Microsoft Desktop Optimization Pack (MDOP): Advanced Group Policy Management (AGPM)

• Author
• Recent Posts

Joseph Moody

Joseph Moody is a network admin for a public school system and helps manage 5,500 PCs. He is a Microsoft Most Valuable Professional (MVP) in Cloud and Datacenter Management and blogs at DeployHappiness.com.

Latest posts by Joseph Moody (see all)

• SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
• Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
• PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019

In terms of desktop management, Group Policy is the cornerstone of a Windows administrator’s arsenal. With Group Policy, you can deploy software, printers and drive mappings. You can configure default settings and manage client behavior. But how do you manage Group Policy? The built-in mechanics for managing Group Policy are simply inadequate for most organizations. Windows administrators either have complete access or no access by their addition and removal from the Group Policy Creator Owners Security Group. Further, Group Policy Object (GPO) management lacks in terms of change control, automated backups, and role based delegation. Microsoft’s Advanced Group Policy Management (AGPM) addresses all of these issues.

AGPM is comprised of a server side component and a client. The component will add a Change Control Node to the Group Policy Management Console (GPMC) on the AGPM server.

The Change Control node within the GPMC

When configuring the server side component, you will need to configure a Group Policy service account. This Active Directory account is placed in the Group Policy Creator Owners Security Group and acts as a middle-man between you and the GPOs. When your GPMC makes a request to edit a policy, the AGPM server checks to make sure your AD account has the correct permission to do so. Those changes are then made by the AGPM service account. These permissions are specified in the Domain Delegation tab within Change Control and are divided into four roles.

The Domain Delegation tab allows for the granular delegation of Group Policy Permissions.

These roles are: Full Control, Approver, Editor, and Reviewer.

The table outlines the permissions each role has.

By separating GPO management into distinct roles, IT administrators can properly delegate permissions accordingly. For example, a first level support personal would probably be granted the reviewer role. Second tier level support or Organizational Unit administrators would probably be given the Editor role, Approver role, or both. While only a few trusted individuals would have full control. The approval request field (under the Domain Delegation tab) even allows for automated requests to be sent to a group of approvers or administrators.

To make the GPMC easier to navigate, you can use the Production Delegation tab to give all helpdesk personal read. To ensure that Editors/Administrators cannot edit GPOs outside of the Change Control node, you should remove them from Group Policy Creator Owners and remove their ability to edit settings, delete, and modify security from the Production Delegation tab. Existing GPOs will need to have their Delegation permissions modified as well to ensure a consistent environment. To make this task easier, use the GrantPermissionOnAllGPOs script which is in the Group Policy script pack.

Once your GPOs have the correct Delegation permissions and your environment is setup according to the roles above, you can begin managing GPOs. One of the first tasks is to take Control of existing GPOs. In Change Control, under the Contents tab, exist all GPOs that AGPM is aware of. By default, all GPOs are left in the Uncontrolled node. To import a GPO (or multiple GPOs), highlight the object – right click – and select Control. This will move the GPO to the Controlled node.

Importing an Uncontrolled GPO

Once a GPO is in the Controlled node, you can then have a proper change control management of policies. The process of deploying a GPO is:

1. Creation

1. To create a new GPO, right click on Change Control and select “New Controlled GPO” where you will be prompted for a name and to add a comment.
2. If you are using anything beside the default empty GPO template, select it now.

The New Controlled GPO prompt allows for the creation of controlled policies.

2. Checking-Out

1. Before a policy is checked out, it is wise to import it from production. This ensures that any changes made to the live GPO in the past, such as linking to OUs, are kept when the GPO is deployed again.
2. This ensures that changes are documented and only one person is changing the policy at one time.
3. To check out a policy, right click the GPO and select Check Out.
4. An offline copy (beginning with AGPM) is created for editing. You can view this GPO under the Group Policy Objects Container.
   
   A checked out GPO under Group Policy Objects
5. If changes aren’t made, select Undo Check Out. This will delete the offline copy.

3. Applying security filtering/WMI filtering to the GPO

1. If you need to make a WMI filtering change, you can select the GPO under Group Policy Objects and set the WMI filter.
2. Security Filtering Scope options should be modified by going to Action and then properties (within the Group Policy Management Editor).

4. Editing the GPO: This is the same process without AGPM.

5. Checking-In

1. After editing, check back in the policy to merge changes. To do so, right click on the policy and select Check in.
2. Checking-In the policy allows for reports to be ran and for the GPO to be edited by another technician.

6. Request for Approval/Approval

7. Deployment

The Advanced Group Policy Management console solves many of the problems IT administrators have with Group Policy such as tracking changes, automatically backing up/restoring GPOs, and granular delegation of GPO management. Although it does require additional effort in configuration, the results are well worth it!