Wednesday, July 30, 2014

Overview of Advanced Group Policy Management

Abstract
By providing change control, offline editing, and role-based delegation, Microsoft® Advanced Group Policy Management (AGPM) can help you better manage Group Policy objects (GPOs) in your environment. AGPM is a key component of the Microsoft Desktop Optimization Pack (MDOP). AGPM 4.0 introduces support for searching, cross-forest management, and the latest Windows® operating systems. This white paper offers an overview of AGPM: its benefits, how it works, and how to evaluate it.

Contents

Imagine a tool that could help you take control of Group Policy. What would this tool do? It could help you delegate who can review, edit, approve, and deploy Group Policy objects (GPOs). It might help prevent widespread failures that can result from editing GPOs in production environments. You could use it to track each version of each GPO, just as developers use version control to track source code. Any tool that provided these capabilities, cost little, and was easy to deploy would certainly be worth a closer look.
Such a tool indeed exists, and it is an integral part of the Microsoft® Desktop Optimization Pack (MDOP) for Software Assurance. MDOP can help organizations reduce the cost of deploying applications, deliver applications as services, and better manage desktop configurations. Together, the MDOP applications shown in Figure 1 can give Software Assurance customers a highly cost-effective and flexible solution for managing desktop computers.
Figure 1. MDOP applications
Microsoft Advanced Group Policy Management (AGPM) is the MDOP application that can help customers overcome the challenges that can affect Group Policy management in any organization, particularly those with complex information technology (IT) environments. A robust delegation model, role-based administration, and change-request approval provide granular administrative control. For example, you can delegate Reviewer, Editor, and Approver roles to other users—even users who do not typically have access to production GPOs. (Editors can edit GPOs but cannot deploy them; Approvers can deploy GPO changes.)
AGPM can also help reduce the risk of widespread failures. You can use AGPM to edit GPOs offline, outside of the production environment, and then audit changes and easily find differences between GPO versions. In addition, AGPM supports effective change control by providing version tracking, history capture, and quick rollback of deployed GPO changes. It even supports a management workflow by allowing you to create GPO template libraries and send GPO change e-mail notifications.
This white paper describes the key features of AGPM, such as change control and role-based delegation. The paper then describes how Software Assurance customers can begin evaluating AGPM today.
The AGPM archive provides offline storage for GPOs. As Figure 2 shows, changes that you make to GPOs in the archive do not affect the production environment until you deploy the GPOs. By limiting changes to the archive, you can edit GPOs and test them in a safe environment, without affecting the production environment. After reviewing and approving the changes, you can then deploy them with the knowledge that you can quickly roll them back if they have an undesired effect.
Figure 2. Offline editing
AGPM has a server component (the AGPM Service) and a client component (the AGPM snap-in), each of which you install separately. First, you install Microsoft Advanced Group Policy Management - Server on a system that has access to the policies that you want to manage. Then, you install the Microsoft Advanced Group Policy Management - Client on any system from which Group Policy administrators will review, edit, and deploy GPOs.
The AGPM snap-in integrates completely with the Group Policy Management Console (GPMC), as Figure 3 shows. Click Change Control in the console tree to open AGPM in the details pane and to manage the AGPM archive on the Contents tab. Here, you can review, edit, and deploy controlled GPOs (that is, GPOs in the archive). You can also take control of uncontrolled GPOs (that is, GPOs that are not in the archive), approve pending changes, and manage GPO templates. On the Domain Delegation tab, AGPM Administrators (Full Control) delegate roles to AGPM users and configure e-mail notifications. Configure the AGPM Server connection on the AGPM Server tab. AGPM 3.0 introduced the Production Delegation tab, which AGPM Administrators can use to delegate permission to edit GPOs in the production environment.
Figure 3. AGPM integration with the GPMC
AGPM provides advanced change control features that can help you manage the lifecycle of GPOs. Many of the AGPM change control concepts will be familiar to administrators who have experience using common version-control tools, such as the version control feature in Microsoft Office SharePoint® Server 2007. The following steps are necessary to change and deploy a GPO:
1.      Check out the GPO from the archive.
2.      Edit the GPO as necessary.
3.      Check in the GPO to the archive.
4.      Deploy the GPO to production.
Change control means more than locking a GPO to prevent multiple users from changing it at the same time. AGPM keeps a history of changes for each GPO, as shown in Figure 4. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version if necessary. AGPM can also compare different versions of a GPO, showing added, changed, or deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. In addition, a complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
Figure 4. GPO history
Group Policy already provides a rich delegation model that allows you to delegate administration to regional and task-oriented administrators. However, Group Policy also lets administrators approve their own changes. In contrast, AGPM provides a role-based delegation model that adds a review and approval step to the workflow, as shown in Figure 5.
Figure 5. Role-based delegation
An AGPM Administrator has full control of the AGPM archive. In addition to the AGPM Administrator role, AGPM defines three special roles to support its delegation model:
·        Reviewer. Reviewers can view and compare GPOs. They cannot edit or deploy GPOs.
·        Editor. Editors can view and compare GPOs. They can also check out GPOs from the archive, edit GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO.
·        Approver. Approvers can approve the creation and deployment of GPOs. (When Approvers create or deploy a GPO, approval is automatic.)
As an AGPM Administrator, you can delegate these roles to users and groups for all controlled GPOs within the domain (domain delegation). For example, you can delegate the Reviewer role to users, allowing them to review any controlled GPO in the domain. You can also delegate these roles to users for individual controlled GPOs. Rather than allow users to edit any controlled GPO in the domain, for example, you can give them permission to edit a specific controlled GPO by delegating the Editor role for that GPO only.
AGPM 4.0 introduces the ability to filter the list of GPOs that it displays. For example, you can filter the list by name, status, or comment. You can even filter the list to show GPOs that were changed by a particular user or on a specific date. AGPM displays partial matches, and searches are not case sensitive.
AGPM supports complex search strings using the format column: string, where column is the name of the column by which to search and string is the string to match. For example, to display GPOs that were checked in by Jerry, type state: “checked in” changed by: Jerry in the Search box. Figure 6 shows another example. You can also filter the list by GPO attributes by using the format attribute: string, where attribute is the name of the GPO attribute to match. To display all GPOs that use the Windows® Management Instrumentation (WMI) filter called MyWMIFilter, type wmi filter: mywmifilter in the Search box.
Figure 6. Search example
When searching for GPOs, you can use special terms to search by date, dynamically. These special terms are the same terms that you can use when using Windows Explorer to search for files. For example, you can filter the list to display GPOs that were changed today, yesterday, this week, last week, and so on.
In addition to filtering, AGPM 4.0 also introduces cross-forest management. You can use the following process to copy a controlled GPO from a domain in one forest to a domain in a second forest:
1.      Export the GPO from a domain in the first forest to a CAB file, by using AGPM (Figure 7).
Figure 7. GPO export
2.      On a computer in a domain in the first forest, copy the CAB file to a portable storage device.
3.      Insert the portable storage device into a computer in a domain in the second forest.
4.      Import the GPO into the archive in a domain in the second forest, by using AGPM.
When you import the GPO into the second forest, you can import it as a new controlled GPO. You can also import it to replace the settings of an existing GPO that is checked out of the archive.
The obvious benefit of cross-forest management is testing. Combined with offline editing and change control, cross-forest management enables you to test GPOs in a controlled test environment (the first forest). After verifying the GPO, you can move it into the production environment (the second forest).
Three versions of AGPM are available: AGPM 2.5, AGPM 3.0, and AGPM 4.0. Each is incompatible with the others and supports different Windows operating systems. For more information about choosing the right version of AGPM for your environment and about the Windows operating systems that each supports, see Choosing Which Version of AGPM to Install.
AGPM 4.0 introduces support for Windows 7 and Windows Server® 2008 R2. Additionally, AGPM 4.0 still supports Windows Vista® with Service Pack 1 (SP1) and Windows Server 2008. Table 1 describes limitations in mixed environments that include newer and older Windows operating systems.
Table 1. Limitations in Mixed Environments
If the AGPM Server 4.0 runs on:
And the AGPM Client 4.0 runs on:
AGPM 4.0 is:
Windows Server 2008 R2 or Windows 7
Windows Server 2008 R2 or Windows 7
Supported
Windows Server 2008 R2 or Windows 7
Windows Server 2008 or
Windows Vista with SP1
Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Windows Server 2008 or
Windows Vista with SP1
Windows Server 2008 R2 or Windows 7
Unsupported
Windows Server 2008 or
Windows Vista with SP1
Windows Server 2008 or
Windows Vista with SP1
Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Forsyth County covers the Winston-Salem, North Carolina, metropolitan area. The county’s population of nearly 325,000 is located in a 410-square-mile area. The county’s IT department supports approximately 1,400 users and 1,650 desktop computers.
Forsyth County needed a solution for managing desktop computers—a solution that did not compromise server security, helped the County nimbly update desktop computer configurations, and provided a rich history of changes. Michael Wilcox, MIS client services supervisor, said, “I attended a seminar on Group Policy and learned about Microsoft Advanced Group Policy Management. I was impressed with how it could enhance the delegation capabilities for administrators.” Forsyth County went on to implement AGPM.
After deploying AGPM, Forsyth County immediately began realizing benefits. “It’s amazing. Managing our desktop configurations is so much easier. We’d be floundering without it,” Wilcox said. Using AGPM, the county can easily and safely build GPOs. It can create and change GPOs without affecting the production environment. Importantly, administrators at Forsyth County don’t need to manually document their changes, because AGPM keeps a rich history of such changes. According to Wilcox, “Advanced Group Policy Management has been like a magic bullet for us. Its automated change management and workflow-enabled delegation capabilities are impressive. I wouldn’t be able to manage GPOs without it.”
AGPM is an add-on license available only to Software Assurance customers. Begin your evaluation today:
·        Download and evaluate AGPM as part of MDOP
MDOP is available to Volume Licensing customers, Microsoft Development Network (MSDN®) subscribers, and Microsoft TechNet subscribers. The evaluation includes a step-by-step guide that walks you through most AGPM capabilities.
·        See Microsoft Desktop Optimization Pack on Microsoft.com
To learn how AGPM and MDOP for Software Assurance can help you better manage GPOs, see http://go.microsoft.com/fwlink/?LinkId=160297.
·        See Microsoft Desktop Optimization Pack on TechNet

For technical information about AGPM and MDOP for Software Assurance, see http://www.microsoft.com/technet/mdop on TechNet.

No comments:

Post a Comment