You Should Be Using Microsoft’s Advanced Group Policy Management (AGPM)

Kraft Kennedy

Microsoft’s Advanced Group Policy Management (AGPM) gives you much tighter control over GPOs. For example, with AGPM you have to check out a GPO to make edits, which prevents anyone from accidentally making changes while another person is editing. You can also require approval for a proposed change; that’s built-in change management. And AGPM lets you roll back to a previous version of a GPO if a change you made is causing problems.

AGPM is part of the Microsoft Desktop Optimization Pack (MDOP), which is an add-on to an Enterprise Agreement with Software Assurance (SA). Most firms with Windows Enterprise already have access to MDOP and its components, including AGPM.



How to Set It Up

AGPM is relatively easy to set up. All you need are two accounts, a server, and clients.

The server doesn’t need to be dedicated to AGPM; you simply need one with the Group Policy Management Console (GPMC) feature installed. In fact, on Server 2008 R2 or newer, the AGPM installer will install the GPMC and the required .NET features if necessary. The two accounts are an AGPM Admin account and an AGPM Service account. You need to grant the service account access to all your existing GPOs before setting up AGPM. This can be done with the script GrantPermissionOnAllGPOs.wsf, which is part of the GPMC sample scripts in the TechNet Code Gallery: https://gallery.technet.microsoft.com/group-policy-management-17a5f840.

Then all you need to do is set up the AGPM Server software and the Client. The client software can be installed on the same server as the Server software if you want a single place to manage it. If you want to manage GPOs from other workstations, the client software requires Windows RSAT to be installed. Once you set up the Server software, it locks down the permissions on all existing GPOs so that only Domain Admins can right-click and edit GPOs from the standard GPMC. Any other users will have to use the AGPM client to check out a GPO and then edit it.

You can further lock it down to prevent Domain Admins from editing outside AGPM by denying the Domain Administrators group the right to edit GPOs explicitly.  This effectively forces everyone to use AGPM so that you can manage and approve changes in a controlled manner.
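As an added example (not from the original post and not Microsoft's AGPM tooling), the following PowerShell performs the permission-grant step with the GroupPolicy RSAT module instead of GrantPermissionOnAllGPOs.wsf, then audits which principals still hold direct edit rights on each GPO so you can confirm the lockdown took effect. The service account name AGPMService is an assumption.

```powershell
# Added example, not part of the original post or of AGPM itself.
# Assumes: the GroupPolicy RSAT module is installed, the account running this
# can modify GPO security, and the AGPM service account is named "AGPMService".
Import-Module GroupPolicy

$ServiceAccount = 'AGPMService'   # assumed name; substitute your AGPM service account

# Step 1: grant the AGPM service account full control over every existing GPO.
# AGPM needs this to check GPOs in and out on behalf of the people editing them.
Get-GPO -All | ForEach-Object {
    Set-GPPermission -Guid $_.Id `
        -TargetName $ServiceAccount -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    Write-Host "Granted $ServiceAccount edit rights on '$($_.DisplayName)'"
}

# Step 2: audit who can still edit GPOs directly in GPMC. Once AGPM is in place,
# any trustee other than the service account (and Domain Admins, until you deny
# them explicitly) with an allow entry here can bypass the check-out workflow.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Type       = $_.TrusteeType
                Permission = $_.Permission
                Denied     = $_.Denied   # $true for an explicit deny entry
            }
        }
} | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run the audit again after denying Domain Admins edit rights; the corresponding rows should then show Denied = True.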

Based on the ease of implementation and the features AGPM provides, I see more firms implementing it for Group Policy management down the road.