Group Policy

Dive into Advanced Group Policy Management

Derek Melber


At a Glance:

  • AGPM installation and architecture
  • Offline editing of GPOs
  • Change management with AGPM
  • Disaster recovery

Microsoft very recently acquired DesktopStandard, a company that created a product that enables full management of Group Policy Objects. In my opinion, every enterprise that uses Active Directory should be running this tool—Advanced Group Policy Management (AGPM).

AGPM provides for offline editing of Group Policy Objects (GPOs), change management, workflow of updating policies, delegation, and much, much more. In this article, I'll delve into the inner workings of the tool, giving you an in-depth view of this amazing, exceedingly useful product.

Let me first give a little background. AGPM was initially known as GPOVault. After acquiring DesktopStandard, Microsoft renamed it AGPM and added it to the Microsoft® Desktop Optimization Pack (MDOP). You can currently only get MDOP if your Windows Vista® desktop licenses are covered by Microsoft Software Assurance.

Based on my experience with the tools included, I think the MDOP is by far one of the most impressive offerings from Microsoft in recent memory. MDOP comes with five different tools, each of which is impressive individually, and together they create a most remarkable and valuable toolset. For more information about MDOP, please refer to the MDOP Web site:

AGPM Installation and Architecture

AGPM installation has been designed to be very slim and easy—it consists of a server component and a client (administrative) component. The server component should be installed on a member server in the domain; it does not alter Active Directory®, the schema, or any other directory service. AGPM can be installed on a domain controller if the situation requires it.

The server installation will install a service that requires a domain-based service account from which AGPM accesses the live production Group Policy Objects on the behalf of the user. The installation also requires that there be an AGPM Admin, which will control all of the settings within AGPM, such as delegation and initial GPO management.

The client must be installed on a computer running Windows Vista where normal administrative functions already occur, most likely on the desktop of the administrators of the network and Active Directory. The client now needs to point the AGPM settings to the AGPM server and the connection to the archive is made. The AGPM client uses the Group Policy Management Console (GPMC) interface and shows up as the Change Control node, as shown in Figure 1.

Figure 1 AGPM is fully integrated into the GPMC for ease of use

Figure 1 AGPM is fully integrated into the GPMC for ease of use (Click the image for a larger view)

The files that the AGPM client will access are stored in a basic file format on the AGPM server. This is the simplest method for storing these files and makes for easy backup of the entire AGPM archive. Most AGPM functions use the built-in GPMC APIs, which again makes for seamless integration and use of the product. AGPM does not use a database; it stores the GPOs in a single folder and a manifest controls the correlation of all GPOs to the parent GPO within the archive. This ensures that all GPOs have a unique GUID, but when placed into production, the correct GUID is associated with the GPO at deployment.

AGPM Offline Editing

The most basic feature of AGPM is the ability to take the editing of GPOs offline, away from the production environment. It is a well-known issue that editing the GPOs using the default GPMC can result in errant settings being immediately pushed into the production environment, potentially causing disastrous results.

The APGM handles editing of GPOs offline by "controlling" the GPOs. A controlled GPO, as shown in Figure 2, is one that can be edited offline without causing any intrusion on the production environment.

Figure 2 Controlled GPOs are stored in the AGPM archive and can be edited offline

Figure 2 Controlled GPOs are stored in the AGPM archive and can be edited offline (Click the image for a larger view)

Controlling a GPO is very simple. The uncontrolled GPOs, as shown in Figure 3, list all GPOs that are not yet associated with the AGPM archive. Right-clicking any one of these GPOs provides a menu, which includes Control. Selecting the Control menu option will copy the GPO from the production location (the system volume, or SYSVOL, share on the domain controller) and place it in the AGPM archive. Multiple GPOs can be controlled; just hold down the Shift or Control key when selecting the GPOs to obtain the correct list of GPOs that you want to control, and then right-click to access the Control menu option. You still edit controlled GPOs using the Group Policy Object Editor (GPOE). This is just another way that AGPM has been fully integrated into the GPMC.

Figure 3 Uncontrolled GPOs are placed in the archive by selecting the Control menu option

Figure 3 Uncontrolled GPOs are placed in the archive by selecting the Control menu option (Click the image for a larger view)

AGPM Delegation of Administration

Let's look at how AGPM handles delegation by first examining how you can delegate GPO administration using the GPMC. Within the GPMC, you have five different delegation tasks you can grant to a user: Create GPO, Link GPO, Edit GPO, Manage GPO, and Read GPO.

All of these delegations are completed within the GPMC interface. They are all controlled by the users and groups that are listed on the Delegation tabs associated with the different nodes within the GPMC. The delegations we are concerned about are those that allow the creation of new GPOs, as well as the editing and management of existing GPOs.

The creation of GPOs within the GPMC is handled by the Delegation tab associated with the Group Policy Objects node, as shown in Figure 4. Once you have AGPM installed, you will be able to remove all users and groups from the list of those who have access to create GPOs. (There's no need to remove system, computers, or computer groups from the Delegation tab to create GPOs.) The creation of GPOs will now be handled by the service account controlling the AGPM service. This account will be granted the delegation to create GPOs on behalf of all users and groups that are granted Create GPOs and Deploy delegations from within AGPM.

Figure 4 Creation of GPOs is controlled by the list of accounts on the Delegation tab on the Group Policy Objects node in the GPMC

Figure 4 Creation of GPOs is controlled by the list of accounts on the Delegation tab on the Group Policy Objects node in the GPMC (Click the image for a larger view)

This new ability to create GPOs allows for separation of duties and protects the production network. Ideally, GPOs are created, configured, and verified before they're deployed from the AGPM environment to production. There should rarely be any errant configurations pushed out like there are today without AGPM.

For the delegation related to editing or management of GPOs, the story is similar. Within the GPMC, these delegations are configured on the Delegation tab associated with each GPO, as shown in Figure 5.

Figure 5 Editing and managing GPOs is associated with each GPO individually

Figure 5 Editing and managing GPOs is associated with each GPO individually (Click the image for a larger view)

Once AGPM is installed, these delegations need to be removed from each GPO listed under the Group Policy Objects node. This will restrict all administrators from editing GPOs from outside of the AGPM. In essence, this channels all administration of GPOs to the AGPM, where tasks like offline editing, change management, and disaster recovery are possible.

The removal of users and groups from editing GPOs outside of the AGPM is a manual process. The installation and configuration of AGPM does not remove any user or group from editing GPOs in the production environment. Since the service account controlling the AGPM service will be performing the actions on behalf of the users modifying production GPOs from AGPM, there does not need to be any user or user group listed on the Delegation tab for each GPO. (Computer and computer groups should not be removed from these delegation tabs.)

After all delegations for editing a GPO within the GPMC are removed, all admins will be denied the ability to edit a GPO from the GPMC, as shown in Figure 6.

Figure 6 Admins can't edit GPOs from the GPMC once they are denied delegation for this action

Figure 6 Admins can't edit GPOs from the GPMC once they are denied delegation for this action (Click the image for a larger view)

To finalize the configuration, all admins who need to edit GPOs must be added to the appropriate Access Control Lists (ACLs) within AGPM. If an admin needs to be able to edit all GPOs that are in the archive, his user account should be added to a group that has been granted editing capabilities at the domain level within AGPM, as shown in Figure 7. If an administrator should be limited to editing a few GPOs within the AGPM archive, this configuration should occur at each GPO (see Figure 8).

Figure 7 Domain Delegation tab allows for configuration of editing all GPOs in the archive

Figure 7 Domain Delegation tab allows for configuration of editing all GPOs in the archive (Click the image for a larger view)

Figure 8 Editing of individual GPOs needs to be configured on the ACL of that GPO

Figure 8 Editing of individual GPOs needs to be configured on the ACL of that GPO (Click the image for a larger view)

AGPM GPO Change Management

One of the incredible benefits of AGPM is the ability to track all changes that are made to GPOs within the archive. As this is an automated process, it doesn't need to be set up, configured, or managed. The tracking of all changes occurs in the background when GPOs are managed through the AGPM Client interface.

This is a significant enhancement to the way the default GPMC handles GPO management. Within the default GPMC, there are no automated, or even built-in, capabilities for tracking changes to GPOs. This has been a major complaint of most Group Policy administrators over the years and the problem is now eliminated.

The AGPM change management feature tracks all essential modifications that could occur to a GPO. Along with the changes that are made to the GPO, the change management system will also help in an auditing or overall admin tracking situation. The change management system will monitor, track, and document the following specifics per GPO edit and change: date and time the GPO was modified, user who made the change, original GPO settings, and modifications to the GPO settings.

Since the tracking of all changes is seamless, it is important to know what actions trigger the automated tracking. Within the AGPM Client interface, you can right-click on a GPO under the Controlled tab, then select the Check-out menu option, as shown in Figure 9.

Figure 9 Checking out a GPO will trigger the automated process to track changes

Figure 9 Checking out a GPO will trigger the automated process to track changes (Click the image for a larger view)

This procedure must be followed to edit the GPO, which I'll discuss in the next section. Even if a GPO is checked out and immediately checked back in without any changes, there will be an archive made of that action. Since GPOs are so integral to the enterprise, the tool tracks even the possibility of a change occurring.

The Check-out procedure is forced within AGPM because there must be a mechanism that tracks GPO changes to the specific admin who made the change. Two admins cannot check out the same GPO at the same time. If an admin checks out the GPO and then fails to check it back in, there is a built-in mechanism that allows the AGPM admin to check it back in.

AGPM GPO Editing

As long as the AGPM client is installed, you can access the AGPM archive. Once delegation for editing or Full Control is granted within the AGPM tool, you will be able to edit stored GPOs. After a GPO is checked out, it can be edited by right-clicking on the GPO and selecting the Edit menu option. (Note: if you can only edit some of the GPOs within the AGPM archive, you may have only been granted delegated capabilities over some of the GPOs, not for all GPOs within the archive.)

With the acquisition of DesktopStandard, Microsoft also acquired PolicyMaker, now renamed Group Policy Preferences. This set of Group Policy features is included in the GPMC that will ship with Windows Server® 2008. Group Policy Preferences enables the administrator to configure applications or Windows components not ordinarily configurable via Group Policy, as well apply it to certain users or computers based on a very rich set of targeting rules. Group Policy Preferences is fully integrated with GPMC and AGPM in Windows Server 2008.

AGPM GPO Deployment

AGPM was designed with efficiency and workflow in mind. As GPO management is now more stable and controlled using AGPM, it makes sense to have admins who have the ability only to edit a GPO, but not deploy it to production. Within AGPM, this is controlled very smoothly with the interface, dialog boxes, and work mechanisms. For instance, if an admin with edit-only rights attempts to deploy a GPO, the system will block it. The admin will then be shown a dialog box for communication with an administrator who does have the deploy delegated permission. This workflow feature will both send an e-mail to the To: and CC: recipients and place the GPO in a unique state. That unique state can be found under the Pending tab in the AGPM interface. Here the GPO is flagged as "Pending Deploy," which gives the administrators a quick view into the status of each and every GPO that has had actions performed on it.

To deploy a GPO that is pending, an AGPM admin who has the deploy delegation can simply right-click on the GPO and select the Approve menu option. If the GPO needs to be deployed and is listed in the Controlled, rather than Pending, tab, the same admin needs only to right-click on the GPO and select Deploy. Since this delegated permission is granted already, the GPO will immediately be deployed to production.

AGPM GPO Settings Report and Comparisons

The GPMC interface has a powerful Settings dialog, accessed through a tab of the same name. This Settings dialog provides a thorough view of all settings that are configured in the GPO, helping you make sense of which of the almost 3000 group policy settings have been configured.

Since AGPM provides an archive of the modified GPOs, the Settings tab in the GPMC will not give you the ability to see the settings configured in edited GPOs. Instead, the AGPM interface provides an alternate solution to this feature, as well as much more.

To see the settings in any GPO, it is beneficial to first view the historical list of all changes. To get this view, double-click on any GPO within the Controlled tab in AGPM. From this interface, you can right-click on any GPO version and select the Settings Report. This will create a report of all settings that are configured in that version of the GPO. The report is a friendly HTML file, though it can also be created in an XML format.

Although this is useful, handier still is the ability to compare two versions of the same GPO. With this feature, you can see what has changed from one version to the other, or compare two completely different versions of the same GPO. (This is also very useful when you have a GPO that's pending deployment, since it lets you see the differences between the pending GPO and the production GPO.) To see this report, you highlight two different GPOs in the history view, then right-click on one of them.

The color coding in the difference report is extremely useful, especially when you want to verify what has changed in a pending GPO before you deploy it. Settings highlighted in red were deleted from the production GPO and are no longer available in the pending GPO. Blue settings were changed, and green settings are new changes that exist in the pending GPO, but not the production GPO.

This feature of AGPM can save many hours of laborious manual comparisons of GPO settings. It is also a perfect way to document the GPOs over time—every version can be reported and printed.

AGPM GPO Disaster Recovery

A single change to a GPO can create havoc for one or more computers on your network. With the default GPMC, this type of errant configuration can be corrected—if the proper manual measures were taken to make backups of the GPO both before and after the changes were made to the production GPO. If no backups were made, then recovering from this disaster is not as simple as one might think.

AGPM handles this easily. Since there are complete backups of all GPOs throughout the GPO history, you can easily open up the history of the GPO and select which GPO version you want to redeploy.

With AGPM, your management of Group Policy becomes quite seamless. For years, administrators have wanted the ability to control and manage GPOs offline. AGPM provides this feature with grace and elegance. AGPM also provides a very robust change management solution, which not only tracks the key areas of a changed GPO, but also provides for easy GPO comparisons and disaster recovery. The delegation model that is built into AGPM allows you to channel all administrators into the AGPM for all edits to GPOs, which provides automated backups of GPO changes and removes any production GPO mishaps. This service has so many features that it's impossible to discuss them all here, but the AGMP manual provides a great deal of information about templates, node link recovery, SMTP configuration, and much more.

Derek Melber is an independent consultant, trainer, and author. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security, and desktop management. Derek regularly contributes to online and print publications, and has written more than 10 technology books, including The Microsoft Windows Group Policy Guide (Microsoft Press, 2005). You can reach Derek at

© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.