Advanced Group Policy Management: Introduction

This is the first post in a two-part series about Advanced Group Policy Management (AGPM), part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is available to customers with Software Assurance licensing and also includes a broader set of tools such as App-V, DaRT and MBAM.

AGPM brings change control and auditing to Group Policy. Administrators who want to modify a GPO must first check it out, modify it, then check it back in. AGPM records every change together with the user account that made it, and this history is viewable in reports within the system. It also brings version control: administrators can roll a GPO back to a previous version, compare the current version with any earlier one, and see who changed a particular setting.

Features

AGPM works by using a service account to actually modify the GPOs. The idea is to grant this service account edit permission on all GPOs (thus "importing" them into AGPM as controlled GPOs) and let that account make all of the changes. This creates a trust issue with Domain Admins: you do not want to remove their direct permissions on GPOs in case AGPM becomes unavailable, but any edit they make directly in GPMC bypasses AGPM's check-out process and change history. Domain Admins therefore have to be trusted to go through AGPM for modifications; AGPM records changes, it cannot stop a Domain Admin from working around it.
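The following script is an added example for this post, not code from the original article or from AGPM itself. It audits which GPOs in the domain grant the service account the edit level it needs and, with `-Fix`, grants it without touching the existing Domain Admins entries. The account name `svc-agpm`, the domain `contoso.com` and the choice of `GpoEditDeleteModifySecurity` as the required level are assumptions; it relies only on the standard GroupPolicy module cmdlets.

```powershell
# Added example, not part of the original post or of AGPM itself.
# Audits which GPOs grant the AGPM service account the permission it needs to
# edit them, and optionally grants it. Names are assumptions:
#   svc-agpm    = the AGPM service account (sAMAccountName)
#   contoso.com = the target domain
# Requires the GroupPolicy module (RSAT / GPMC) and rights to read and modify GPO security.
Import-Module GroupPolicy

$ServiceAccount = 'svc-agpm'      # assumption: AGPM service account
$Domain         = 'contoso.com'   # assumption: target domain
# Assumed required level: the GPMC "Edit settings, delete, modify security" entry,
# i.e. full edit rights rather than plain GpoEdit.
$RequiredLevel  = 'GpoEditDeleteModifySecurity'

function Get-AgpmDelegationReport {
    param([switch]$Fix)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPPermission errors when the trustee has no ACE at all; treat that as 'None'.
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount `
                                 -TargetType User -DomainName $Domain -ErrorAction SilentlyContinue
        $level = if ($perm) { [string]$perm.Permission } else { 'None' }
        $ok    = ($level -eq $RequiredLevel)

        if (-not $ok -and $Fix) {
            # Set-GPPermission without -Replace adds/upgrades only this trustee's ACE,
            # so the Domain Admins entries the post says to keep are left intact.
            Set-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount -TargetType User `
                             -PermissionLevel $RequiredLevel -DomainName $Domain | Out-Null
            $level = $RequiredLevel
            $ok    = $true
        }

        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Id            = $gpo.Id
            Permission    = $level
            HasAgpmAccess = $ok
        }
    }
}

# Report only; add -Fix to grant the missing permission.
Get-AgpmDelegationReport | Sort-Object HasAgpmAccess, Name | Format-Table -AutoSize
```

Run it without `-Fix` first and keep the output: a GPO that the service account cannot edit is one that can only be changed outside AGPM, so the report doubles as a list of GPOs whose changes will not appear in AGPM's history.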

Once the service account has been added to your GPOs, all management is done through the AGPM snap-in. Installing the snap-in adds a "Change Control" node to the traditional Group Policy Management Console (GPMC).

To modify a GPO, you first check it out by right-clicking the GPO and selecting "Check Out…". Then right-click it again, select "Edit", and make your changes as you would have before implementing AGPM. When you are done, check the GPO back in and enter a comment describing the changes. Checking in updates AGPM's archived copy only; the production GPO is not changed until you right-click the GPO and select "Deploy…".

AGPM also keeps track of GPO links. It keeps a record of where GPOs are linked now and where they were linked previously, which helps administrators work out why a setting changed on a particular machine at a particular time.

Finally, AGPM provides a Group Policy "Recycle Bin" from which administrators can recover deleted GPOs and view settings reports for them. Only GPOs controlled by AGPM are kept in the Recycle Bin after deletion; an uncontrolled GPO deleted directly in GPMC is not recoverable this way.

Linking

Linking GPOs works the same as it does in a normal Group Policy environment: administrators link a GPO by right-clicking the OU and linking it there, and normal Active Directory permissions on that OU apply. The AGPM service account does not perform any linking of GPOs; AGPM records link changes, but it does not make them.
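The script below is an added example, not code from the original post or from AGPM. It shows why linking sits outside AGPM's control: a link is stored in the `gPLink` attribute of the container being linked (the domain head or an OU), not on the GPO, so the right to add or remove it is an Active Directory permission on that container. The script reads those attributes for every OU and the domain root and produces the "where is it linked now" view that AGPM's link history extends with "where it was". The domain `contoso.com` and the GPO name `Workstation Baseline` are assumptions; site links, which live in the Configuration partition, are not covered.

```powershell
# Added example; not from the original post or from AGPM.
# Lists every GPO link in the domain by reading the gPLink attribute of the
# containers that carry links (the domain head and each OU). contoso.com and
# 'Workstation Baseline' are assumptions. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT). Site links are not covered.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkMap {
    param([string]$Domain = 'contoso.com')   # assumption: target domain

    $domainDN   = (Get-ADDomain -Identity $Domain).DistinguishedName
    $containers = @(Get-ADObject -Identity $domainDN -Server $Domain -Properties gPLink, gPOptions) +
                  @(Get-ADOrganizationalUnit -Filter * -Server $Domain -Properties gPLink, gPOptions)

    # Each gPLink entry looks like "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;FLAGS]".
    # FLAGS bit 0 (value 1) = link disabled, bit 1 (value 2) = link enforced.
    $linkRegex = '(?i)\[LDAP://cn=\{([0-9a-f-]+)\},[^;]+;(\d+)\]'
    $nameCache = @{}

    foreach ($c in $containers) {
        if ([string]::IsNullOrWhiteSpace($c.gPLink)) { continue }
        # gPOptions bit 0 on the container = "Block Inheritance".
        $blockInheritance = ((($c.gPOptions -as [int]) -band 1) -eq 1)

        foreach ($m in [regex]::Matches($c.gPLink, $linkRegex)) {
            $guid  = $m.Groups[1].Value
            $flags = [int]$m.Groups[2].Value
            if (-not $nameCache.ContainsKey($guid)) {
                # A link whose GPO no longer exists is reported as an orphaned link.
                $gpo = Get-GPO -Guid $guid -Domain $Domain -ErrorAction SilentlyContinue
                $nameCache[$guid] = if ($gpo) { $gpo.DisplayName } else { '<orphaned link>' }
            }
            [pscustomobject]@{
                Container        = $c.DistinguishedName
                GpoName          = $nameCache[$guid]
                GpoId            = $guid
                Enforced         = (($flags -band 2) -ne 0)
                LinkEnabled      = (($flags -band 1) -eq 0)
                BlockInheritance = $blockInheritance
            }
        }
    }
}

# Where is a given GPO linked right now? (Assumed GPO name.)
Get-GpoLinkMap | Where-Object GpoName -eq 'Workstation Baseline' | Format-Table -AutoSize
```

Because the data comes straight from the container objects, the same query works whether or not the GPO is controlled by AGPM, and an orphaned link (a GUID with no matching GPO) is a useful thing to look for after a GPO has been deleted and restored.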

Come back next week for a post about installing and configuring AGPM.
