Microsoft Advanced Group Policy Management (AGPM) Myths and Facts
As a Group Policy MVP, I am often asked about Microsoft's Advanced Group Policy Management software, or AGPM for short. AGPM is a "change management" system around Group Policy Objects (GPOs) themselves. It enables teams of administrators to avoid stepping on people's toes, enables quick rollback of undesired changed GPOs, provides a history of changes, and performs comparisons between live and "offline" GPOs.
In considering AGPM, administrators and managers are often confused about:
- What it does, versus what is in the box.
- What it costs, and how do they get it.
- How it works and how to install it.
- The underlying architecture
- Resources to get more information
...and more !
With that in mind, here's a handful of AGPM Myths and Facts to help you decide if AGPM is right for you and some tips on your AGPM journey.
MYTH: I don’t need AGPM, I have everything I need in the box.
Fact: For starters, AGPM doesn’t ship in the box with, say, Server 2008 or Server 2012. What does ship in the box as included as part of both Windows server and Windows client, would be called “Group Policy Core” functionality, which includes the GPMC utility, the Group Policy and Group Policy Preferences settings. The “change management” functionality (or the other features listed earlier) of AGPM aren’t in the box. What is true, however, is that AGPM fits “inside” the GPMC, which administrators know and love. You can see AGPM inside the GPMC in Figure 1.
Figure 1: AGPM fits inside the GPMC
MYTH: AGPM is free to use / I want to buy just AGPM
Fact: AGPM isn’t a free download. It’s part of the paid “Microsoft Desktop Optimization Pack” MDOP suite of tools. And, the tools within MDOP are not sold separately. When you get an MDOP subscription you acquire all the tools in MDOP, even if you only wish to utilize AGPM. For more information on purchasing MDOP start out at www.Microsoft.com/mdop and/or talk with your Microsoft representative about purchase options.
MYTH: AGPM adds super-powers to every desktop
Fact: AGPM adds zero super-powers to your desktop. That’s OK, AGPM isn’t meant to add more super-powers to every desktop.
Remember: AGPM is a “change management” tool, not a “desktop management” tool.
This is the biggest myth about AGPM, mostly because it ships within the “Microsoft Desktop Optimization Pack” bundle. People see the words “Desktop Optimization” in the MDOP suite name, and falsely assume AGPM adds more super-powers to the Group Policy “core” or perform new abilities on desktops themselves.
Note, I’m not saying AGPM isn’t powerful or useful. It is – to do the job it was designed for. It simply doesn’t have any desktop super-powers.
The kinds of super-powers people often want to add to their arsenal of desktop management is configuring 3rd party applications, which, Microsoft’s in-the-box Group Policy doesn’t excel at. If you’re looking to actually add desktop superpowers to your existing Group Policy superpowers, consider PolicyPak Professional (www.PolicyPak.com) which is specifically designed to augment existing Group Policy deployments, and add extra super powers like managing Lync, IE, Firefox, Flash, Java, Acrobat, and 80+ other applications via Group Policy. PolicyPak can additionally perform true security upon these apps so users cannot work around your settings – even when they’re offline. In other words, true desktop superpowers.
MYTH: AGPM has a complicated architecture
Fact: AGPM almost couldn’t be simpler. There is a server piece, which can live on any Windows server (latest Windows Server version always preferred.) There is no UI to the AGPM server, it literally installs just a Windows service. Then there’s the AGPM “client”. The AGPM client is loaded on administrator computers and simply extends the GPMC to provide the AGPM node and interface to AGPM. That’s it.
There are no databases to install, and the client piece doesn’t need to be loaded on everyone’s machine in the company. Simply on administrators’ machines who want to participate with the AGPM change management system.
MYTH: There is no formal training for AGPM
Fact: Microsoft has no formal AGPM training in any Microsoft Official Curricilum course that I'm aware of. However, in my Group Policy Master Classes (www.GPanswers.com/training) I cover all the ins and outs of AGPM. From installation, to working together as a team, to pitfalls and troubleshooting. If your team is considering an AGPM rollout, consider taking my battery of Group Policy training which includes AGPM training.
MYTH: All 3rd party Group Policy products are compatible with AGPM
There are a wide variety of 3rd party Group Policy products which extend Group Policy’s functionality. Do note, however, that not all 3rd party Group Policy extension products are compatible with AGPM. Specifically, AGPM works by performing backups of GPOs, then restoring them when necessary during rollback operations. If your 3rd party Group Policy product doesn’t play nicely with the built-in Group Policy backup and restore system, it likely won’t play nicely within AGPM.
Making sure your 3rd party Group Policy product works with AGPM is very important. The last thing you want to do is have a Group Policy change management system you use only 80% of the time, because it’s incompatible with a 3rd party Group Policy product you also need to use.
For an example video of a 3rd party utility (PolicyPak) that does play nicely within AGPM, check out this example video.
AGPM is powerful – for what it’s designed to do. That is, again, to enable teams of administrators to manage GPOs without stepping on each others’ toes.
AGPM is very simple to deploy and the architecture is easy to understand and manage.
However, remember AGPM doesn’t add super-powers to the desktop for increased settings delivery or lockdown functionality. To perform these kinds of super-powers you need 3rd party Group Policy extensions (and AGPM is not one.)
I hope this Myths and Facts guide helped you out.