Advanced Group Policy Management (Part 2) – Initial Configuration

If you would like to read the other parts in this article series please go to:


Once you’ve installed the client and server components of AGPM, your next task is to set up your environment. Initial configuration of the AGPM environment includes the following tasks:

  • Taking Control of your existing GPOs
  • Configuring the AGPM server connection
  • Configuring GPO version limits for the archive
  • Configuring domain delegation settings
  • Configuring production delegation settings
  • Delegating AGPM roles

The sections that follow explain how to perform these tasks. We will perform our AGPM initial configuration tasks using the CONTOSO\Administrator account. The reason for using this account is because this is the account that was specified as the AGPM Archive Owner in Part 1 of this series, and the Archive Owner account is automatically assigned the AGPM Administrator role and thus has full permissions to configure the AGPM environment. 

The roles of AGPM Administrator (Full Control), Editor, Reviewer and Approver are explained later in this article.

Taking Control of Your Existing GPOs

AGPM distinguishes Group Policy Objects (GPOs) as either controlled or uncontrolled as follows:

  • Uncontrolled GPO – Also called production GPO, this is present in SYSVOL only and is not managed by AGPM. Uncontrolled GPOs are managed using the Group Policy Management Console (GPMC).
  • Controlled GPO – Present in both SYSVOL and in the AGPM archive. The copy stored in the archive is the one you manage using the AGPM extension (the Change Control node) for the GPMC.

Taking control of a production GPO stores a copy of the GPO in the AGPM archive. Once a GPO is controlled, you can check it in or out of the archive to edit it and deploy it back into your production environment. Figure 1 below shows the Change Control node on a computer where AGPM Client component has been installed. The Controlled sub-tab of the Contents tab is selected, and as you can see there are no controlled GPOs yet.

Figure 1: No GPOs are controlled yet.

The next figure shows the Uncontrolled sub-tab, which displays the production GPOs. These GPOs are not yet managed by AGPM.

Figure 2: The production GPOs are not yet managed by AGPM.

To take control of some of your production GPOs, select them (use CTRL to multi-select) and right-click and select Control from the shortcut menu as shown here:

Figure 3: Controlling the GPOs targeting servers in Seattle.

The Control GPO dialog is displayed, allowing you to specify a comment as shown below. This comment will be saved as part of the version history of the GPOs being controlled. 

Figure 4: You can optionally add a comment to each action you performing in AGPM.

The progress bar and status message will indicate once the selected GPOs selected are controlled:

Figure 5: The selected GPOs are now controlled.

Selecting the Controlled sub-tab indicates that the GPOs we selected are now controlled.

Figure 6: The GPOs targeting servers in Seattle are now controlled by AGPM.

Note that you don’t need to take control of all your production GPOs if you don’t want to. For example, you might leave the Default Domain Policy and Default Domain Controllers Policy since best practice is to make only minimal changes to these GPOs (see here for details). You might also take control of your custom GPOs in several stages instead of all at once. For example, in the walkthrough above we’ve only taken control of GPOs that target OUs containing servers because the Contoso IT staff who administer servers are a separate group from the IT staff who administer client computers and user accounts. 

Configuring the AGPM Server Connection

From your admin workstation, you can manually configure the connection to your AGPM server. If this was correctly done when you installed the AGPM Client component on your workstation then you don’t need to perform this step. If the connection to your AGPM server was not correctly done when you installed the AGPM Client, or if you change the firewall port for AGPM connections, or if you need to reconfigure the workstation to connect to a different AGPM server on your network, you can use the AGPM Server tab of the Change Control node in GPMC to do this as shown in Figure 7:

Figure 7: You can manually configure the AGPM host and port number if needed.

If you have multiple AGPM administrators each having their own workstation with the AGPM client installed, you can use Group Policy to ensure these workstations have their AGPM server connection configured properly. The Group Policy setting to use for this is:

User Configuration\Policies\Administrative Templates\Windows Components\AGPM\AGPM: Specify default AGPM Server (all domains)

If your forest has multiple domains and you override the default AGPM server and configure separate AGPM servers for some or all of your domains, then in addition to the previous Group Policy setting you can also configure this one:

User Configuration\Policies\Administrative Templates\Windows Components\AGPM\AGPM: Specify AGPM Servers

Configuring GPO Version Limits for the Archive

By default AGPM will save each and every version you create of every controlled GPO in the AGPM archive. This can add up to a lot of GPO versions over time, which not only consumes disk space but also can make it harder to filter/search for GPO versions because of unwanted results being returned. It’s therefore a good idea to limit how many versions of each controlled GPO can be stored in your archive. You can do this on the AGPM Server tab as shown below by selecting the checkbox and specifying the number of versions to be stored from 0 to 999. 

If you specify 0 then only the current version of each controlled GPO is saved in the archive.

Figure 8: Limiting the number of GPO versions stored in the archive.

Configuring Domain Delegation Settings

When an AGPM Editor or Reviewer wants to create a new controlled GPO or deploy a controlled GPO into production, an email notification message can be automatically sent to an AGPM Approver who can then either approve or deny the requested action. These email notifications can be configured on a per-domain basis using the Domain Delegation tab as shown below. Specify the From and To addresses, the FQDN of your SMTP server, and the credentials used to connect to your SMTP server, then click Apply. The figure shows that users Tony Allen ([email protected]) and Karen Berg ([email protected]) will be delegated with authority to approve AGPM change control actions for the domain. We’ll see later in this article how to assign users the roles of AGPM Administrator (Full Control), Editor, Reviewer and Approver.

Figure 9: Configuring domain-wide email notification settings.

Configuring Production Delegation Settings

You can use the Product Delegation tab (see next figure) to configure how different security groups can access controlled GPOs in your production environment (i.e. stored in SYSVOL). If you choose to do this, you should also limit membership in the Group Policy Creator Owners group since members of this group can circumvent AGPM management of access to production GPOs. For this walkthrough we’ll leave the default permissions and groups as is. Note that the settings here only affect production GPOs that are controlled (have copies in the AGPM archive) and not any uncontrolled production GPOs you may have.

Figure 10: You can modify access to controlled GPOs in the production environment.

Delegating AGPM roles

AGPM supports roles-based delegation so you can distribute different responsibilities for managing your controlled GPOs among the members of your team. Briefly, the four predefined roles of AGPM in essentially decreasing order of authority are as follows:

  • AGPM Administrator (Full Control) – Users having this role can perform any AGPM management task. This role therefore includes the permissions of all other roles and is used primarily for configuring the AGPM environment and for assigning roles to other users.
  • Approver – Users having this role can create, delete and deploy controlled GPOs to the production environment of the domain. They can also view GPO settings but cannot modify them.
  • Editor – Users having this role can check out controlled GPOs, edit them, and check them back into the archive. They can also create templates from GPOs and can import and export GPOs.
  • Reviewer – Users having this role can view GPO settings but cannot modify them.

Full details concerning the specific permissions associated with each AGPM role (and therefore the tasks each role can perform) are summarized in the following table:


AGPM Roles

Full Control




List Contents





Read Settings





Edit Settings



Create GPO



Deploy GPO



Delete GPO



Export GPO



Import GPO



Create Template



Modify Options


Modify Security


Table 1

From the above table you can see that Approvers and Editors are also Reviewers.

For the purposes of this walkthrough we’ll assign AGPM roles to CONTOSO users (who are also domain admins for CONTOSO) as follows:

In addition as mentioned previously the built-in CONTOSO\Administrator account also holds the AGPM Administrator (Full Control) role since it was the account we specified for Archive Owner when we installed the AGPM Server component.

Begin by creating these user accounts with Active Directory Users and Computers as shown below:

Figure 11: AGPM role holders for CONTOSO.

To assign AGPM roles to users, select the Domain Delegation tab:

Figure 12: Initially only CONTOSO\Administrator holds the AGPM Administrator (Full Control) role.

We’ll begin by assigning the AGPM Administrator (Full Control) to Tony Allen. Click the Add button on the Domain Delegation tab above to open the AD DS selection dialog, then type Tony Allen and click Check Names:

Figure 13: Step 1 of assigning the AGPM Administrator (Full Control) role to Tony Allen.

Once Tony’s username is displayed in the selection dialog, click OK to display the Add Group or User dialog as shown next:

Figure 14: Step 2 of assigning the AGPM Administrator (Full Control) role to Tony Allen.

Under Role, select Full Control as shown next and then click OK.

Figure 15: Step 3 of assigning the AGPM Administrator (Full Control) role to Tony Allen.

Tony Allen should now be displayed on the Domain Delegation tab as having the Full Control role:

Figure 16: Tony Allen now holds the AGPM Administrator (Full Control) role.

Continue assigning roles to the other users until all AGPM roles have been delegated as planned:

Figure 17: All AGPM roles have now been delegated to appropriate individuals.

To verify that the roles have been assigned as expected, you can log on as Karen Berg who holds the Approver role. When Karen right-clicks on a controlled GPO on the Controlled sub-tab of the Contents tab, the Check Out option is unavailable because she does not hold the Editor role (see figure below). Only Editors (or AGPM Administrators) have the permissions needed to check out controlled GPOs for editing. 

Figure 18: Karen Berg who holds the Approver role cannot check out a controlled GPO for editing.

The Domain Delegation tab is used to assign AGPM roles for all controlled GPOs in the domain. You can also assign AGPM roles for individual controlled GPOs by selecting them on the Controlled sub-tab of the Contents tab and then using the bottom portion of the tab to add, remove or modify AGPM permissions for users.


In this article we’ve learned how to perform initial configuration tasks associated with your AGPM environment. In the next few articles we’ll see how AGPM role holders can manage controlled GPOs by checking them in or out of the archive, editing them, deploying them to production, rolling the back, and so on.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top