlled GPOs

If you would like to read the other parts in this article series please go to:

Introduction

In the previous article of this series we learned how to create a new controlled GPO and deploy it to your production environment. In this article we’ll learn how to edit controlled GPOs, review the changes made during editing and redeploy the GPO into production.  

As described earlier the previous article of this series, the various AGPM roles have been assigned to different CONTOSO users as follows:

Because the permissions for the Reviewer role are also included in the Approval role, for simplicity Karen Berg will act as both Reviewer and Approver for any GPO edits performed by Jacky Chen. 

Editing a Controlled GPO

In the previous article of this series, Jacky Chen, an AGPM Editor, proposed creating a new controlled GPO named New York Computers – Power GPO. Karen Berg, an AGPM Approver, received Jacky’s request and approved it. Karen then deployed the new GPO into the CONTOSO production environment and linked it to the New York Computers OU so the policy settings configured in the GPO would be applied to computers in that OU. However, the New York Computers – Power GPO was deployed in a pristine state, that is, with no policy settings configured. In line with company policy, Jacky now proposes that the active power plan for New York computers be changed to Power Saver. 

Jacky begins by logging on to his administrator workstation and opens the Group Policy Management Console (GPMC). He selects the Change Control node and then on the Controlled tab as shown here:


Figure 1: Step 1 of editing the controlled GPO.

Before Jacky can edit the controlled GPO, he must first check the GPO out of the AGPM archive. Checking a GPO out of the archive prevents any other AGPM Editor from making changes to the GPO until Jacky finishes working with it. To check out the New York Computers – Power GPO, Jacky right-clicks on it and selects Check Out as shown here:


Figure 2: Step 2 of editing the controlled GPO.

In the Check Out GPO dialog that displays next, Jacky enters a comment to help track the history of all changes made to the GPO:


Figure 3: Step 3 of editing the controlled GPO.

After clicking OK, the checked out GPO is displayed with a red icon on the Controlled tab:


Figure 4: Step 4 of editing the controlled GPO.

The checked out GPO can now be edited, so Jacky right-clicks on the GPO and selects Edit from the context menu:


Figure 5: Step 5 of editing the controlled GPO.

Doing this opens the New York Computers – Power GPO in the Group Policy Management Editor for editing. Jacky navigates to the Select An Active Power Plan policy setting as shown next:


Figure 6: Step 6 of editing the controlled GPO.

Jacky double-clicks on the Select An Active Power Plan policy setting to open it for editing. He then enables the policy setting and selects Power Saver as the Active Power Plan:


Figure 7: Step 7 of editing the controlled GPO.

After clicking OK to close the policy setting and then closing the Group Policy Management Editor, Jacky returns to the Change Control node of the GPMC. He then right-clicks on the New York Computers – Power GPO on the Controlled tab and selects Check In to check the modified GPO back into the AGPM archive:


Figure 8: Step 8 of editing the controlled GPO.

In the Check In GPO dialog that is displayed next, Jacky enters a comment so the history of changes made to this GPO can be more easily tracked in the future:


Figure 9: Step 9 of editing the controlled GPO.

The New York Computers – Power GPO has now been configured, but only on the copy that is stored in the AGPM archive. The copy of this controlled GPO that exists in the CONTOSO production environment (i.e. in SYSVOL) has not been changed at this point, but Jacky is confident that he’s configured the right policy changes so he decides to request redeployment of the GPO he has just modified. To do this, Jacky again right-clicks on the New York Computers – Power GPO and this time he selects Deploy from the shortcut menu:


Figure 10: Jacky requests redeployment of the controlled GPO he just modified.

Jacky adds his comment to the Submit Deploy Request as shown below:


Figure 11: Jacky’s request for redeploying the controlled GPO to production.

Once Karen receives Jacky’s Submit Deploy Request email via AGPM, it’s up to her to review the changes and decide whether the modified GPO should be rolled out production. That’s what we’ll look at next.

Reviewing and Redeploying the Modified GPO

Karen, who as an AGPM Approver also holds the AGPM Reviewer role, is now going to review the changes that Jacky has made to the archived copy of the New York Computers – Power GPO and then redeploy the modified GPO into the production environment. To begin doing this, Karen logs on to her administrator workstation, opens the GPMC, selects the Change Control node, selects the Controlled tab, right-clicks on the New York Computers – Power GPO and selects History from the shortcut menu:


Figure 12: Step 1 of reviewing and redeploying a controlled GPO that has been modified.

In the History For dialog that displays next, the All States tab provides more information that Karen needs at he moment concerning the change history of the New York Computers – Power GPO:


Figure 13: Step 2 of reviewing and redeploying a controlled GPO that has been modified.

So Karen selects the Unique Versions tab and sees that the most recent change version was checked in by Jacky and is ready for her review:


Figure 14: Step 3 of reviewing and redeploying a controlled GPO that has been modified.

Karen then clicks the Differences button at the bottom left of the History For dialog shown above. Doing this opens Internet Explorer and displays any differences between the selected version of the controlled GPO (the version labeled “Checked in” in Figure 14 above) and the previous version of the same controlled GPO (the version labeled “Created” in Figure 14 above). The Difference Report shows that the only change Jacky made to the GPO was to enable the Active Power Plan policy setting and set it to Power Saver:  


Figure 15: Step 4 of reviewing and redeploying a controlled GPO that has been modified.

Karen decides that the changes Jacky has made to the New York Computers – Power GPO are OK, so she closes Internet Explorer and clicks the Close button in the History For dialog shown in Figure 14 previously. Doing this displays the Approve Pending Operation dialog shown here:


Figure 16: Step 5 of reviewing and redeploying a controlled GPO that has been modified.

After typing her comment into the above dialog, Karen clicks Advanced to make sure the modified GPO will be redeployed properly. Clicking the Advanced button opens the GPO Links For Selected GPOs dialog, and Karen notes that redeploying the New York Computers – Power GPO will re-link it to the New York Computers OU as expected: 


Figure 17: Step 6 of reviewing and redeploying a controlled GPO that has been modified.

Karen clicks OK to close the GPO Links For Selected GPOs dialog. Then she clicks OK in the Approve Pending Operation dialog shown previously in Figure 16. A progress bar indicates when the modified New York Computers – Power GPO has been redeployed into production:


Figure 18: Step 7 of reviewing and redeploying a controlled GPO that has been modified.

The modified GPO will now be applied to computers in New York according the usual Group Policy processing mechanisms.

Conclusion

In this article we’ve learned how to modify a controlled GPO, review changes made, and redeploy the modified GPO into your production environment. In the next article we’ll examine how to roll back changes and perform other tasks with controlled GPOs using AGPM.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top