This post is part of the following article series:
- Advanced Group Policy Management – Introduction
- Advanced Group Policy Management – Server Installation
- Advanced Group Policy Management – Client Installation
- Advanced Group Policy Management – Securing AGPM
AGPM is part of the Microsoft Desktop Optimization Pack (MDOP), which is available for licenses with Software Assurance. AGPM itself is more like a plugin for GPMC than a separate tool. It extends the capabilities of the standard GPMC by providing the following benefits:
- An archive to enable Group Policy administrators to create and modify Group Policy objects (GPOs) offline before deploying them to a production environment.
- The ability to roll back to any previous version of a GPO in the archive and to limit the number of versions stored in the archive.
- Check-in/check-out capability for GPOs to ensure that Group Policy administrators do not inadvertently overwrite each other’s work.
- Management of Group Policies across different domain forests, with the ability to copy GPOs from one forest to another.
- Easier GPO tracking through the new search and filter capabilities, which let you find GPOs that were last changed by a specific administrator, on a particular date, or by other criteria.
- Standard roles for delegating permissions to manage GPOs to multiple Group Policy administrators, as well as the ability to delegate access to GPOs in the production environment.
AGPM can help an organization of any size manage GPOs more securely and efficiently than by using only the GPMC. AGPM allows you to delegate Group Policy administration based on roles for the tasks that Group Policy administrators perform. AGPM also allows you to delegate Group Policy administration at the domain level and at the GPO level, so that different administrators can manage different GPOs. There are four default roles you can use:
- Reviewer – List, Read
- Editor – List, Read, Edit, Create Template
- Approver – List, Read, Create GPO, Deploy GPO, Delete GPO
- Full Control – its name speaks for itself
The workflow diagram below (from the official guide) explains how the specific roles work together:
AGPM is divided into two installation roles – server and client. The server role acts as the archive for Group Policy objects: it allows you to deploy, roll back and edit your policies offline. The client role is a front-end interface (similar to the standard GPMC) installed on each computer that will be used to manage GPOs.
AGPM Server Requirements:
AGPM Server 4.0 Service Pack 1 (SP1) requires Windows Server® 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista with SP1, and the Group Policy Management Console from the Remote Server Administration Tools (RSAT) installed. Before you install the AGPM Server, you must be a member of the Domain Admins group.
So in general, our pre-installation prerequisites are:
- Windows Server 2008 / Vista SP1 or higher (2012 / 8 preferred)
- GPMC installed
- WCF Activation: Non-HTTP Activation
- Windows Process Activation Service
- Process Model
- .NET Environment
- Configuration APIs
- Domain Admin account
- AGPM Administrator Account (see installation guide part 2)
- AGPM Service Account (see installation guide part 2)
- Proper permissions on existing GPOs
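A pre-flight check for the server prerequisites listed above, as an added example that is not part of the original article or of AGPM itself. It assumes Windows Server 2008 R2 / 2012 with the ServerManager module; the internal feature names used here are the Get-WindowsFeature names that correspond to the display names in the list, so verify them on your own build before relying on the result.

```powershell
# Added example (not from the article): verify AGPM Server prerequisites before running setup.
# Assumes Windows Server 2008 R2 / 2012; Get-WindowsFeature is not available on client Windows.
Import-Module ServerManager

# Get-WindowsFeature name -> display name from the prerequisites list (names assumed, check them)
$requiredFeatures = [ordered]@{
    'GPMC'                = 'Group Policy Management Console'
    'NET-Non-HTTP-Activ'  = 'WCF Activation: Non-HTTP Activation'
    'WAS'                 = 'Windows Process Activation Service'
    'WAS-Process-Model'   = 'Process Model'
    'WAS-NET-Environment' = '.NET Environment'
    'WAS-Config-APIs'     = 'Configuration APIs'
}

function Test-AgpmServerPrerequisites {
    $missing = @()
    foreach ($name in $requiredFeatures.Keys) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if (-not $feature -or -not $feature.Installed) {
            $missing += $requiredFeatures[$name]
        }
    }

    # Setup must run as a member of Domain Admins. Domain Admins always has RID 512,
    # so look for a group SID of the form S-1-5-21-<domain>-512 in the current token.
    $identity      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isDomainAdmin = [bool]($identity.Groups | Where-Object { $_.Value -like 'S-1-5-21-*-512' })

    return [pscustomobject]@{
        MissingFeatures = $missing
        IsDomainAdmin   = $isDomainAdmin
        OSVersion       = [System.Environment]::OSVersion.Version
    }
}

$result = Test-AgpmServerPrerequisites
if ($result.MissingFeatures.Count -gt 0) {
    Write-Warning ('Install before AGPM Server setup: ' + ($result.MissingFeatures -join ', '))
}
if (-not $result.IsDomainAdmin) {
    Write-Warning 'Run setup as a member of Domain Admins.'
}
$result
```

The AGPM service and administrator accounts from part 2 are not checked here, because they are created during the installation procedure rather than being an existing-feature prerequisite.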
AGPM Client Requirements:
AGPM Client 4.0 SP1 requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista SP1 and the GPMC from RSAT installed. Both the 32-bit and the 64-bit versions are supported. AGPM Client can be installed on a computer running AGPM Server.
The following table describes why you should consider using the latest version of Windows Server / Windows client.
Read more about AGPM Server installation in part 2 of this article.