AGPM aka change management for GPO’s

AGPM (Advanced Group Policy Management) is essentially a change management tool for Group Policy: it assists in deploying new policies, modifying existing policies, and rolling back to older versions if something has gone wrong.

I’m a big fan of AGPM simply from the point of view of being able to see a) who’s done what and b) what’s changed between edits. It gives you that extra level of change control around your GPOs. In the environment I’m in, it also means we’re not needing to raise a change request for every single minuscule change being made to our GPOs, because we have this system in place.

The AGPM Installer is part of the MDOP suite. Currently MDOP 2015 is out and AGPM’s latest version is 4.0 SP3.

There are two parts to AGPM:

  •  client (installed locally or on a jump box)
  •  server (installed on a specific AGPM server – can be a DC, but preferably its own server; this box holds the archive and runs as a service account with full control of every GPO, so treat it as Tier 0 and lock it down the same way you would a DC)

Microsoft’s technical documentation on AGPM is worth reading alongside this.

Some of the information I’ve got here duplicates their documentation, but it is written slightly differently, in a way that’s easier for me (and my team… and hopefully others!) to understand and follow.

Prerequisites

  • RSAT tools – These are required for the Group Policy Management Tools (also, I can’t be the ONLY one who giggles every time they say ‘RSAT’ out loud :P) and are required for both Server & Client installs
  • .NET 3.5 is installed – I suggest doing this prior to attempting the install, as the install may fail if this isn’t present, and it doesn’t fail in an easily detectable way (at least from personal experience)
  • An AGPM service account – this service account will have full access to all Group Policy objects, which makes it as powerful as a Domain Admin for anything a GPO can do; give it a dedicated account with a long random password and never use it interactively
    • If you have an existing domain, you will need to give this account rights to the current policies and environment in order for AGPM to work correctly
    • This account must be a member of both:
      • Group Policy Creator Owners
      • Backup Operators (itself a privileged built-in group that can log on to and back up domain controllers, which is one more reason to protect this account)
  • AGPM Archive Group – group set up to take ownership of (and be able to access and back up) the group policy archive
    • Ideally, this will contain your Domain Admin group and the service account you’ve setup for AGPM

Before starting the install, give the AGPM service account you just created the correct rights:

  • Create the AGPM service account
  • Open ‘Group Policy Management’
  • Expand out the domain and click on ‘Group Policy Objects’
  • Select the ‘Delegation’ tab
  • Click ‘Add…’
  • Add the AGPM service account
  • For any group policies that already exist that you want to control via AGPM
    • Click the specific Group Policy
    • Select the ‘Delegation’ tab
    • Click ‘Add…’
    • Type in the AGPM service account
    • Click ‘OK’
    • In the ‘Add Group or User’ window, change the permissions to ‘Edit settings, delete, modify security’
    • Click ‘OK’

If you have a “Deny log on as a service” GPO in place (or one that restricts “Log on as a service” to a fixed list), you’ll also need to make sure the AGPM service account is granted “Log on as a service” on your AGPM servers, since the AGPM service runs under that account and will not start without it.
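The prerequisite steps above, done as a script. This is an added example and not from the original post; all of the names in it (svc_agpm, the “AGPM Archive Owners” group, the OU path) are assumptions to change for your environment. It needs the RSAT ActiveDirectory and GroupPolicy modules and a Domain Admin session.

```powershell
# Added example, not from the original post: the service-account prerequisites
# above as a script. Run as a Domain Admin on a host with the RSAT
# ActiveDirectory and GroupPolicy modules. Every name below is an assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$SvcAccount = 'svc_agpm'                                  # assumed service account name
$ArchiveGrp = 'AGPM Archive Owners'                       # assumed archive owners group
$TargetOu   = 'OU=Service Accounts,DC=corp,DC=example'    # assumed OU for both objects

# 1. Service account. The password is prompted for, never written into the script.
#    It ends up with full control of every GPO, so treat it as a Tier 0 credential.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount -Path $TargetOu `
        -AccountPassword (Read-Host -AsSecureString "Password for $SvcAccount") `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'AGPM service account: full control of all GPOs, Tier 0'
}

# 2. The two group memberships AGPM needs. Backup Operators is itself a
#    privileged built-in group (it can back up files on domain controllers).
foreach ($grp in 'Group Policy Creator Owners', 'Backup Operators') {
    Add-ADGroupMember -Identity $grp -Members $SvcAccount
}

# 3. Archive owners group: the service account plus Domain Admins, as in the prerequisites.
if (-not (Get-ADGroup -Filter "Name -eq '$ArchiveGrp'")) {
    New-ADGroup -Name $ArchiveGrp -GroupScope Global -GroupCategory Security -Path $TargetOu
}
Add-ADGroupMember -Identity $ArchiveGrp -Members $SvcAccount, 'Domain Admins'

# 4. "Edit settings, delete, modify security" on every existing GPO in one pass
#    (the per-GPO Delegation tab steps above). Group Policy Creator Owners
#    membership already covers the right to create new GPOs.
Set-GPPermission -All -TargetName $SvcAccount -TargetType User `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# 5. Verify: list any GPO where the account does not hold that level.
$missing = Get-GPO -All | Where-Object {
    $p = Get-GPPermission -Guid $_.Id -TargetName $SvcAccount -TargetType User -ErrorAction SilentlyContinue
    (-not $p) -or ($p.Permission -ne 'GpoEditDeleteModifySecurity')
}
if ($missing) { $missing | Select-Object DisplayName, Id | Format-Table -AutoSize }
else          { "All $((Get-GPO -All).Count) GPOs delegated to $SvcAccount." }

# Not scripted here: granting "Log on as a service" on the AGPM server, which
# lives in the server's local security policy (or whichever GPO sets it).
```

Step 5 is the part worth keeping around: re-run it whenever someone creates a GPO outside AGPM, because a GPO the service account cannot modify will show up as uncontrolled and fail to deploy.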

Installation

Installing AGPM Server

  • Open up MDOP ISO/CD
  • Browse to: <DRIVE>:\AGPM\AGPM 4.0 SP3\Installers
  • Choose your installer type (most server installs will be x64)
  • Double click on agpm_403_server_<ArchitectureType>.exe
    • If prompted with UAC, click ‘Yes’
    • Click ‘Next’
    • Tick the ‘I accept the license terms.’ box
    • Click ‘Next’
    • Either accept the default or change the install location
    • Click ‘Next’
    • Either accept the default or change the archive store location
    • Click ‘Next’
    • Enter the credentials for your AGPM service account – ensure that it is in <domain>\<username> format or the install will fail (and fail relatively silently)
      • See prerequisites if you haven’t created this yet
    • Click ‘Next’
    • Select the group who will be the owner of your group policy archives
      • See prerequisites for who should be in this group if you haven’t yet created it
    • Click ‘Next’
    • Select the port – leave as default (4600) unless you have a specific reason to modify the port
    • Ensure the ‘Add port exception to firewall’ is ticked (the rule it creates allows any remote address; once the install is done, scope it to the jump boxes your admins will run the client from)
    • Click ‘Next’
    • Leave all languages selected or deselect those that won’t be used in your environment
    • Click ‘Next’
    • Click ‘Install’
    • Click ‘Finish’ once the install has completed

Installing AGPM Client

  • Open up MDOP ISO/CD
  • Browse to: <DRIVE>:\AGPM\AGPM 4.0 SP3\Installers
  • Choose your installer type (x64 or x86)
  • Double click on agpm_403_client_<ArchitectureType>.exe
    • If prompted with UAC, click ‘Yes’
    • Click ‘Next’
    • Tick the ‘I accept the license terms.’ box
    • Click ‘Next’
    • Either accept the default or change the install location
    • Click ‘Next’
    • Type in the DNS/IP of the AGPM server
    • Type in the port of the AGPM server
    • Ensure ‘Allow the Microsoft Management Console through the firewall’ is ticked
    • Click ‘Next’
    • Leave all languages selected or deselect those that won’t be used in your environment
    • Click ‘Next’
    • Click ‘Install’
    • Click ‘Finish’ once the install has completed
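A few checks to run after the server and client installs, as an added example that is not part of the original post. The server name AGPM01, the jump box addresses and the port 4600 (the installer default) are assumptions.

```powershell
# Added example, not from the original post: post-install checks for the AGPM
# server and a client/jump box. AGPM01, the jump box IPs and port 4600 (the
# installer default) are assumptions.
$AgpmServer = 'AGPM01'
$AgpmPort   = 4600

# --- On the AGPM server ---
# The service should be running under the AGPM service account you entered as domain\username.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%AGPM%'" |
    Select-Object Name, State, StartMode, StartName

# Something should be listening on the AGPM port.
Get-NetTCPConnection -LocalPort $AgpmPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# The inbound rule the installer added. It is open to any remote address by default;
# the client only needs to reach it from the jump boxes admins use, so scope it.
$rule = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$AgpmPort" -and $_.Protocol -eq 'TCP' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
$rule | Select-Object DisplayName, Profile, Action, Enabled
# $rule | Set-NetFirewallRule -RemoteAddress '10.0.10.11', '10.0.10.12'   # assumed jump box IPs

# --- On a client / jump box ---
# TcpTestSucceeded should be True; if not, check the firewall rule above and DNS.
Test-NetConnection -ComputerName $AgpmServer -Port $AgpmPort |
    Select-Object ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded
```

If the service shows a StartName other than the account you expect, the credentials were probably not entered in domain\username form; fix the service logon and restart it rather than re-running the installer.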

Configuring AGPM

Permissions & Delegation

  • Open Group Policy Management (via where ever you have installed the AGPM client)
  • Expand the domain
  • Click on ‘Change Control’
    • This is the AGPM area – all editing of group policies is now to be done here and nowhere else  (something you may struggle to get your fellow admins to remember)
  • Select the ‘Domain Delegation’ tab
    • This is where you’ll be able to add users/groups and assign them permissions within AGPM
    • You should see the group you created originally who are the Group Policy Archive Owners within AGPM listed here as ‘Full Control’ – don’t change this, it is required
  • Click ‘Add…’
  • Select the group you’d like to be given a role within AGPM
  • Click ‘OK’
  • In the ‘Add Group or User’ window, select which role you want that user or group to have
    • Reviewer – these users can view group policies and their settings and create reports, but they have no edit rights
    • Editor – includes the rights of Reviewers, but can also edit existing GPO’s
    • Approver – includes the rights of Reviewers, but can also create, deploy and delete GPOs, and approve or reject requests from Editors
      • If a user is only an approver, they do not have the same rights as Editors (edit existing GPO policies) so you may want to give some of your Approvers Editor rights as well
    • Full Control – full permissions; includes rights of all three previous roles (Review, Editor, Approver) and can also edit permissions within AGPM/Group Policy
  • Click ‘OK’

Approval Request email settings

  • Open Group Policy Management (via where you installed the AGPM client)
  • Expand the domain
  • Click on ‘Change Control’
    • This is the AGPM area – all editing of group policies is now to be done here and nowhere else (do you notice I’m emphasizing this point?)
  • Select the ‘Domain Delegation’ tab
  • In the ‘Sent approval requests’ section
    • Add the ‘From’ email address of where you’d like your approval emails to be coming from
    • Add the email address you’d like your emails to be going to – this should be an email group containing all users who hold ‘Approver’ status
    • Add the SMTP server
      • If your SMTP server requires a username and password, put these values in their respective fields. Those credentials are stored by AGPM, so where you can, use an internal relay that accepts mail from the AGPM server’s address without a mailbox password.
  • Click ‘Apply’

Using AGPM

Using AGPM may take a little bit to get used to, especially if you’re used to just editing GPO’s on the fly. I promise it’s worth it!

To create a new Controlled GPO

  • Open ‘Group Policy Management’ as an Editor or Approver
  • Click on ‘Change Control’
  • Make sure you’re on the ‘Contents’/’Controlled’ tab
  • Right-click and select ‘New Controlled GPO…’
  • Give your GPO a name (please remember to stick to whatever naming convention you have in place – and if you don’t have one get one!)
  • Add in any comments regarding what the GPO is designed to do (though this isn’t required, but is recommended)
  • Ensure that ‘Create in archive and production’ is selected
  • Click ‘Submit’
  • On the progress window that appears, click ‘Close’ once the actions have completed
    • Your GPO will need to be approved by an Approver before you can edit any settings if you created this as an Editor

To control an existing GPO

  • Open ‘Group Policy Management’ as an Approver
  • Open ‘Group Policy Objects’ (above ‘Change Control’) and select the policy you’d like to be controlled
  • In right-hand view, click on ‘Delegation’ tab
  • Select the service account you created above to have rights over your GPO’s
  • Give it the following permissions: Edit settings, delete, modify security
  • Click ‘OK’
    • You’ll now be able to control that GPO via AGPM
  • In ‘Change Control’ within AGPM, make sure you’re on the ‘Contents’/’Uncontrolled’ tab
  • Right-click on the GPO you’d like to control
  • Click ‘Control…’
  • Comments can be put in to describe why this policy is being brought under control, but they aren’t necessary
  • Click ‘OK’
  • On the progress window that appears, click ‘Close’ once the actions have completed

To edit a Controlled GPO

  • Open ‘Group Policy Management’ as an Editor
  • Click on ‘Change Control’
  • Make sure you’re on the ‘Contents’/’Controlled’ tab
  • Right-click on the GPO you wish to edit and select ‘Checkout…’
  • Place comments in as to why it’s being checked out (as with all other comments, not required, but can be useful if you’re going to be checking it out for an extended period of time)
  • Click ‘OK’
  • On the progress window that appears, click ‘Close’ once the actions have completed
  • Right-click on the GPO you’ve just checked-out and select ‘Edit’
  • Make the changes you require to the GPO settings and close the GPM Editor window
  • Right-click on the GPO you edited and select ‘Checkin…’
  • Place comments in as to why it’s being checked in (again, totally optional)
  • Click ‘OK’
  • On the progress window that appears, click ‘Close’ once the actions have completed
  • Right-click on the GPO you edited and select ‘Deploy’
  • Place comments in as to what changes have been made
    • This is the only time I’ll say that comments are mandatory – you should document what changes you’ve made so that someone reviewing can compare the changes made to the group policy with what you’ve said you were changing
  • Click ‘OK’
  • On the progress window that appears, click ‘Close’ once the actions have completed
    • If this was performed as a user with only ‘Editor’ rights, it will now need to be approved by someone with the ‘Approver’ role

Approving a controlled GPO

  • Open ‘Group Policy Management’ as an Approver
  • In ‘Change Control’ within AGPM, make sure you’re on the ‘Contents’/’Pending’ tab
  • If there are GPO’s to be approved, they’ll be displayed within this view (you should also have received an email from AGPM to alert you to the editing of the GPO, depending on how your AGPM environment has been configured)
  • Right click on the GPO to be approved and select ‘Differences’ -> ‘HTML Report’
    • This will allow you to view what has been changed from the original GPO
    • If this is a brand new GPO, this option will be greyed out
    • Check this every time – you want to ensure that what’s being changed is legitimate and matches what the deploy comment says was changed
  • View the differences to the GPO and then close the browser window
  • Right-click on the GPO to be approved and select either Approve or Reject
    • Comments aren’t necessarily required, but if rejecting, a rejection reason should be supplied
  • On the progress window that appears, click ‘Close’ once the actions have completed
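An out-of-band check an Approver can run alongside the HTML difference report, added here as an example and not part of the original post or of AGPM itself. It snapshots the production GPO before approval and again after the deploy, then reports whether the settings, the security filtering (who the GPO applies to) or the links changed, so a scope change that a settings diff alone would not show stands out. It assumes a domain-joined host with the RSAT GroupPolicy module; the GPO name and the snapshot folder are placeholders, and the settings hash is a heuristic (any byte change in the report’s settings extensions counts as a change).

```powershell
# Added example, not from the original post: snapshot a production GPO before
# approval and after deploy, then compare settings, security filtering and links.
# Assumes the RSAT GroupPolicy module; GPO name and folder are placeholders.
Import-Module GroupPolicy

function Save-GpoSnapshot {
    param([Parameter(Mandatory)][string]$Name, [string]$Store = 'C:\GPOSnapshots')
    New-Item -ItemType Directory -Path $Store -Force | Out-Null
    $safe = $Name -replace '[^\w\-]', '_'
    $file = Join-Path $Store ('{0}-{1}.xml' -f $safe, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    Get-GPOReport -Name $Name -ReportType Xml -Path $file
    return $file
}

function Get-GpoFacts {
    param([Parameter(Mandatory)][string]$XmlPath)
    [xml]$report = Get-Content -Path $XmlPath -Raw
    $gpo = $report.GPO

    # Trustees allowed to apply the policy = the GPO's security filtering.
    $applies = foreach ($tp in $gpo.SecurityDescriptor.Permissions.TrusteePermissions) {
        if ($tp.Standard.GPOGroupedAccessEnum -eq 'Apply Group Policy' -and
            $tp.Type.PermissionType -eq 'Allow') {
            $n = $tp.Trustee.Name
            if ($n -is [string]) { $n } else { $n.'#text' }   # element may carry an xmlns attribute
        }
    }

    # Hash only the settings extensions; version counters elsewhere change on every edit.
    $settingsXml = @($gpo.Computer.ExtensionData) + @($gpo.User.ExtensionData) |
        Where-Object { $_ } | ForEach-Object { $_.OuterXml }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString(
                $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes(($settingsXml -join "`n")))) -replace '-', ''

    [pscustomobject]@{
        AppliesTo = @($applies | Sort-Object -Unique)
        LinksTo   = @($gpo.LinksTo | ForEach-Object {
                        "$($_.SOMPath) (enabled=$($_.Enabled), enforced=$($_.NoOverride))" } | Sort-Object)
        Settings  = $hash
    }
}

function Compare-GpoSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $b = Get-GpoFacts -XmlPath $Before
    $a = Get-GpoFacts -XmlPath $After
    [pscustomobject]@{
        SettingsChanged  = ($b.Settings -ne $a.Settings)
        FilteringAdded   = @($a.AppliesTo | Where-Object { $_ -notin $b.AppliesTo })
        FilteringRemoved = @($b.AppliesTo | Where-Object { $_ -notin $a.AppliesTo })
        LinksAdded       = @($a.LinksTo   | Where-Object { $_ -notin $b.LinksTo })
        LinksRemoved     = @($b.LinksTo   | Where-Object { $_ -notin $a.LinksTo })
    }
}

# Usage (assumed GPO name):
#   $before = Save-GpoSnapshot -Name 'Workstation Baseline'     # before clicking Approve
#   ... approve in AGPM and let the deploy finish ...
#   $after  = Save-GpoSnapshot -Name 'Workstation Baseline'
#   Compare-GpoSnapshot -Before $before -After $after
```

A deploy that only touched settings should show SettingsChanged = True with empty Filtering and Links lists. Anything in FilteringRemoved or LinksRemoved means the GPO now applies to a different set of machines or users than it did before the change, which is something to re-apply and re-check before you sign the change off as done.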

There are other things to do within AGPM, but these are the major actions you’ll be performing within AGPM on a daily basis.

AGPM tips & tricks

  • Control all your GPOs – this just makes the process easier, because there is only one way of editing/managing GPOs
  • Remove your DAs from being GPO owners – this is an interesting one, but I highly suggest it. It means you’re less likely to get conflicts from DAs editing GPOs directly via a DC, and it keeps every change going through the check-out/check-in/approve flow where it gets recorded.
  • Separate your roles: I’ve spoken about it before, but it makes sense to keep your roles separate:
    • Domain Admin accounts: Approvers
    • Server Admin accounts: Editors
    • Desktop Admin accounts: Reviewers (if required)
  • Do not approve your own GPO changes – for sanity checking, get someone else to approve your GPO deploys. If you’re editing using your own Server Admin account, don’t approve with your Domain Admin account – get someone else to sanity check it!

So there you have it – my run down on AGPM, how to install it, how to use it and a few tips and tricks on the best way to use it and get the most out of it! Hopefully useful to some of you!

(If there is anything incorrect, missing or you’d like to see some other functionality described etc. etc. please let me know!)

Comments

  1. Alicia

    If only you didn’t need Software Assurance (or MDOP) to get it. It’s awesome, but can end up hideously expensive if you have a big user base and no SA. Want…

  2. Kyle

    I really wanted to like AGPM, but found it was just too finicky. I have a large but physically disparate team of SysAdmins, each responsible for a number of sites in the state they are based in. AGPM sounded great to add the auditing and permission delegations I wanted for GPOs.

    Basic things, however, like security filtering not being handled by AGPM has killed any hope of using it at this point (e.g. a GPO that is filtered by membership of “SecurityGroupA”. If you import it into AGPM, edit it and then deploy it, you will find that security filtering has been reset and now applies to “Authenticated Users”. You then have to manually re-apply the filtering using normal GPMC and re-import back into AGPM).

    Other items like GPLinks, WMI filtering, GPO status and renaming GPOs also have a number of manual tasks that need to be done each time AGPM touches them. So instead of making life easier for the team, it would actually complicate it too much.

    Such a shame, as the basic principle is a good one.

    1. Fred Speece

      Any alternative to AGPM that handles all your cases, Kyle, or anyone else? I set up a server and spent a decent amount of time obtaining the software and reading about it, then read this comment. Really sucks, as AGPM is useless because of those points raised.

  3. Kribag

    We’re experiencing the same issues regarding security filtering getting replaced with Authenticated Users when a GPO is changed/deployed. This could be fatal when testing stuff… I guess there’s nothing to do about this? What AGPM version are you guys running?

