By providing change
control, offline editing, and role-based delegation, Microsoft® Advanced Group Policy Management
(AGPM) can help you better manage Group Policy objects (GPOs) in your environment.
AGPM is a key component of the Microsoft Desktop Optimization Pack (MDOP). AGPM
4.0 introduces support for searching, cross-forest management, and the latest
Windows® operating systems. This white paper
offers an overview of AGPM: its benefits, how it works, and how to evaluate it.
Imagine a tool that could help you take control of Group
Policy. What would this tool do? It could help you delegate who can review,
edit, approve, and deploy Group Policy objects (GPOs). It might help prevent
widespread failures that can result from editing GPOs in production
environments. You could use it to track each version of each GPO, just as developers
use version control to track source code. Any tool that provided these
capabilities, cost little, and was easy to deploy would certainly be worth a
closer look.
Such a tool indeed exists, and it is an integral part of the
Microsoft®
Desktop Optimization Pack (MDOP) for Software Assurance. MDOP can help
organizations reduce the cost of deploying applications, deliver applications
as services, and better manage desktop configurations. Together, the MDOP applications
shown in Figure 1 can give Software Assurance customers a highly cost-effective
and flexible solution for managing desktop computers.
Figure 1. MDOP applications
Microsoft Advanced Group Policy Management (AGPM) is the MDOP
application that can help customers overcome the challenges that can affect
Group Policy management in any organization, particularly those with complex
information technology (IT) environments. A robust delegation model, role-based
administration, and change-request approval provide granular administrative
control. For example, you can delegate Reviewer, Editor, and Approver roles to
other users, including users who do not typically have access to production GPOs;
the AGPM Service carries out the production operations on their behalf, so they
never need rights on the live GPOs themselves. (Editors can edit GPOs but cannot
deploy them; Approvers can deploy GPO changes.)
AGPM can also help reduce the risk of widespread failures.
You can use AGPM to edit GPOs offline, outside of the production environment,
and then audit changes and easily find differences between GPO versions. In
addition, AGPM supports effective change control by providing version tracking,
history capture, and quick rollback of deployed GPO changes. It even supports a
management workflow by allowing you to create GPO template libraries and send
GPO change e-mail notifications.
This white paper describes the key features of AGPM, such as
change control and role-based delegation. The paper then describes how Software
Assurance customers can begin evaluating AGPM today.
The AGPM archive provides offline storage for GPOs. As
Figure 2 shows, changes that you make to GPOs in the archive do not affect the
production environment until you deploy the GPOs. By limiting changes to the
archive, you can edit GPOs and test them in a safe environment, without
affecting the production environment. After reviewing and approving the
changes, you can then deploy them with the knowledge that you can quickly roll
them back if they have an undesired effect.
Figure 2. Offline editing
AGPM has a server component (the AGPM Service) and a client
component (the AGPM snap-in), each of which you install separately. First, you
install Microsoft Advanced Group Policy Management - Server on a system that
has access to the policies that you want to manage. The AGPM Service runs under
a service account that holds the rights to create and modify production GPOs,
so that account, and the server that hosts the archive, warrant the same
protection as a domain administrator account. Then, you install the Microsoft
Advanced Group Policy Management - Client on any system from which Group Policy
administrators will review, edit, and deploy GPOs.
The AGPM snap-in integrates completely with the Group Policy
Management Console (GPMC), as Figure 3 shows. Click Change Control in the console tree to open AGPM in the details pane
and to manage the AGPM archive on the Contents
tab. Here, you can review, edit, and deploy controlled GPOs (that is, GPOs in
the archive). You can also take control of uncontrolled GPOs (that is, GPOs that
are not in the archive), approve pending changes, and manage GPO templates. On
the Domain Delegation tab, AGPM
Administrators (Full Control) delegate roles to AGPM users and configure e-mail
notifications. Configure the AGPM Server connection on the AGPM Server tab. AGPM 3.0 introduced the Production Delegation tab, which AGPM Administrators can use to
delegate permission to edit GPOs in the production environment.
Figure 3. AGPM integration with the GPMC
AGPM provides advanced change control features that can help
you manage the lifecycle of GPOs. Many of the AGPM change control concepts will
be familiar to administrators who have experience using common version-control
tools, such as the version control feature in Microsoft Office SharePoint®
Server 2007. The following steps are necessary to change and deploy a GPO:
1. Check out the GPO from the archive.
2. Edit the GPO as necessary.
3. Check in the GPO to the archive.
4. Deploy the GPO to production.
Change control means more than locking a GPO to prevent multiple
users from changing it at the same time. AGPM keeps a history of changes for
each GPO, as shown in Figure 4. You can deploy any version of a GPO to
production, so you can quickly roll back a GPO to an earlier version if necessary.
AGPM can also compare different versions of a GPO, showing added, changed, or
deleted settings. Therefore, you can easily review changes before approving and
deploying them to the production environment. In addition, a complete history
of each GPO enables you to audit not only changes but also all activities
related to that GPO.
Figure 4. GPO history
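The history and difference report described above are produced by the AGPM snap-in. As an added example that is not part of the white paper and not AGPM's own code, the script below approximates the same two capabilities (keeping every version of a GPO, and showing what changed between two versions) with the Windows GroupPolicy PowerShell module that ships with Windows Server 2008 R2 and RSAT. The GPO name and the archive share are placeholders.

```powershell
# Added example (not from the AGPM white paper): per-GPO version history and a
# settings diff using the GroupPolicy module. Requires read access to the GPO
# for the backup and report, and edit rights for the rollback at the end.
Import-Module GroupPolicy

# Assumed names: placeholder GPO and archive location.
$GpoName     = 'Workstation Baseline'
$ArchiveRoot = '\\fs01\gpo-archive'

function Save-GpoVersion {
    # Back up the GPO into a timestamped folder and keep an XML settings
    # report beside it so that any two versions can be compared later.
    param([string]$Name, [string]$Root)
    $version = Join-Path $Root ("{0}\{1:yyyyMMdd-HHmmss}" -f $Name, (Get-Date))
    New-Item -ItemType Directory -Path $version -Force | Out-Null
    Backup-GPO -Name $Name -Path $version -Comment "Saved by $env:USERNAME" | Out-Null
    Get-GPOReport -Name $Name -ReportType Xml -Path (Join-Path $version 'settings.xml')
    return $version
}

function Compare-GpoVersion {
    # Line-level diff of two saved XML reports: '=>' marks lines present only
    # in the newer version, '<=' lines present only in the older one.
    # <ReadTime> changes on every report, so it is filtered out as noise.
    param([string]$Older, [string]$Newer)
    $a = Get-Content (Join-Path $Older 'settings.xml')
    $b = Get-Content (Join-Path $Newer 'settings.xml')
    Compare-Object -ReferenceObject $a -DifferenceObject $b |
        Where-Object { $_.InputObject -notmatch '<ReadTime>' -and $_.InputObject.Trim() -ne '' } |
        Select-Object @{ n = 'Change';  e = { $_.SideIndicator } },
                      @{ n = 'Setting'; e = { $_.InputObject.Trim() } }
}

$v1 = Save-GpoVersion -Name $GpoName -Root $ArchiveRoot
# ... edit the GPO in the GPMC, then capture the next version ...
$v2 = Save-GpoVersion -Name $GpoName -Root $ArchiveRoot
Compare-GpoVersion -Older $v1 -Newer $v2 | Format-Table -AutoSize

# Rollback: restore the earlier backup over the live GPO.
Restore-GPO -Name $GpoName -Path $v1
```

The diff is textual, not semantic: a setting that moves within the report shows up as a removal plus an addition, and AGPM's own difference report, which understands the settings, is the better tool where it is available. The point of the script is the workflow the paper describes, a version captured before and after each change and a rollback target that is a known-good copy rather than a memory of what the GPO used to contain.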
Group Policy already provides a rich delegation model that
allows you to delegate administration to regional and task-oriented administrators.
However, that model grants edit rights directly on production GPOs, so an
administrator who can edit a GPO can also put the change into effect, with no
one else reviewing or approving it. In contrast, AGPM provides a role-based
delegation model that adds a review and approval step to the workflow, as
shown in Figure 5.
Figure 5. Role-based delegation
An AGPM Administrator has full control of the AGPM archive.
In addition to the AGPM Administrator role, AGPM defines three special roles to
support its delegation model:
· Reviewer. Reviewers can view and compare GPOs. They cannot edit or deploy GPOs.
· Editor. Editors can view and compare GPOs. They can also check out GPOs from the archive, edit GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO.
· Approver. Approvers can approve the creation and deployment of GPOs. (When Approvers create or deploy a GPO, approval is automatic.)
As an AGPM Administrator, you can delegate these roles to
users and groups for all controlled GPOs within the domain (domain delegation).
For example, you can delegate the Reviewer role to users, allowing them to
review any controlled GPO in the domain. You can also delegate these roles to
users for individual controlled GPOs. Rather than allow users to edit any
controlled GPO in the domain, for example, you can give them permission to edit
a specific controlled GPO by delegating the Editor role for that GPO only.
AGPM 4.0 introduces the ability to filter the list of GPOs that
it displays. For example, you can filter the list by name, status, or comment.
You can even filter the list to show GPOs that were changed by a particular
user or on a specific date. AGPM displays partial matches, and searches are not
case sensitive.
AGPM supports complex search strings using the format column: string, where column is
the name of the column by which to search and string is the string to match. A
search string can contain several such terms, and a GPO is listed only if it
matches all of them. For example, to display GPOs that were checked in by
Jerry, type state: "checked in" changed by: Jerry in the Search box. Figure 6
shows another example. You can also filter the list by GPO attributes by using
the format attribute: string, where attribute is the name of the GPO attribute
to match. To display all GPOs that use the Windows® Management Instrumentation
(WMI) filter called MyWMIFilter, type wmi filter: mywmifilter in the Search
box.
Figure 6. Search example
When searching for GPOs, you can use special terms to search
by date, dynamically. These special terms are the same terms that you can use
when using Windows Explorer to search for files. For example, you can filter
the list to display GPOs that were changed today, yesterday, this week, last
week, and so on.
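To make the search syntax described above concrete, the following is an added example, not code from the white paper or from AGPM: a small parser for the column: string format that applies the same rules the snap-in is described as using (terms combined with AND, partial matches, case-insensitive, relative date terms) to a constructed list of GPO records. The column names and sample records are assumptions for illustration.

```powershell
# Added example (not AGPM code): parse and apply "column: string" search terms
# over constructed GPO records standing in for the Contents tab list.

$SampleGpos = @(   # constructed data, not from a real domain
    [pscustomobject]@{ Name='Workstation Baseline'; State='Checked in';  ChangedBy='CONTOSO\jerry'; Changed=(Get-Date).Date;              Comment='Q3 hardening';   WmiFilter='MyWMIFilter' }
    [pscustomobject]@{ Name='Server Baseline';      State='Checked out'; ChangedBy='CONTOSO\anna';  Changed=(Get-Date).Date.AddDays(-1);  Comment='pending review'; WmiFilter='' }
    [pscustomobject]@{ Name='Laptop BitLocker';     State='Checked in';  ChangedBy='CONTOSO\jerry'; Changed=(Get-Date).Date.AddDays(-10); Comment='';               WmiFilter='Laptops' }
)

# Column names as typed in the Search box -> record properties (assumed set).
$ColumnMap = @{
    'name' = 'Name'; 'state' = 'State'; 'changed by' = 'ChangedBy'
    'changed' = 'Changed'; 'comment' = 'Comment'; 'wmi filter' = 'WmiFilter'
}

function ConvertTo-SearchTerm {
    # Splits 'state: "checked in" changed by: Jerry' into (Column, Value) pairs.
    # A column is the text before a colon; a value is a quoted string (straight
    # or curly quotes) or one bare word, so multi-word values must be quoted.
    param([string]$Query)
    $pattern = '(?<col>[A-Za-z][A-Za-z ]*?)\s*:\s*(?:["“”](?<qv>[^"“”]*)["“”]|(?<bv>\S+))'
    foreach ($m in [regex]::Matches($Query, $pattern)) {
        $value = if ($m.Groups['qv'].Success) { $m.Groups['qv'].Value } else { $m.Groups['bv'].Value }
        [pscustomobject]@{ Column = $m.Groups['col'].Value.Trim().ToLower(); Value = $value }
    }
}

function Test-DateTerm {
    # Relative date terms in the style of Windows Explorer search. Weeks are
    # taken to start on Sunday here (an assumption; Explorer follows the
    # regional setting). Anything else is matched as text against the date.
    param([datetime]$Date, [string]$Term)
    $today       = (Get-Date).Date
    $startOfWeek = $today.AddDays(-1 * [int]$today.DayOfWeek)
    switch ($Term.ToLower()) {
        'today'     { return $Date.Date -eq $today }
        'yesterday' { return $Date.Date -eq $today.AddDays(-1) }
        'this week' { return $Date.Date -ge $startOfWeek -and $Date.Date -le $today }
        'last week' { return $Date.Date -ge $startOfWeek.AddDays(-7) -and $Date.Date -lt $startOfWeek }
        default     { return $Date.ToString('d').IndexOf($Term, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
    }
}

function Find-Gpo {
    # Every term must match (AND). Text matches are partial and
    # case-insensitive; the Changed column goes through Test-DateTerm.
    param([object[]]$Gpos, [string]$Query)
    $terms = @(ConvertTo-SearchTerm -Query $Query)
    foreach ($gpo in $Gpos) {
        $ok = $true
        foreach ($t in $terms) {
            $prop = $ColumnMap[$t.Column]
            if (-not $prop) { throw "Unknown column '$($t.Column)'" }
            $match = if ($prop -eq 'Changed') { Test-DateTerm -Date $gpo.Changed -Term $t.Value }
                     else { "$($gpo.$prop)".IndexOf($t.Value, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 }
            if (-not $match) { $ok = $false; break }
        }
        if ($ok) { $gpo }
    }
}

# The two searches from the text, plus a relative-date search.
Find-Gpo -Gpos $SampleGpos -Query 'state: "checked in" changed by: Jerry' | Select-Object Name, State, ChangedBy
Find-Gpo -Gpos $SampleGpos -Query 'wmi filter: mywmifilter'               | Select-Object Name, WmiFilter
Find-Gpo -Gpos $SampleGpos -Query 'changed: yesterday'                    | Select-Object Name, Changed
```

Against the constructed records, the first search returns Workstation Baseline and Laptop BitLocker, the second only Workstation Baseline, and the third only Server Baseline. The matcher uses IndexOf rather than the -like operator so that characters such as [ in a GPO name are not taken as wildcards.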
In addition to filtering, AGPM 4.0 also introduces
cross-forest management. You can use the following process to copy a controlled
GPO from a domain in one forest to a domain in a second forest:
1. Export the GPO from a domain in the first forest to a CAB file, by using AGPM (Figure 7).
Figure 7. GPO export
2. On a computer in a domain in the first forest, copy the CAB file to a portable storage device.
3. Insert the portable storage device into a computer in a domain in the second forest.
4. Import the GPO into the archive in a domain in the second forest, by using AGPM.
When you import the GPO into the second forest, you can
import it as a new controlled GPO. You can also import it to replace the
settings of an existing GPO that is checked out of the archive.
The obvious benefit of cross-forest management is testing.
Combined with offline editing and change control, cross-forest management enables
you to test GPOs in a controlled test environment (the first forest). After
verifying the GPO, you can move it into the production environment (the second
forest).
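One check a practitioner wants before promoting a GPO from a test forest is whether any of its settings name objects that exist only in the test forest: group names in Restricted Groups or user rights assignments, and UNC paths to test file servers. Those references do not resolve in production unless they are remapped. The following is an added example, not the white paper's procedure and not AGPM code: it carries a GPO across forests with the Windows GroupPolicy module (Backup-GPO and Import-GPO) and applies a migration table during the import. Domain names, server names, paths, the GPO name, and the table entries are placeholders.

```powershell
# Added example (not from the AGPM white paper): test-forest to production-forest
# GPO transfer with the GroupPolicy module and a migration table. AGPM's own
# export/import goes through the snap-in and a CAB file; this script shows the
# same transfer with native cmdlets so the principal/path remapping is visible.
Import-Module GroupPolicy

# --- Test forest (run here) ---
$GpoName = 'Workstation Baseline'          # placeholder
$Stage   = 'D:\gpo-transfer'               # copied to removable media afterwards
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
Backup-GPO -Name $GpoName -Domain 'test.contoso.local' -Path $Stage -Comment 'Verified in test' | Out-Null

# --- Production forest (run here after copying $Stage across) ---
$Stage    = 'D:\gpo-transfer'
$MigTable = Join-Path $Stage 'test-to-prod.migtable'

# Migration table in the format the GPMC Migration Table Editor writes; the
# mappings below are placeholders. Building the table with the editor (which
# can populate Source entries from the backup) avoids typing errors.
@"
<?xml version="1.0" encoding="utf-16"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Desktop Admins@test.contoso.local</Source>
    <Destination>Desktop Admins@corp.contoso.com</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\testfs\scripts</Source>
    <Destination>\\prodfs\scripts</Destination>
  </Mapping>
</MigrationTable>
"@ | Set-Content -Path $MigTable -Encoding Unicode

# Import into a new (or existing) production GPO with references remapped.
Import-GPO -BackupGpoName $GpoName -Path $Stage `
           -TargetName $GpoName -Domain 'corp.contoso.com' -CreateIfNeeded `
           -MigrationTable $MigTable | Out-Null

# Review the imported settings before linking the GPO anywhere.
Get-GPOReport -Name $GpoName -Domain 'corp.contoso.com' -ReportType Html `
              -Path (Join-Path $Stage 'imported.html')
```

Import-GPO replaces the settings of the target GPO with those from the backup, which matches the "replace the settings of an existing GPO" behaviour described for AGPM's import, so run it against a GPO that is not yet linked, or against the production archive copy, rather than a live linked GPO.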
Three versions of AGPM are available: AGPM 2.5, AGPM 3.0,
and AGPM 4.0. Each is incompatible with the others and supports different
Windows operating systems. For more information about choosing the right
version of AGPM for your environment and about the Windows operating systems
that each supports, see Choosing Which Version of AGPM to Install.
AGPM 4.0 introduces support for Windows 7 and Windows Server® 2008 R2. Additionally, AGPM 4.0
still supports Windows Vista®
with Service Pack 1 (SP1) and Windows Server 2008. Table 1 describes
limitations in mixed environments that include newer and older Windows
operating systems.
Table 1. Limitations in Mixed Environments

| If the AGPM Server 4.0 runs on: | And the AGPM Client 4.0 runs on: | AGPM 4.0 is: |
|---|---|---|
| Windows Server 2008 R2 or Windows 7 | Windows Server 2008 R2 or Windows 7 | Supported |
| Windows Server 2008 R2 or Windows 7 | Windows Server 2008 or Windows Vista with SP1 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7 |
| Windows Server 2008 or Windows Vista with SP1 | Windows Server 2008 R2 or Windows 7 | Unsupported |
| Windows Server 2008 or Windows Vista with SP1 | Windows Server 2008 or Windows Vista with SP1 | Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7 |
Forsyth County covers the Winston-Salem, North Carolina,
metropolitan area. The county’s population of nearly 325,000 is located in a
410-square-mile area. The
county’s IT department supports approximately 1,400 users and 1,650 desktop
computers.
Forsyth County needed a solution for managing desktop
computers—a solution that did not compromise server security, helped the County
nimbly update desktop computer configurations, and provided a rich history of
changes. Michael Wilcox, MIS client services supervisor, said, “I attended a
seminar on Group Policy and learned about Microsoft Advanced Group Policy
Management. I was impressed with how it could enhance the delegation
capabilities for administrators.” Forsyth County went on to implement AGPM.
After deploying AGPM, Forsyth County immediately began
realizing benefits. “It’s amazing. Managing our desktop configurations is so
much easier. We’d be floundering without it,” Wilcox said. Using AGPM, the
county can easily and safely build GPOs. It can create and change GPOs without
affecting the production environment. Importantly, administrators at Forsyth
County don’t need to manually document their changes, because AGPM keeps a rich
history of such changes. According to Wilcox, “Advanced Group Policy Management
has been like a magic bullet for us. Its automated change management and
workflow-enabled delegation capabilities are impressive. I wouldn’t be able to
manage GPOs without it.”
AGPM is an add-on license available only to Software
Assurance customers. Begin your evaluation today:
· Download and evaluate AGPM as part of MDOP. MDOP is available to Volume Licensing customers, Microsoft Development Network (MSDN®) subscribers, and Microsoft TechNet subscribers. The evaluation includes a step-by-step guide that walks you through most AGPM capabilities.
· See Microsoft Desktop Optimization Pack on Microsoft.com. To learn how AGPM and MDOP for Software Assurance can help you better manage GPOs, see http://go.microsoft.com/fwlink/?LinkId=160297.
· See Microsoft Desktop Optimization Pack on TechNet. For technical information about AGPM and MDOP for Software Assurance, see http://www.microsoft.com/technet/mdop on TechNet.