Advanced Group Policy Management V3

I was looking into AGPM v3 recently and thought that it would be good to put a reference to it on my Blog.   The challenging thing is, this is a great tool but you have to know about it first to then realise it!.

If you like Group Policies, then you will love this tool.  In brief, this will enable you to take group policy management out of Active Directory and into a separate database that you can strictly control.   This gives you the ability to have change control, historical version control, group policy comparison reports and a recycle bin for group polices too.  This is not a new tool, we are now on version 3 and it is rock solid.  

New features in AGPM 3.0 are:


Full x64 support

Both the client and server components fully support x64 architecture and operating systems. There is a 64 & 32 bit version of both the client and server. Wow64 is not be supported. This means that a 64-bit version of AGPM must be installed on a 64-bit version of the host Operating System and a 32-bit version of AGPM must be installed on a 32-bit version of AGPM. Communication between different bitness client and server is fully supported. This means that a 64-bit AGPM client can communicate with a 32-bit AGPM server and a 32-bit AGPM client can communicate with a 64-bit AGPM server.

Windows Vista SP1 & Windows Server 2008

Significant changes have been made to the GPMC in these OSs and AGPM depends on the GPMC interfaces extensively. Therefore this version of AGPM is only installable on Windows Vista SP1 with Remote Server Administration Toolkit (RSAT) or Windows Server 2008. Windows Vista SP1 does not have the GPMC integrated into the operating system. The GPMC needs to be installed on Windows Vista SP1 through an optional tool called RSAT prior to installing either the client or server.
Note: Although version 2.5 will still be available for customers who do not plan to upgrade to these operating systems, version 3.0 client or service will not communicate with the version 2.5 client or service.

Customizable permissions

Version 3.0 allows the permissions deployed to a GPO in production to be customized. The default permissions are the same as version 2.5, however, custom permissions can be configured for each domain. The permissions configured on the “Production Delegation” tab will replace any permission already on a production GPO when it is controlled or deployed from the AGPM server. Applying the above permissions to the production GPO when taken into AGPM control will prevent changes to production GPOs from outside of AGPM as soon as a GPO is controlled.

More robust change tracking

The AGPM history has been changed to track more changes made to GPOs such as when/who made a request, when/who Approved/Rejected the request, when/who made changes to AGPM delegation, etc.

Purge Historical data

This version gives the AGPM administrator the ability to purge old data by specifying on the AGPM Server tab how many historical versions to retain. Purging old data deletes the data (GPO backup) from the archive so this data is no longer be accessible. The information about the historical action is, however, retained in the history and an entry is recorded in the history that data was purged. This means that if a checked in GPO from 6 months ago was purged, reports, etc. cannot be run against it but the history view still shows that a check-in was performed.

Group Policy Preferences Support

This version fully supports the new Group Policy Preferences (GPP) functionality added to Windows Server 2008.

General UI improvements

Changes have been made to field names and ordering to better describe the information contained in the field. Additionally the order in which the fields are displayed has been changed to make more pertinent information easier to find.


Localized in 11 additional languages.

The above feature list was taken from Micheal Kieef’s blog (project manager for AGPM)  I highly recommend reading more from him :) and the other PM’s on Group Polices.  Check out: