Executive Summary:

Group Policy Management Console (GPMC) can't manage, control, and track the changes made by multiple administrators. This is where Microsoft Advanced Group Policy Management (AGPM), previously DesktopStandard's GPOVault Enterprise, comes in. AGPM is now part of the Microsoft Desktop Optimization Pack (MDOP), which is available at no extra cost to Windows Software Assurance (SA) customers. Essentially an extension for GPMC, AGPM provides features such as the ability to check GPOs in and out for editing and the ability to compare two versions of a GPO.

Few would disagree that Group Policy is one of the killer features of Active Directory (AD). However, one of the problems with Group Policy since it was introduced as part of Windows 2000 Server has been how to configure and manage it effectively. Microsoft addressed many management concerns with the introduction of the Group Policy Management Console (GPMC), which was a welcome relief for administrators who are heavily involved in the maintenance of Group Policy.

Although GPMC is an effective tool, it has some limitations. GPMC is useful when only a few Group Policy Objects (GPOs), changes, and administrators are required. In more complex environments, where changes are being made frequently and/or many administrators are involved in the maintenance of GPOs, GPMC falls short because it can't manage, control, and track the changes made by multiple administrators. The result is an increased risk of unwanted changes and difficulty in tracking what has been modified and by whom.

This is where Microsoft Advanced Group Policy Management (AGPM), previously DesktopStandard's GPOVault Enterprise, comes to the rescue. AGPM is now part of the Microsoft Desktop Optimization Pack (MDOP), which is available at no extra cost to Windows Software Assurance (SA) customers only. Essentially an extension for GPMC, AGPM provides additional features such as the ability to check GPOs in and out for editing and the ability to compare two versions of a GPO. Let's take a brief look at the other MDOP components, then focus on how to use AGPM to work more effectively with Group Policy.

MDOP Components
MDOP contains five components that are designed to help manage Windows XP and Windows Vista desktops. The pack contains the following features:

Microsoft SoftGrid Application Virtualization 4.2. Acquired by Microsoft in July 2006 from Softricity, SoftGrid lets you turn Windows applications into virtualized services to ease deployment.

Microsoft Asset Inventory Service (beta). This is a hosted software inventory service.

Microsoft Diagnostics and Recovery Toolset 5.0. Previously the Winternals Administrator's Pack, this well-known toolset was acquired along with Winternals and Sysinternals in July 2006.

Microsoft System Center Desktop Error Monitoring 3.0. This tool analyzes and reports on application and system crashes for Windows desktops.

AGPM 2.5. Available since July, AGPM adds the following key features to GPMC:

  • The ability to check GPOs out for editing, then check them back in
  • Comparison of two GPOs
  • GPO versioning and archiving, including the ability to roll back to a previous GPO version
  • Template-based creation of new GPOs
  • An advanced delegation model for GPO security

Installing AGPM
AGPM uses a client/server model in which a Windows service installed on a domain controller (DC) or member server interacts with an extension to GPMC. AGPM provides a protected editing environment for making offline modifications to GPOs and uses an archive to store offline and old versions of GPOs. AGPM stores GPOs in the same format that GPMC uses for backups. Users who have edited GPOs can submit the modifications to the AGPM service for approval by designated administrators. Once the changes are approved, AGPM passes the change requests to AD. No AD schema modifications are required to use AGPM.

The AGPM service can be installed on a Windows Server 2003 DC or member server. Before running the installer, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and create a service account called AGPM_svc that has full access to the GPOs that you want to manage and the Log on as a Service right. To install the AGPM service, log on to a member server as a domain administrator, run agpmserver.msi, then follow the simple instructions. Leave the Archive Path set to the default, and on the AGPM Service Account screen, browse for AGPM_svc, enter the password, and click Next to continue. Select an account (or group) to take on the AGPM Administrator (Full Control) role, and click Next.

The AGPM client can be installed on Windows Vista or Windows 2003. Run agpmclient.msi, leave the application path for the client at the default value, and click Next. The AGPM Server screen appears. Enter the Fully Qualified Domain Name (FQDN) of the AGPM server and leave the port set to the default value of 4600.
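The service-account preparation described above can also be scripted. This is an added example, not part of the article or of the AGPM product; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, available on later Windows versions than the 2003 servers discussed here) and uses the account name AGPM_svc and the domain ad.com from the article as placeholders.

```powershell
# Added example: provision the AGPM service account with PowerShell instead of
# the ADUC snap-in. Assumes RSAT (ActiveDirectory + GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AccountName = 'AGPM_svc'   # account name used in the article
$Domain      = 'ad.com'     # assumption: the article's example domain
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# A dedicated account that nobody logs on with interactively; it is used only
# by the AGPM Windows service, so its password is managed out of band.
New-ADUser -Name $AccountName `
           -SamAccountName $AccountName `
           -UserPrincipalName "$AccountName@$Domain" `
           -AccountPassword $Password `
           -Enabled $true `
           -PasswordNeverExpires $true `
           -CannotChangePassword $true `
           -Description 'AGPM service account; service use only'

# Give the service account full control of every existing GPO in the domain.
# Use -Name <GPO name> instead of -All if AGPM should manage only some GPOs.
Set-GPPermission -All -TargetName $AccountName -TargetType User `
                 -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# Verify: every GPO should now list AGPM_svc with GpoEditDeleteModifySecurity.
Get-GPO -All | ForEach-Object {
    $p = Get-GPPermission -Guid $_.Id -TargetName $AccountName -TargetType User
    [pscustomobject]@{ GPO = $_.DisplayName; Permission = $p.Permission }
} | Format-Table -AutoSize

# The "Log on as a service" right is not set here: grant it to AGPM_svc in
# Local Security Policy (User Rights Assignment) on the AGPM server before
# running agpmserver.msi.
```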

Granting Access to AGPM
AGPM uses a role-based delegation model. When you installed the AGPM server, you assigned an AD user account the Administrator (Full Control) role. This user can assign the four main AGPM roles (Full Control, Reviewer, Editor, and Approver) to other AD user accounts.

Log on to the AGPM server using the account that you assigned the Administrator (Full Control) role. Open GPMC. Expand Forest: myforest.com\Domains\mydomain.com, and click the new Change Control node. In the right-hand GPMC pane titled Change Control for mydomain.com, click the Domain Delegation tab. On this tab, you can configure email notifications and additional access to the AGPM offline archive.

To add a user, click Add at the bottom of the Domain Delegation tab and type the name of an AD user—for example, Bill@ad.com. Click OK, and you’ll see the new user appear under the Administrator entry in the bottom half of the Domain Delegation tab (as Figure 1 shows). By default, the user is granted Reviewer and Editor permissions only.

Now add another user by going through the same process again. Once the new user is displayed on the Domain Delegation tab, click Advanced. Select the user’s name (in this case, Jim@ad.com) from the list on the Security tab, and under Allow, select Approver, as Figure 2 shows. Click Apply.

Creating Controlled GPOs
Now that you have some default delegation permissions in place, your delegates need some GPOs to manage. You can bring existing GPOs under the control of AGPM by clicking the Change Control node, selecting the Contents tab in the Change Control for mydomain.com pane, selecting the Uncontrolled tab, right-clicking a GPO, and selecting Control from the menu. Of course, you can also create a new controlled GPO. To do so, follow these steps:

  1. Right-click the Change Control node and select New Controlled GPO. Give the GPO a name, select Create offline, and click OK, as Figure 3 shows.
  2. The first time you run AGPM, an information dialog box will be displayed stating that an empty GPO template will be temporarily created on which to base this new GPO. Click OK.
  3. A progress window will be displayed as Windows creates the GPO. Once the process has completed, click Close.
  4. Select the Contents tab in the Change Control for mydomain.com pane, and on the Controlled tab, you’ll see the new GPO. In order to configure this GPO, you need to check it out of the archive. Right-click the GPO, and select Check Out. At this point, you can add a comment if you wish and press OK. Wait for the progress window to complete and click Close. When a GPO is checked out, a temporary copy is created in the production environment and marked as [Checked Out]. This temporary copy isn't linked to any containers in AD so your changes to it won't inadvertently affect any users or computers in production.
  5. You can now right-click the GPO on the Controlled tab, select Edit, and configure the required settings in Group Policy Editor (GPE) as usual.
  6. Close GPE, and back in GPMC on the Controlled tab, right-click the GPO and select Check In. Add a comment if required, click OK, wait for the progress window to finish, and click Close.

It’s important to note that when a controlled GPO is checked out by an admin on a machine with AGPM, he or she will be the only person who can edit it. This is different from the default behavior of GPMC in which multiple admins can edit a GPO and the last changes win. An admin with full permissions to a GPO might be able to edit it by using GPMC on a server on which AGPM hasn’t been installed. However, you can change default AD delegation permissions on GPOs so that only AGPM users can modify GPOs in a domain.
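The caveat above, that an admin with direct permissions on a GPO can still edit it with GPMC and bypass AGPM's check-out, is something you can audit for. The script below is an added example, not from the article or the product; it assumes the GroupPolicy module (RSAT) and that the expected editors are the AGPM_svc account from the article plus the domain's built-in administrative groups. Adjust that list to your delegation model.

```powershell
# Added example: report GPO trustees who hold edit rights outside AGPM.
# Assumes the GroupPolicy module (RSAT); AGPM_svc is the article's account name.
Import-Module GroupPolicy

# Trustees that are expected to be able to edit GPOs. Everything else with an
# edit-level permission is a way around AGPM's check-out/approval workflow.
$ExpectedEditors = @('AGPM_svc', 'Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Permission levels that allow changing a GPO's settings or its security.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        if ($EditLevels -contains $perm.Permission.ToString() -and
            $ExpectedEditors -notcontains $perm.Trustee.Name) {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $perm.Trustee.Name
                Permission = $perm.Permission
                Inherited  = $perm.Inherited
            }
        }
    }
}

if ($findings) {
    # Each row is a GPO that can be edited without going through AGPM.
    $findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
} else {
    'No GPO grants edit rights to trustees outside the expected list.'
}

# To downgrade an unexpected trustee to read-only, replace its entry, e.g.:
# Set-GPPermission -Guid <gpo id> -TargetName <name> -TargetType Group `
#                  -PermissionLevel GpoRead -Replace
```

Note that the GPO creator is given GpoEditDeleteModifySecurity by default, so GPOs created directly in GPMC rather than through AGPM will typically show up in this report.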

If you check a GPO in and out several times, you can then right-click it on the Controlled tab and click History. On the Show All tab, you'll see all the check-in and check-out operations with information about when and by whom. My favorite feature, however, is the ability to highlight any two versions of a GPO at a point in time and see a list of the differences between them. Simply highlight two versions of the GPO (you’ll need to press Ctrl on the keyboard and click to highlight the second one) and click Differences, as Figure 4 shows. This feature can save hours of painstaking investigative work.

Now that you’ve created a new controlled GPO and modified it offline, you need to deploy it to the live environment. (Of course in practice, you should always test new or modified GPOs in a preproduction environment before deployment to your live environment.) If you have Approver or AGPM Administrator permission:

  1. Right-click the GPO on the Controlled tab and select Deploy.
  2. In the Deploy GPO dialog box, click Yes.
  3. Expand the Group Policy Objects node in GPMC to see the GPO listed, and work with it in the normal way—for example, link it to an organizational unit (OU).

If you don’t have permission to deploy a GPO, the request-for-deployment procedure is still steps 1 and 2 above, but the GPO will be placed on the Pending tab until the GPO is approved. Approvers and AGPM Administrators can deploy pending GPOs by going to Change Control for mydomain.com, Contents, Pending and right-clicking a GPO. Select Approve or Reject as appropriate.

GPO Templates
With AGPM, it’s possible to turn a previously created GPO into a template on which to base new GPOs. Let’s turn the previously created GPO into a new template to make the creation of new GPOs faster:

  1. Go to Change Control for mydomain.com, Contents, Controlled; right-click the GPO under Group Policy Objects; and select Save as Template.
  2. Add a name and comment and click OK. Click Close on the progress screen.
  3. Now right-click the Change Control node in the left-hand pane of GPMC and select New Controlled GPO.
  4. Give the GPO a name, select Create offline, select the previously created template from the From GPO template drop-down menu, and click OK.

Using the AGPM Recycle Bin
A useful feature of AGPM is the ability to delete a GPO either from the archive or from both the archive and the live environment, thereby sending the GPO to the AGPM Recycle Bin. This feature means that you don’t have to restore a GPO from a backup should it be required at some point in the future—you can restore it from the Recycle Bin. Let’s go through the delete/restore process:

  1. Go to Change Control, Contents, Controlled, Group Policy Objects; right-click a GPO; and select Delete.
  2. If the GPO is deployed to the live environment, you’ll have the option to delete the GPO from the archive only or to delete both the archived and deployed versions. Let’s choose Delete archive and deployed versions, and click OK, as Figure 5 shows. Wait for the progress screen to finish, and click Close.
  3. Now go to Change Control, Contents, Recycle Bin, and you should see the deleted GPO under Group Policy Objects. Right-click the GPO, and you have the option to Destroy (i.e., purge the GPO from the Recycle Bin) or to Restore. Choose Restore, add a comment if desired, and click OK.
  4. Go back to the Controlled tab and you’ll see the restored GPO, including history and links, under Group Policy Objects. You should note that if you restore a GPO that was previously deployed, you’ll have to redeploy the GPO by following the AGPM procedure outlined above.

AGPM is a simple and elegant extension for GPMC that feels like it was part of the original product. It’s easy to install and work with, doesn’t require a backend database for archiving, and is scalable for large environments. Even if you have only a handful of administrators managing Group Policy, AGPM's change control features make the process more reliable, help you track down problems related to Group Policy configuration, and might even prevent them. In my opinion, it’s a pity that Microsoft is forcing customers to take the SA route in order to utilize AGPM. In the future, I’d like to see this technology built into Windows Server so that everyone can benefit from it. Even in the smallest enterprises, poor configuration management is a problem that often causes unplanned downtime.

For those who don’t have SA, NetPro Computing's GPOADmin offers similar features to AGPM, and Group Policy Manager from Quest offers features over and above AGPM, such as advanced Resultant Set of Policy (RSoP) reporting. AGPM might not be able to replace the paper forms and corporate change control procedures in your organization, but it is a valuable addition to GPMC for maintaining well-managed and well-documented systems.