UPDATE – These instructions have now officially been added to the AGPM Microsoft Docs documentation.
Super quick post, but I want to put this out there because it’s taken me weeks to figure out what the hell has been going on with one of my AGPM servers.
Late last year, had someone in my SOE team say that they couldn’t see difference reports for a specific domain. Errored every time.
Should be a quick fix…it wasn’t. Tried all sorts of things and in the end, ended up blowing the AGPM server away and starting again. It worked…for a time.
It then started giving the same error again. So I knew that blowing it away and reinstalling would work…but only temporarily. So I went looking for an *ACTUAL* fix.
The main link I found was this one and while it did have some useful information in it, it still didn’t solve my problem. It talks of a hotfix – which (up until a few weeks ago) had disappeared and couldn’t be found. They have since relinked it back so you can still grab it.
So without further ado, here are the steps I used to fix this problem once and for all!
- Make sure you know the username/password of your AGPM service account
- If you don’t know the password, change it and then modify your AGPM installation
- Give your AGPM service account administrative rights over your AGPM server – even if it’s just temporarily!
- Log onto your AGPM server AS YOUR AGPM SERVICE ACCOUNT
- This step is critically important – if you log on as a different user, it will not work. (Yes, even as a Domain/Enterprise admin. I know. I tried.)
- This step is the one that is missing from every help article I went looking at – none of the mentioned this!
- Shutdown AGPM service
- This just saves you having to wait while the installer tries to do it and then complains about it
- Install hotfix: MDOP March 2017 Servicing Release (AGPM4.0SP1_Server_X64_KB4014009.exe)
- Once done, don’t worry about restarting the service, the installation will do that all for you!
- Remove the admin rights for the AGPM Service Account if you don’t want it to a permanent admin of the server
- Log off the server
- Connect to AGPM using an AGPM client
- Preferably on a machine that is not the AGPM server!
- See that your difference reports now work again!
I really really hope this helps someone else who’s bashed their head against the wall repeatedly trying to fix this. If it has, shoot me a comment and let me know!
Thank you so much for this Post! I safed a lot of time after I spend already enough work troubleshooting the issue to generate a HTML GPO difference report. It actually helped me a lot after I bashed my head against the wall repeatingly trying to fix this.
Great POST!!!!
Lyn
(System Engineer)
Excellent, you helped me! Thank you!
what if I was lazy and used a Local System Account instead of a proper service account when I installed AGPM?
psexec /sid cmd.exe 😉 And run installer from this new CMD instance
That’s a nice article , Thanks 🙂
thankyou soo much – cant believe its 2022, and they STILL havent merged it with the current MDOP release..
THANK YOU! 2023 and this is still needed.
Thank you so much!
To the person who asked about what happens if you use the Local System Account, the patch DOES appear to work. After installing the patch, I could immediately get the reports to work but I also had a second issue where I could check out a GPO but received the username/password error 80004003 if I attempted to check it bck in. I had to reboot the whole server for the “check in” issue to go away.
I simpy installed the patch. I didn’t have to do all the other stuff such as logging in as the service account but maybe that is still required if you aren’t using the Local Service Account?
Brilliant! Despite SP3 installed, my AGPM behave exactly as described and your fix solved problem. Thank you sooo much! 🙂
Honestly, this is such an old post but I get so many folks who say that it’s helped them. I’m so thrilled it’s still helping folks years later! Gives me the warm and fuzzies.
A big Thank you also from my side for providing us with this information. As most of the readers, it took me hours to fiddle around with the error until I finally discovered your post.