The Advanced Group Policy Management (AGPM) increases the capabilities of the Group Policy Management Console (GPMC), providing:
• Standard roles for delegating permissions to manage Group Policy objects (GPOs) to multiple Group Policy administrators.
• An archive to enable Group Policy administrators to create and modify GPOs offline before deploying them to a production environment.
• The ability to roll back to any previous version of a GPO.
• Check-in/check-out capability for GPOs to ensure that Group Policy administrators do not overwrite each other's work.
If you want more information about what it brings, have a look at the Advanced Group Policy Management datasheet.
Some features include:
• Offline editing of GPOs
• Difference reporting and audit logging
• Recovery of a deleted GPO (Recycle Bin)
• Repair of live GPOs
• Creation of GPO template libraries
• Subscription to policy change e-mail notifications
• Version tracking, history capture, and quick rollback of deployed changes
• Role-based administration (Editor, Reviewer, Approver)
• Change request approval
AGPM is built out of a client and server component, which need to be installed.
AGPM Server hosts the "AGPM Service" and manages the GPO archive. All AGPM operations are managed through this Windows service and are executed with the service's credentials. AGPM stores all versions of each controlled Group Policy object (GPO) - which is a GPO for which AGPM provides change control - in a central archive, so that Group Policy administrators can view and modify GPOs offline without immediately impacting the deployed version of each GPO.
Each Group Policy administrator - anyone who creates, edits, deploys, reviews or deletes GPOs - must have the AGPM Client installed on computers that they use to manage GPOs.
Installation Requirements
AGPM Client requires Windows Vista (32-bit version) or Microsoft Windows Server 2003 (32-bit version) as well as the Group Policy Management Console (GPMC). AGPM Client can be installed on the same computer running the AGPM Server.
AGPM Server requires Windows Vista (32-bit version) or Microsoft Windows Server 2003 (32-bit version) as well as the Group Policy Management Console (GPMC). Additionally, you must be a member of the Domain Admins group to install AGPM Server. The AGPM Server component can be installed on a member server or domain controller.
1. AGPM Server Installation Process
In the Welcome dialog box, click Next.
In the Application Path dialog box, select a location in which to install AGPM Server. The computer on which AGPM Server is installed will host the AGPM Service and manage the archive. Click Next.
In the Archive Path dialog box, select a location for the archive relative to the AGPM Server. The archive path can point to a folder on the AGPM Server or elsewhere, but you should select a location with sufficient space to store all GPOs and history data managed by this AGPM Server. Click Next.
In the AGPM Service Account dialog box, select a service account under which the AGPM Service will run and then click Next.
In the Archive Owner dialog box, select an account or group to which to initially assign the AGPM Administrator (Full Control) role. This AGPM Administrator can assign AGPM roles and permissions to other Group Policy administrators (including the role of AGPM Administrator). Click Next.
Click Install, and then click Finish to exit the Setup Wizard.
2. AGPM Client Installation Process
In the Welcome dialog box, click Next.
In the Application Path dialog box, select a location in which to install AGPM Client. Click Next.
In the AGPM Server dialog box, type the fully-qualified computer name and the port for the AGPM Server to which to connect. The default port for the AGPM Service is 4600. Click Next.
Click Install, and then click Finish to exit the Setup Wizard.
GPMC User Interface changes
Advanced Group Policy Management (AGPM) adds a Change Control node to each domain displayed in the Group Policy Management Console (GPMC). In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree.
Within the details pane there are 3 primary tabs, providing access to both GPO-level settings and domain-level settings for AGPM.
• Contents Tab: GPO settings and commands and GPO-level delegation
• Domain Delegation Tab: AGPM e-mail notification settings and domain-level delegation
• AGPM Server Tab: Domain-level archive connection settings
AGPM adds a History tab to all Group Policy objects (GPOs) and Group Policy links displayed in the GPMC. The features of the History tab in the details pane of a GPO are the same as those of the History window displayed through the Change Control tab (by double-clicking a "controlled/uncontrolled GPO").
In the Microsoft Windows Server 2003 operating system (only!), AGPM adds an Extensions tab to all GPOs and Group Policy links displayed in the GPMC. This tab lists all extensions that contain settings in the GPO (or all registered extensions if "Show all registered extensions" is checked) and identifies them as part of the user or computer context.
AGPM Administrative Template
AGPM ships with an administrative template (AGPM.ADM, located in %windir%\inf) containing settings for Advanced Group Policy Management (AGPM). These settings let you centrally configure logging and tracing options for AGPM clients and servers to which a Group Policy object (GPO) with these settings is applied. Similarly, they let you centrally configure archive locations and the visibility of the Change Control node and History tab for Group Policy administrators to whom a GPO with these settings is applied.
Role based administration
In an environment where multiple people build/edit Group Policy objects (GPOs), you can delegate specific tasks to specific people for specific GPOs based on a role model (Reviewer, Editor, Approver, Administrator).
AGPM Administrators can delegate permissions to "Editors" who make changes to GPOs and to "Approvers" who deploy GPOs to the production environment. AGPM Administrators can configure permissions to meet the needs of your organization, since the "AGPM Administrator" role includes the permissions for all other roles and thus can perform the tasks normally associated with any other role.
• Approvers can perform "Approver Tasks", such as creating, deploying, or deleting GPOs.
• Editors can perform "Editor Tasks", such as editing, renaming, labeling, or importing GPOs, creating templates, or setting a default template.
• Reviewers can perform "Reviewer Tasks", such as reviewing settings and comparing GPOs.
NOTE:
To delegate (read) access to Group Policy administrators who use AGPM, you must grant them "List Contents" as well as "Read Settings" permissions (Reviewers role). This enables them to view GPOs on the Contents tab of AGPM. Set the permission to apply to This object and nested objects.
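
Added example, not part of the original post or of AGPM itself: a PowerShell check over a hand-built delegation list that reports every principal whose combined roles allow both editing and deploying the same GPO, which would sidestep the Editor/Approver split described above. The account names, the '*' marker for domain-level delegation, the task labels and the Get-AgpmDutyConflict function are assumptions made for illustration.

```powershell
# Tasks per role as listed on this page; Administrator includes every other role.
$RoleTasks = @{
    Reviewer = @('ReviewSettings', 'CompareGPOs')
    Editor   = @('Edit', 'Rename', 'Label', 'Import', 'CreateTemplate', 'SetDefaultTemplate')
    Approver = @('Create', 'Deploy', 'Delete')
}
$RoleTasks['Administrator'] = @($RoleTasks.Values | ForEach-Object { $_ })

# Constructed sample data: delegation entries copied by hand from the
# Domain Delegation tab (Scope '*') and from per-GPO delegation (Scope = GPO name).
$Delegation = @(
    [pscustomobject]@{ Principal = 'EXAMPLE\gpo-editors';   Role = 'Editor';        Scope = '*' }
    [pscustomobject]@{ Principal = 'EXAMPLE\gpo-approvers'; Role = 'Approver';      Scope = '*' }
    [pscustomobject]@{ Principal = 'EXAMPLE\helpdesk';      Role = 'Reviewer';      Scope = '*' }
    [pscustomobject]@{ Principal = 'EXAMPLE\gpo-editors';   Role = 'Approver';      Scope = 'Workstation Baseline' }
    [pscustomobject]@{ Principal = 'EXAMPLE\agpm-admins';   Role = 'Administrator'; Scope = '*' }
)

function Get-AgpmDutyConflict {
    param(
        [Parameter(Mandatory)] [object[]]  $Entries,
        [Parameter(Mandatory)] [hashtable] $RoleTasks
    )
    foreach ($byPrincipal in ($Entries | Group-Object -Property Principal)) {
        # Assumption: a domain-level role also applies to every individual GPO.
        $domainRoles = @($byPrincipal.Group | Where-Object { $_.Scope -eq '*' } |
                         ForEach-Object { $_.Role })
        foreach ($scope in ($byPrincipal.Group.Scope | Sort-Object -Unique)) {
            $roles = @($byPrincipal.Group | Where-Object { $_.Scope -eq $scope } |
                       ForEach-Object { $_.Role }) + $domainRoles | Sort-Object -Unique
            $tasks = $roles | ForEach-Object { $RoleTasks[$_] }
            # Flag anyone who can both change a GPO and push it to production.
            if ($tasks -contains 'Edit' -and $tasks -contains 'Deploy') {
                [pscustomobject]@{
                    Principal = $byPrincipal.Name
                    Scope     = $scope
                    Roles     = $roles -join ', '
                }
            }
        }
    }
}

Get-AgpmDutyConflict -Entries $Delegation -RoleTasks $RoleTasks | Format-Table -AutoSize
```

The check compares principals by name only; it does not expand group membership, so a user who belongs to both an editor group and an approver group has to be resolved separately.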










