Advanced Group Policy Management (Part 1) - Introduction
If you would like to read the other parts in this article series please go to:
Managing Group Policy Objects (GPOs) in a large organization can be challenging. Advanced Group Policy Management (AGPM), which is part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance (SA), helps lessen this challenge by providing change control and simplified management of GPOs.
This series of articles focuses on AGPM 4.0, which is the version of AGPM you should use for environments running Windows Server 2008 R2 and Windows 7. AGPM 4.0 is part of MDOP 2009 R2, which you can download from the Microsoft Volume Licensing Center. MDOP 2009 R2 is also available through your MSDN or TechNet subscription for testing and evaluation purposes.
Benefits of AGPM
AGPM provides the following benefits for Group Policy administrators:
- Offline editing – AGPM maintains an archive of GPOs it manages. GPOs that are stored in the AGPM archive are called controlled GPOs. The AGPM archive is stored offline from SYSVOL, so any changes you make to GPOs while they are in the archive do not affect your production environment.
- Change control – You can check a controlled GPO out of the AGPM archive, edit it, check it back in, and deploy it to your production network. Checking out a GPO locks the GPO so that no one else can edit it while you're working on it. AGPM also maintains a history of all changes made to a GPO. This lets you compare different versions of GPOs and roll back to a previous version if needed.
- Role-based delegation – AGPM lets you delegate the administration of controlled GPOs to different people on your team. AGPM roles include reviewers, editors, approvers and administrators. This role-based delegation model allows you to establish workflows for how GPOs will be managed in your environment.
- Search and filtering – AGPM provides enhanced search and filtering capabilities to help you quickly find the version of a particular GPO you are looking for in your archive.
- Test to production – AGPM lets you copy controlled GPOs between two forests. This means you can create a separate test environment that mirrors your production environment and use AGPM in your test environment to test GPOs you create. Then once your testing is completed, you can copy the GPOs from your test environment to your production environment and then use AGPM in your production environment to deploy the GPOs.
Architecture of AGPM
AGPM uses a client/server architecture. The AGPM Server component installs on a domain controller or member server and it manages the AGPM archive via the AGPM Service. If desired, the archive can be located on a different computer than the one on which the AGPM Server component is installed. The AGPM Client component installs on a domain controller, member server or administrator workstation and it extends the functionality of the Group Policy Management Console (GPMC) on that computer. If the AGPM Client is on a different computer than the AGPM Server, the two components communicate through firewall port 4600 on the server. Figure 1 illustrates the AGPM client/server architecture.
Figure 1: Client/server architecture of AGPM.
Installing the AGPM Server
In this walkthrough we'll install the AGPM Server component on a domain controller named SEA-DC-01 in the contoso.com domain. Begin by logging on as an administrator (we'll use the CONTOSO\Administrator account) and inserting your MDOP 2009 R2 media. The MDOP splash screen appears:
Figure 2: MDOP 2009 R2 splash screen.
Clicking the Advanced Group Policy Management option takes you to the following screen:
Figure 3: Screen for installing AGPM components.
In the AGPM 4.0 section of the screen, click Install Server (64-bit). This launches the setup wizard shown next:
Figure 4: Step 1 of installing the AGPM Server component.
After accepting the licensing agreement, you can accept the default path where the AGPM Server components will be stored:
Figure 5: Step 2 of installing the AGPM Server component.
On the next screen you provide the path for where the AGPM archive will be located. This can be on the local server or somewhere on your network. We'll accept the default:
Figure 6: Step 3 of installing the AGPM Server component.
The next screen lets you specify an account under which the AGPM Server will run. Since we're installing the AGPM Server components on a domain controller, we can select the Local System option:
Figure 7: Step 4 of installing the AGPM Server component.
On the next screen you specify the user account that will be the owner of the AGPM archive. We'll select the domain administrator account for this purpose:
Figure 8: Step 5 of installing the AGPM Server component.
The next screen lets you open port 4600 on the server's firewall. If you choose to install the AGPM Client component on a different computer, such as an administrator workstation, then this port must be open on the server's firewall so that the AGPM Client can communicate with the AGPM Server. We'll accept the default here and make sure Add Port Exception To Firewall is checked as shown below:
Figure 9: Step 6 of installing the AGPM Server component.
On the next screen, we'll deselect all languages except English which is the only language we'll need for this scenario:
Figure 10: Step 7 of installing the AGPM Server component.
On the next screen you click Install to install the AGPM Server component:
Figure 11: Step 8 of installing the AGPM Server component.
You can click Finish to close the wizard once the AGPM Server components have been installed:
Figure 12: Step 9 of installing the AGPM Server component.
Installing the AGPM Client
In this walkthrough we'll install the AGPM Client component on a Windows 7 SP1 x64 workstation named SEA-ADMIN-1 in the contoso.com domain. Before you can install the AGPM Client on the workstation, you must download and install the Remote Server Administration Tools (RSAT) for Windows 7 with Service Pack 1. You can download this from here. Once you've installed RSAT on your workstation, use Add Windows Features to enable the feature named Group Policy Management Tools. Once this is done, make sure you're logged on as an administrator (once again we'll use the CONTOSO\Administrator account) and insert your MDOP 2009 R2 media. When the MDOP splash screen appears, click the AGPM option to display the AGPM installation screen:
Figure 13: AGPM installation screen.
Click the Install Client (64-bit) option to launch the AGPM Client setup wizard. After the welcome and licensing screens, you specify an application path. Then on the next screen you specify the FQDN of your AGPM server:
Figure 14: Specifying the default AGPM Server.
Continue through the wizard until you click Install and then Finish. To verify that the AGPM Client has been successfully installed, open the Group Policy Management Console (GPMC) from Administrative Tools. Expand the console tree until beneath your domain you see a Change Control node (see Figure 15 below). This Change Control node is the extra feature that installing the AGPM Client component adds to the GPMC. In other words, AGPM extends the functionality of the GPMC instead of replacing it. You'll still use the GPMC as your main tool for managing all aspects of Group Policy in your environment. It's just that the GPMC now has extra functionality for change control management of GPOs.
Figure 15: The Change Control tab of the GPMC when the AGPM Client is installed.
If when you open the GPMC and select the Change Control node you get an error saying "Could not retrieve a list of controlled GPOs. You do not have sufficient permissions to perform this operation" then you're probably logged on to your admin workstation using a different user account than the one you used earlier to install the AGPM Server component on your domain controller. Be sure to use the same admin-level user account for both walkthroughs above. We'll learn how to delegate AGPM roles in a later article of this series.
This article examined AGPM 4.0 and described the benefits it can bring to your environment, how it works, and how to install it. In the next article we'll see how to take control of existing GPOs in our environment and how to create, edit and deploy controlled GPOs to production.
If you would like to read the other parts in this article series please go to: