
Deployment Guide

Published February 2013

Microsoft Advanced Group Policy Management v4.0 SP1 Deployment Guide

Important Notice
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. 2013 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, Excel, SoftGrid, SQL Server, Windows, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.


Table of Contents
Important Notice ..... 2
  Copyright ..... 2
Introduction to the Deployment Guide ..... 5
  Audience for This Guide ..... 5
Product Documentation ..... 5
Overview of Microsoft AGPM ..... 6
  Microsoft AGPM Server Requirements ..... 6
  Microsoft AGPM Client Requirements ..... 7
  Mixed Environments ..... 8
  Microsoft AGPM User Account Requirements ..... 9
Planning AGPM Deployment ..... 11
  Centralized Configuration ..... 11
  Decentralized Configuration ..... 13
  Manage Group Policy in Extranets ..... 15
  Collect Necessary Information About the Existing AD DS Infrastructure and GPOs ..... 16
  Determine the Number of AGPM Servers Required ..... 16
  Determine the Number of AGPM Clients Required ..... 17
  Determine the E-mail Infrastructure Requirements ..... 17
  Determine the AGPM Archive Location and Storage Requirements ..... 17
Installing and Configuring AGPM 4.0 SP1 ..... 19
  Steps for Installing AGPM 4.0 SP1 ..... 19
    Step 1: Install AGPM Server ..... 19
    Step 2: Install AGPM Client ..... 21
    Step 3: Configure an AGPM Server Connection ..... 22
    Step 4: Configure Email Notification ..... 23
    Step 5: Delegate Access ..... 24
    Step 6: Secure AGPM ..... 25
      Assign the Appropriate Security Roles to Group Policy Administrators ..... 26
      Secure the AGPM Service Account ..... 30
      Secure the AGPM Archive ..... 30
      Securing Communication Between the AGPM Clients and the AGPM Servers ..... 31
      Hardening of Computers Running AGPM Server ..... 33
      Configuring AGPM-only Group Policy Management ..... 34
  Steps for Managing GPOs ..... 36
    Step 1: Create a GPO ..... 36
    Step 2: Edit a GPO ..... 37
    Step 3: Review and Deploy a GPO ..... 39
    Step 4: Use a Template to Create a GPO ..... 40
    Step 5: Delete and Restore a GPO ..... 41
Summary ..... 45


Introduction to the Deployment Guide


This deployment guide is designed to help you evaluate and set up Microsoft Advanced Group Policy Management (AGPM). This guide provides details of the steps necessary to install and configure AGPM components, including AGPM Server and AGPM Client components, configuring an AGPM Server connection, configuring notifications, delegating access, and securing AGPM.

Audience for This Guide


This guide was written for Microsoft Windows Group Policy administrators. As an information technology (IT) professional, you should have sufficient knowledge and experience to accomplish the following tasks:

- Set up operating systems and install applications.
- Add computers to domains.
- Set up and work comfortably with Active Directory Domain Services (AD DS) and Microsoft Domain Name System (DNS).
- Work with Active Directory Group Policy.

Product Documentation
Additional documentation for AGPM is available from TechNet at: http://technet.microsoft.com/library/dd420466.aspx.


Overview of Microsoft AGPM


AGPM increases the capabilities of the Group Policy Management Console (GPMC) by providing the following benefits:

- An archive that enables Group Policy administrators to create and modify Group Policy objects (GPOs) offline before deploying them to a production environment.
- The ability to roll back to any previous version of a GPO in the archive, and to limit the number of versions stored in the archive.
- Check-in/check-out capability for GPOs, to ensure that Group Policy administrators do not inadvertently overwrite each other's work.
- Management of Group Policy across different forests, including the ability to copy GPOs from one forest to another.
- Easier GPO tracking through the new search and filter capabilities, which let you find GPOs that were last changed by a specific administrator, on a particular date, or by other criteria.
- Standard roles for delegating permissions to manage GPOs to multiple Group Policy administrators, as well as the ability to delegate access to GPOs in the production environment.

Note: For a table of the standard permissions that can be assigned to Group Policy administrators, and the rights associated with each role, see the Securing AGPM section later in this guide.

To help this process flow as smoothly as possible, we recommend that you read this guide carefully before installing the Microsoft AGPM Console.

Microsoft AGPM Server Requirements

AGPM Server 4.0 Service Pack 1 (SP1) requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista with SP1, with the Group Policy Management Console (GPMC) from the Remote Server Administration Tools (RSAT) installed. Both 32-bit and 64-bit versions are supported. Before you install AGPM Server, you must be a member of the Domain Admins group, and the following Windows features must be present, unless otherwise noted:

- GPMC
  - Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is automatically installed by AGPM if not already present.
  - Windows 8: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 8 (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  - Windows 7: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=131280).
  - Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows Vista with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
- .NET Framework 3.5

The following Windows features are required by AGPM Server and will be automatically installed if not present:

- WCF Activation: Non-HTTP Activation
- Windows Process Activation Service
  - Process Model
  - .NET Environment
  - Configuration APIs

Microsoft AGPM Client Requirements

AGPM Client refers to any computer that will be used to manage GPOs with AGPM. AGPM Client 4.0 SP1 requires Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista SP1, with the GPMC from RSAT installed. Both the 32-bit and the 64-bit versions are supported. AGPM Client can be installed on a computer running AGPM Server.

Note: Although the AGPM Client itself must run on one of the operating systems listed above, you can manage GPOs that apply to any version of Windows from Windows XP forward.

The following Windows features are required by AGPM Client and will be automatically installed by AGPM if not present:

- GPMC
  - Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008: The GPMC is automatically installed by AGPM if not already present.
  - Windows 8: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 8 (http://www.microsoft.com/en-us/download/details.aspx?id=28972).
  - Windows 7: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=131280).
  - Windows Vista with SP1: You must install the GPMC from RSAT before you install AGPM. For more information, see Remote Server Administration Tools for Windows Vista with Service Pack 1 (http://go.microsoft.com/fwlink/?LinkID=116179).
- .NET Framework 3.0
  - Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7: If the .NET Framework 3.0 or a later version is not present, the .NET Framework 3.5 is automatically installed by AGPM.
  - Windows Server 2008 or Windows Vista SP1: If the .NET Framework 3.0 or a later version is not present, the .NET Framework 3.0 is automatically installed by AGPM.

Mixed Environments

Many companies today operate in a mixed environment; that is, the computer running AGPM Server and the computer running AGPM Client may be running different operating systems. In the following table, the AGPM Server is the computer that is running the AGPM Service, and the AGPM Client is the computer that has the AGPM Console installed for managing GPOs. In a mixed environment that includes newer and older operating systems, there are some limitations to functionality, as indicated in the table.

Note: This table refers to compatibility between the AGPM Server and the AGPM Client used to administer AGPM. AGPM 4.0 SP1 can manage GPOs that apply to Windows XP, Windows Vista, Windows 7, Windows 8, and Windows Server versions.

AGPM Server Operating System | AGPM Client Operating System | Status of AGPM Support
--- | --- | ---
Windows Server 2012 or Windows 8 | Windows Server 2012 or Windows 8 | Supported
Windows Server 2008 R2 or Windows 7 | Windows Server 2012 or Windows 8 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 or Windows 8
Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7
Windows Server 2008 or Windows Vista SP1 | Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7 | Unsupported
Windows Server 2008 or Windows Vista SP1 | Windows Server 2008 or Windows Vista SP1 | Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7

Microsoft AGPM User Account Requirements

With AGPM, you can assign roles to different users, or groups of users, delegating permissions for viewing, creating, and approving GPOs. The following bullet points and flow chart offer a high-level summary of the assigned roles:

- Using an account that is a member of the Domain Admins group, install AGPM Server and assign the AGPM Administrator role to an account or group.
- Using accounts to which you will assign AGPM roles, install AGPM Client.
- Using an account with the AGPM Administrator role, configure AGPM and delegate access to GPOs by assigning roles to other accounts.
- Using an account with the Editor role, request the creation of a GPO, which you then approve using an account with the Approver role. With the Editor account, check the GPO out of the archive, edit the GPO, check the GPO into the archive, and request deployment.
- Using an account with the Approver role, review the GPO and deploy it to your production environment.
- Using an account with the Editor role, create a GPO template and use it as a starting point to create a new GPO.
- Using an account with the Approver role, delete and restore a GPO.

Figure 1: AGPM 4.0 SP1 Roles and their functions


Planning AGPM Deployment


AGPM can be deployed to serve the needs of any size organization, any network infrastructure, and any security model. This planning guide presents common deployment configurations. Even though these scenarios are presented as discrete units, your implementation of AGPM may consist of a combination of these scenarios. For example, you might have data centers that use one configuration but branch offices that use a different one.

Note: The level of management centralization in AGPM can be influenced by your corporate structure and by network performance issues between domains. The number of GPOs that AGPM manages is typically not a factor in the level of management centralization.

Centralized Configuration
The centralized configuration assumes a single computer running AGPM Server and one or more client computers running the AGPM Client. Figure 2 provides an example of the centralized configuration, in which one AGPM Server is serving multiple domains.


Figure 2. Example of the centralized configuration

Select the centralized configuration when:

- The Active Directory Domain Services (AD DS) infrastructure includes a single forest.
- Availability and scalability do not require more than one computer running AGPM Server.

  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server to meet scaling requirements.

- High-speed and reliable network connectivity exists between the domains, the AGPM Server, and the AGPM Clients.


Decentralized Configuration
The decentralized configuration assumes that more than one computer is running AGPM Server. Figure 3 provides an example of the decentralized configuration, in which some AGPM Servers are serving multiple domains while other AGPM Servers each serve only one domain, respectively.

Note: Ensure that each domain is served by only one AGPM Server. Do not allow multiple AGPM Servers to serve the same domain.


Figure 3. Example of the decentralized configuration

Select the decentralized configuration when:

- The AD DS infrastructure includes multiple forests.

  Note: An AGPM Server can only serve multiple domains within a single forest. An AGPM Server cannot serve domains in different forests.

- Availability and scalability require more than one computer running AGPM Server.

  Note: One AGPM Server can support large workloads and is sufficient for most scenarios if the other centralized configuration selection criteria are met. You are unlikely to need more than one AGPM Server to meet scaling requirements.

- The network connectivity between sites is slow or erratic, which requires an AGPM Server to be placed in each site.

Manage Group Policy in Extranets


Most organizations have extranets as a part of their network infrastructure. These extranets are also known as perimeter networks or demilitarized zones (DMZs). In some extranets, organizations deploy an AD DS forest dedicated to managing the identities and computers in the extranet. The domains in these forests have the same Group Policy management issues as the intranet domains.

These extranet forests are intentionally isolated from the private forests in the intranet for security reasons. Because the extranet forests are isolated, you must deploy at least one AGPM Server and AGPM Client to manage the Group Policy settings in the extranet forest. You deploy AGPM Server on at least one member server or domain controller in the extranet. You deploy AGPM Client on the computers that are currently used to manage the extranet forest, which can be in the extranet or within the intranet.

If you deploy AGPM Client on a computer in the intranet, you must open the necessary port on any intermediary firewalls for AGPM. By default, the AGPM Server and AGPM Client communicate by using TCP port 4600, so you must allow TCP port 4600 on any intermediary firewalls between the AGPM Server and AGPM Client. The firewall rule should allow traffic that originates in the internal network to reach the AGPM Server, and then allow the AGPM Server's replies to the client's return port through a stateful rule.

Note: If you change the default TCP port that AGPM communications use during the installation process, allow that TCP port instead of the default TCP port 4600.
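The firewall requirement above is usually satisfied with a rule that allows TCP 4600 from anywhere, which is more than the guide's "originate in the internal network" wording calls for. The following script is an added example, not part of the AGPM guide, that confirms the AGPM Service is listening on the configured port and then replaces any open-to-the-world inbound rule with one scoped to the subnets your AGPM Clients sit on. It runs on the AGPM Server with an elevated PowerShell on Windows Server 2012 / Windows 8 or later (NetSecurity module). The port, the subnet list, and the rule name are assumptions to change for your environment.

```powershell
# Added example (not from the AGPM guide): verify the AGPM listener and scope
# the inbound firewall rule to the intranet subnets that host AGPM Clients.
# Assumptions (change to match your environment):
#   $AgpmPort      - the port chosen during AGPM Server setup (default 4600)
#   $AdminSubnets  - intranet subnets from which AGPM Clients connect (constructed sample)
#   $RuleName      - name of the scoped rule this script creates (hypothetical)
param(
    [int]      $AgpmPort             = 4600,
    [string[]] $AdminSubnets         = @('10.10.20.0/24', '10.10.21.0/24'),
    [string]   $RuleName             = 'AGPM Server (TCP-In, admin subnets only)',
    [switch]   $DisableUnscopedRules
)

# 1. Confirm something is actually listening on the expected port before opening it.
$listener = Get-NetTCPConnection -State Listen -LocalPort $AgpmPort -ErrorAction SilentlyContinue
if (-not $listener) {
    throw "Nothing is listening on TCP $AgpmPort; check the AGPM Service before changing the firewall."
}
$owner = Get-Process -Id ($listener | Select-Object -First 1).OwningProcess
"TCP $AgpmPort is owned by process $($owner.Id) ($($owner.ProcessName))"

# 2. Find existing inbound rules for this port, including the one the installer's
#    'Add port exception to firewall' option creates. Those typically allow any
#    remote address.
$existing = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $AgpmPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' })
foreach ($r in $existing) {
    $addr = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    "Existing inbound rule: '$($r.DisplayName)' Enabled=$($r.Enabled) Profile=$($r.Profile) RemoteAddress=$addr"
}

# 3. Create (or refresh) a rule limited to the admin subnets. Windows Firewall is
#    stateful, so replies to the client's ephemeral port need no outbound rule.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $AgpmPort -RemoteAddress $AdminSubnets `
    -Profile Domain -Enabled True | Out-Null

# 4. Optionally disable the broader rules so only the scoped one admits AGPM traffic.
if ($DisableUnscopedRules) {
    $existing | Where-Object { $_.DisplayName -ne $RuleName } | Disable-NetFirewallRule
}

# Show the result: the scoped rule and the remote addresses it admits.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it once without -DisableUnscopedRules to see which rules already admit the port, then again with the switch once the scoped rule has been confirmed to work from an AGPM Client. If the port was changed at install time, pass it with -AgpmPort; the script refuses to continue when nothing is listening there, which catches a mismatch between the installer's port and the firewall change.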


Collect Necessary Information About the Existing AD DS Infrastructure and GPOs


As the first step in planning your AGPM deployment, collect all the pertinent information about your existing AD DS infrastructure and the GPOs. In some instances, this information already exists as a part of your documentation. If the information does not exist, gather this information for the planning process. The required information is listed in Table 1.
Table 1. Information to Collect About the Existing AD DS Infrastructure and GPOs

Information collected | Helps you determine the
--- | ---
Number of AD DS forests | Number of AGPM Servers
Whether network connectivity issues exist between some domains | Number of AGPM Servers
Level of centralization of administration | Number of AGPM Servers
GPOs in each domain | Number of GPOs to manage using AGPM
IT pros who manage access to GPOs, edit GPOs, approve GPO creation, deployment, and deletion, or require read-only access to information about GPOs | AGPM roles to be assigned to each user, and who requires AGPM Client

Determine the Number of AGPM Servers Required


In the single-server scenario, only one AGPM Server is deployed, which means that one AGPM Server manages the GPOs for all the domains in a single forest. In the multiple-server scenario, you deploy two or more computers running AGPM Server in your environment. You can deploy AGPM Server on a member server or a domain controller. Installing AGPM Server installs the AGPM Service on the computer. For information on the AGPM Server installation requirements, see Microsoft AGPM Server Requirements.

In the multiple-server scenario, deploy a separate AGPM Server for:

- Each forest in your AD DS infrastructure.
- Each site that is isolated by network connectivity issues.
- Each site that your organization's structure requires to be managed separately.


Note: At this step in the planning process, you are concerned only with the number of AGPM Servers required to support your environment. Deploying additional AGPM Servers for availability and scalability is discussed later in this guide.

Determine the Number of AGPM Clients Required


In either the single-server or multiple-server scenario, you deploy one or more AGPM Clients. Deploy the AGPM Client on every computer used to administer GPOs. For information on the AGPM Client installation requirements, see Microsoft AGPM Client Requirements.

Determine the E-mail Infrastructure Requirements


During configuration of the AGPM Server connection, you should specify the fully qualified domain name (FQDN) of a computer running SMTP. This computer can be the SMTP service running on the same computer as Microsoft Exchange Server, or it can be an SMTP relay that forwards e-mail messages to your messaging infrastructure. Additional e-mail infrastructure planning considerations exist:

- If the SMTP servers restrict message relaying to a specific list of computers or IP addresses, you must add each AGPM Server to the list of approved computers or IP addresses.
- If there are intervening firewalls between the AGPM Servers and the SMTP servers, you may need to modify the firewall rules to allow SMTP traffic from the AGPM Servers.
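Both planning considerations above are easiest to check from the AGPM Server itself before the notification settings are configured, because a relay refusal and a blocked port look the same from inside the AGPM console. The script below is an added example, not part of the AGPM guide: it resolves the SMTP host's FQDN, checks that TCP 25 is reachable (a plain socket connect, so it also works on Windows 7 / 2008 R2 where Test-NetConnection is unavailable), and then sends a test message without credentials, which is how an internal relay is normally used. The host name, port, and addresses are assumptions to replace with your own.

```powershell
# Added example (not from the AGPM guide): verify from an AGPM Server that the
# SMTP host to be entered in the AGPM notification settings is reachable and
# accepts mail from this computer. Assumed values (replace with your own):
#   $SmtpServer - FQDN of the SMTP relay or Exchange SMTP service
#   $From/$To   - a sender the relay accepts and a mailbox you can check
param(
    [string] $SmtpServer = 'smtp.corp.example.com',
    [int]    $SmtpPort   = 25,
    [string] $From       = 'agpm-notify@corp.example.com',
    [string] $To         = 'gpo-approvers@corp.example.com'
)

function Test-TcpPort {
    # TCP connect with a timeout; distinguishes "firewall/blocked" from
    # "relay refused" in the steps below.
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Name resolution: AGPM is configured with an FQDN, so it must resolve here.
$addresses = [System.Net.Dns]::GetHostAddresses($SmtpServer) | ForEach-Object { $_.ToString() }
"$SmtpServer resolves to: $($addresses -join ', ')"

# 2. Reachability: a failure here points at an intervening firewall, not relay policy.
if (-not (Test-TcpPort -ComputerName $SmtpServer -Port $SmtpPort)) {
    throw "TCP $SmtpPort to $SmtpServer is blocked or the service is down; check firewall rules between this AGPM Server and the SMTP host."
}

# 3. Relay policy: send an unauthenticated test message. A '5.7.1 Unable to relay'
#    style error means this AGPM Server's address must be added to the SMTP
#    server's list of permitted relay hosts.
try {
    Send-MailMessage -SmtpServer $SmtpServer -Port $SmtpPort -From $From -To $To `
        -Subject "AGPM notification relay test from $env:COMPUTERNAME" `
        -Body "If you can read this, $env:COMPUTERNAME ($($addresses -join ', ')) is permitted to relay through $SmtpServer." `
        -ErrorAction Stop
    "Relay test accepted by $SmtpServer; check the $To mailbox."
} catch {
    "Relay refused or failed: $($_.Exception.Message)"
}
```

Run it on each AGPM Server in the plan, since relay allow-lists are usually keyed by source IP address and every server needs its own entry. If you configure SMTP credentials in the AGPM notification settings, add -Credential to the Send-MailMessage call so the test matches what the AGPM Service will do.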

Determine the AGPM Archive Location and Storage Requirements


AGPM stores the current and previous versions of GPOs in the AGPM archive. The default path for the AGPM archive is %ProgramData%\Microsoft\AGPM on the AGPM Server. Beneath this folder is a subfolder for each GPO stored in the archive. You can configure the AGPM Service to store the archive in a different path, even on another computer. For example, you may want to store the archive on a volume that is located on a Storage Area Network (SAN) logical unit (LUN) or on a local disk that has greater capacity than the system disk. To calculate the storage requirements for the AGPM archive, use the following calculation:

Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver

Table 2 lists the variables in the equation above and provides a brief description of each. Perform this calculation for each AGPM Server in your plan.

Table 2. Variables for Calculating AGPM Archive Storage Requirements

Variable | Description
--- | ---
Avg_GPO_Size | The average size of the GPOs in your environment; for most GPOs, you can use a value of 64 kilobytes (KB).
Num_GPO | The number of GPOs in your current production environment that this AGPM Server will manage.
Num_Ver | The number of GPO versions retained in the archive; you can configure the maximum number of versions to retain in the archive (by default, AGPM retains all GPO versions).

For most modern computers, the storage requirements for the AGPM archive are negligible. However, you can reduce the storage requirements by limiting the number of GPO versions retained. You can specify a value from 0 to 999 versions. If you specify a value of 0, only the current GPO version is retained in the archive. Although each organization will vary, retaining the last 10 versions in the AGPM archive is a recommended initial configuration value. You can then adjust the number of versions retained in the archive based on your experience in your organization. For more information on how to limit the number of GPO versions stored, see Limit the GPO Versions Stored in Microsoft Advanced Group Policy Management Help.
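The 64 KB rule of thumb in Table 2 is a planning input, not a measurement; once an AGPM Server has been running, the archive itself (one subfolder per controlled GPO under the archive path) gives the real average. The following script is an added example, not part of the AGPM guide: it wraps the Table 2 formula in a function that treats the 0 setting as "one copy per GPO", and adds a second function that measures the actual archive so the estimate can be revisited. It requires PowerShell 3.0 or later; the archive path defaults to the location named above, and the server names and GPO counts in the planning sample are constructed.

```powershell
# Added example (not from the AGPM guide): the archive storage estimate from
# Table 2 as a function, plus a measurement of the real archive so the estimate
# can be rechecked once AGPM is in use. Requires PowerShell 3.0 or later.
# Assumptions: the archive is at the default path (%ProgramData%\Microsoft\AGPM)
# unless you pass -ArchivePath; server names and GPO counts below are constructed.

function Get-AgpmArchiveEstimate {
    # Storage_Requirements = Avg_GPO_Size * Num_GPO * Num_Ver
    # Num_Ver mirrors the 'versions to retain' setting (0 to 999). A value of 0
    # keeps only the current version, so at least one copy per GPO is counted.
    # If you keep the default (retain all versions), pass the number of versions
    # per GPO you expect to accumulate instead.
    param(
        [Parameter(Mandatory)] [int] $NumGpo,
        [int] $AvgGpoSizeKB = 64,
        [ValidateRange(0, 999)] [int] $NumVer = 10
    )
    $copies = [math]::Max(1, $NumVer)
    $bytes  = [int64]$AvgGpoSizeKB * 1KB * $NumGpo * $copies
    [pscustomobject]@{
        NumGpo       = $NumGpo
        CopiesPerGpo = $copies
        EstimatedMB  = [math]::Round($bytes / 1MB, 1)
    }
}

function Measure-AgpmArchive {
    # Actual on-disk usage: one subfolder per controlled GPO, so the average
    # folder size is a better Avg_GPO_Size than the 64 KB rule of thumb.
    param([string] $ArchivePath = (Join-Path $env:ProgramData 'Microsoft\AGPM'))
    if (-not (Test-Path -LiteralPath $ArchivePath)) { throw "Archive path not found: $ArchivePath" }

    $perGpo = @(Get-ChildItem -LiteralPath $ArchivePath -Directory | ForEach-Object {
        $sum = (Get-ChildItem -LiteralPath $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{ Folder = $_.Name; SizeKB = [math]::Round(([double]$sum) / 1KB, 1) }
    })
    $totalKB = [double]($perGpo | Measure-Object -Property SizeKB -Sum).Sum
    $avgKB   = if ($perGpo.Count -gt 0) { $totalKB / $perGpo.Count } else { 0 }

    [pscustomobject]@{
        ArchivePath  = $ArchivePath
        GpoFolders   = $perGpo.Count
        TotalMB      = [math]::Round($totalKB / 1KB, 1)
        AvgGpoSizeKB = [math]::Round($avgKB, 1)
        Largest      = $perGpo | Sort-Object SizeKB -Descending | Select-Object -First 3
    }
}

# Constructed planning sample: two AGPM Servers from a decentralized design,
# each retaining the recommended 10 versions.
$plan = @(
    [pscustomobject]@{ Server = 'AGPM-CORP';     NumGpo = 350 }   # hypothetical names
    [pscustomobject]@{ Server = 'AGPM-EXTRANET'; NumGpo = 40 }
)
foreach ($s in $plan) {
    $est = Get-AgpmArchiveEstimate -NumGpo $s.NumGpo -NumVer 10
    '{0}: {1} GPOs x {2} copies x 64 KB = about {3} MB' -f $s.Server, $est.NumGpo, $est.CopiesPerGpo, $est.EstimatedMB
}

# On an AGPM Server that has been in use for a while, compare with reality:
# Measure-AgpmArchive | Format-List
```

With the sample numbers the two servers come to roughly 219 MB and 25 MB, which is the "negligible" outcome the text describes; the measurement function is what tells you whether a few GPOs carrying large script or ADMX payloads have pushed the real average well past 64 KB.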


Installing and Configuring AGPM 4.0 SP1


Before you install AGPM 4.0 SP1, create four user accounts: AGPM Administrator (granted Full Control to AGPM), AGPM Approver, AGPM Editor, and AGPM Reviewer. Ensure that these accounts have the appropriate rights and capabilities to send e-mail messages. You must also assign the Link GPOs permission to the accounts that will hold the AGPM Administrator and Approver roles, and optionally to the account that will hold the AGPM Editor role.

Note: The Link GPOs permission is assigned to members of Domain Admins and Enterprise Admins by default. To assign the Link GPOs permission to additional users or groups (such as the accounts with the AGPM Administrator or Approver roles), in GPMC select the domain, click the Delegation tab, select Link GPOs, click Add, and then select the users or groups to which to assign the permission.

Steps for Installing AGPM 4.0 SP1


You must complete the following steps to install and configure AGPM 4.0 SP1:

Step 1: Install AGPM Server
Step 2: Install AGPM Client
Step 3: Configure an AGPM Server connection
Step 4: Configure email notification
Step 5: Delegate access
Step 6: Secure AGPM

Step 1: Install AGPM Server

AGPM Server 4.0 SP1 can be installed on either a domain controller or a member server, although installing on a domain controller is not recommended. The server on which you install AGPM Server will run the AGPM Service and will be used to configure the AGPM archive. All AGPM operations are managed through this Windows service and are executed using the service's credentials. The AGPM archive can be hosted on this server, or on any other server within the same Active Directory Domain Services forest.

To install AGPM Server on the computer that will host the AGPM Service:

1. Log on to the server with an account that is a member of the Domain Admins group.
2. Insert the Microsoft Desktop Optimization Pack (MDOP) CD in the CD-ROM drive of the server. If autoplay is enabled, the CD will start automatically. Otherwise, browse to the CD using File Explorer or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.
3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft Advanced Group Policy Management.
4. On the Microsoft Advanced Group Policy Management page, select the appropriate server to install by selecting Install Server (32-bit) or Install Server (64-bit). The installation wizard will launch.
5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Server screen, click Next.
6. On the Microsoft Software License Terms page, read the license, click I accept the license terms, and then click Next.
7. On the Application Path page, accept the default location to install AGPM Server, or type a custom location, and then click Next.
8. On the Archive Path page, accept the default location for the AGPM archive directory, or type a custom path, and then click Next.
9. On the AGPM Service Account page, type the user name and password of the domain account that will be used as the AGPM Service account, and then click Next. Note that if you have a single Active Directory Domain Services domain, or will only be managing GPOs in a single domain, and are installing AGPM Server on a domain controller, you can use the Local System account as the AGPM Service account.
10. On the Archive Owner page, type the user account that will be assigned the AGPM Administrator (Full Control) role, and then click Next. Once assigned, the AGPM Administrator can delegate roles to other GPO administrators.
11. On the Port Configuration page, accept the default port on which the AGPM Service should listen, or type a custom port, and then click Next. Do not clear the Add port exception to firewall check box unless you plan to configure the port exceptions manually.


12. On the Languages page, select the appropriate display languages for your organization to install AGPM Server, and then click Next.
13. On the Ready to Install Microsoft Advanced Group Policy Management Server page, click the Details button to see which prerequisite Windows features are required for AGPM Server, and then in the Details box click OK. Note that if the required Windows features are not already present, they will be installed by the AGPM Server installation. Click Install.
14. On the Completed the Microsoft Advanced Group Policy Management Server Setup Wizard page, click Finish.

Caution: Do not modify settings for the AGPM Service through Administrative Tools and Services in the operating system. Doing so can prevent the AGPM Service from starting. For information on how to modify settings for the service, see Help for Advanced Group Policy Management.

Step 2: Install AGPM Client

Each Group Policy administrator, that is, anyone who will create, edit, review, deploy or delete GPOs, must have the AGPM Client installed on the workstation that is used for managing GPOs. AGPM Client does not need to be installed on end-user workstations if those users do not administer GPOs.

To install AGPM Client on the computer that will be used to administer GPOs:

1. Log on to the computer with an account that is a member of the local Administrators group.
2. Insert the Microsoft Desktop Optimization Pack (MDOP) DVD in the DVD-ROM drive of the computer. If autoplay is enabled, the DVD will start automatically. Otherwise, browse to the DVD using File Explorer or Windows Explorer, open the Launcher directory, and then launch Launcher.hta.
3. On the Microsoft Desktop Optimization Pack for Software Assurance splash screen, select Microsoft Advanced Group Policy Management.
4. On the Microsoft Advanced Group Policy Management page, select the appropriate client to install by selecting Install Client (32-bit) or Install Client (64-bit). The installation wizard will launch.
5. On the Welcome to the Setup Wizard for Microsoft Advanced Group Policy Management Client screen, click Next.
6. On the Microsoft Software License Terms page, read the license, click I accept the license terms, and then click Next.

7. On the Application Path page, accept the default location to install AGPM Client, or type a custom location, and then click Next.
8. On the AGPM Server page, type the DNS name or IP address of the AGPM Server and the port configured when installing the AGPM Server, and then click Next. You should not clear the Allow Microsoft Management Console through the firewall check box unless you plan to manually configure the firewall exceptions.
9. On the Languages page, select the appropriate display languages for your organization to install AGPM Client, and then click Next.
10. On the Ready to Install Microsoft Advanced Group Policy Management Client page, click the Details button to see which prerequisite Windows features are required for AGPM Server, and then in the Details box click OK. Note that if the required Windows features are not already present, they will be installed by the AGPM Client installation. Click Install.
11. On the Completed the Microsoft Advanced Group Policy Management Client Setup Wizard page, click Finish.

Step 3: Configure an AGPM Server Connection

AGPM stores all versions of each controlled Group Policy Object (that is, every GPO for which AGPM provides change control) in a central archive, so that all Group Policy administrators can view or modify GPOs offline without immediately impacting the deployed version of each GPO. The AGPM Server connection ensures that all Group Policy Administrators connect to the same AGPM Server. For information about configuring multiple AGPM Servers, see Help for Advanced Group Policy Management.

To configure an AGPM Server connection for all Group Policy Administrators:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Group Policy Objects container.
4. Right-click any GPO which is applied to all Group Policy Administrators, for example the Default Domain Policy, and then click Edit.
5. In the Group Policy Management Editor window, expand User Configuration, Policies, Administrative Templates, Windows Components, and then click AGPM.

6. In the Details pane, double-click AGPM: Specify default AGPM Server (all domains).
7. In the AGPM: Specify default AGPM Server (all domains) Properties window, select Enabled and type the fully qualified domain name (FQDN) and port of the server hosting the AGPM Archive, for example AGPMServer.contoso.com:4600, and then click OK.
8. Close the Group Policy Management Editor window.

Note: At the next Group Policy refresh, typically 90 minutes on client computers, this policy setting will take effect. Depending on your Active Directory Domain Services design, it could be several hours before the policy setting takes effect on all computers.

Step 4: Configure Email Notification

When an Editor or a Reviewer attempts to create, deploy, or delete a GPO, a request for this action is sent to a designated email address (or addresses) so that an Approver can evaluate the request and either implement or deny the action. An AGPM Administrator (Full Control) can designate the email address (or addresses) of Approvers and AGPM Administrators, and configure the alias from which the emails are sent.

To configure email notification for AGPM:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. In the Details pane, click the Domain Delegation tab.
5. In the From email address field, type the email alias for AGPM from which notifications should be sent.
6. In the To email address field, type the email address (or addresses, separated by commas) of the Approvers who should receive the request for approval. The email address can be that of a user or a distribution list.
7. In the SMTP server field, type the FQDN of a valid SMTP server.

8. In the User name and Password fields, type the credentials of a user with access to the SMTP service and then click Apply.

Note: By default, email messages sent as a result of actions in Advanced Group Policy Management are not encrypted. However, you can configure email security for AGPM using registry settings to specify whether to use Secure Sockets Layer (SSL) encryption and which SMTP port to use. For more information, go to the Secure AGPM section later in this guide.

Step 5: Delegate Access

Set up delegation for your environment so that Group Policy Administrators have the appropriate access to, and control over, GPOs in the archive. There are baseline permissions you can apply to make operations more efficient. You can grant permissions in any manner that meets the needs of your organization. Before you delegate permissions to manage GPOs, here are some points to consider:

- By default, you must be an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have Modify Security permission for the domain.
- To delegate read access to Group Policy Administrators who use AGPM, you must grant List Contents as well as Read Settings permissions. This enables the Group Policy Administrators to view GPOs on the Contents tab of AGPM. Other permissions must be explicitly delegated.
- Editors must be granted Read permission for the deployed copy of a GPO to make full use of Group Policy Software Installation.
- Membership of the Group Policy Creator Owners group should be restricted, so that members do not circumvent AGPM management access to GPOs.

To delegate access to all GPOs throughout the domain:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.

4. On the Domain Delegation tab, click the Add button.
5. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy Administrator to which you wish to assign the Approver role, and then click OK.
6. In the Add Group or User box, in the Role drop-down list, select Approver. This will assign the Approver role to this user or group account. The Approver role includes the Reviewer role.
7. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy Administrator to which you wish to assign the Editor role, and then click OK.
8. In the Add Group or User box, in the Role drop-down list, select Editor. This will assign the Editor role to this user or group account. The Editor role includes the Reviewer role.
9. In the Select User, Computer, or Group dialog box, select the user account of the Group Policy Administrator to which you wish to assign the Reviewer role, and then click OK.
10. In the Add Group or User box, in the Role drop-down list, select Reviewer. This will assign the Reviewer role to this user or group account.

Step 6: Secure AGPM

As you plan the configuration of your AGPM deployment, include the appropriate security decisions that will ensure AGPM stays secure. These decisions include:

- Assigning the appropriate security roles to Group Policy Administrators (those users in your organization whose responsibilities include Group Policy management and administration).
- Securing the service account used by the AGPM service running on each AGPM server.
- Securing the AGPM archive.
- Securing communication between the AGPM clients and the AGPM servers.
- Hardening of computers running AGPM Server.
- Configuring AGPM-only Group Policy Management.

As discussed earlier in this guide, email notifications sent because of actions in AGPM are not encrypted, and are sent through SMTP port 25. However, you can configure email security for AGPM by using the Windows registry, and modifying settings to specify whether to use SSL encryption, and which SMTP port to use. By encrypting AGPM email notifications, you can better protect those emails that could reveal sensitive information about your organization's security. Encrypting email is recommended when the email is being relayed through remote servers, and may be required by some compliance regulations.

Caution: Incorrectly editing the Windows Registry may severely damage your system. Before making any changes to the Windows Registry, make a backup copy of the Windows registry, and back up any data on the computer.

Assign the Appropriate Security Roles to Group Policy Administrators:

AGPM provides comprehensive, easy-to-use, role-based delegation. It includes domain-level permissions that allow you to provide access to all GPOs throughout a domain, and GPO-level delegation that allows you to configure access to specific GPOs. The following table lists the roles in AGPM, with a brief description of each role:

| Role | Description |
|---|---|
| AGPM Administrator (Full Control) | The role has full control of the AGPM environment. An AGPM Administrator can assign any role to other Group Policy Administrators, including assigning the AGPM Administrator role. By default, the Archive owner, specified during AGPM server installation, is assigned this role. |
| Approver | This role approves changes to the GPOs by users who have been assigned the Editor role. This role also has the ability to deploy the GPOs to the production environment. |
| Editor | This role modifies the GPOs. Any modifications made by Group Policy Administrators assigned this role must be approved and deployed by the Group Policy Administrator assigned the Approver role. |
| Reviewer | This role views the GPOs, and reviews the settings in reports. All other roles include this role. |

As a best practice, create Security Groups in Active Directory Domain Services and assign the AGPM roles to the groups. Then add Group Policy Administrators into the appropriate Security Groups. This will reduce the complexity of AGPM administration. Additional recommendations when planning the security roles include:

- Use the principle of least privilege: When planning which AGPM roles or permissions to assign to users or groups, assign the lowest permission set possible required to perform an AGPM task.
- Limit the number of users assigned the AGPM Administrator (Full Control) role: This highly privileged role should only be assigned to a few users.
- Perform regular security audits of AGPM roles: Auditing the roles and the group membership of the groups assigned the roles ensures that only authorized users are assigned the roles. These roles and permissions should be tightly controlled.

The following table lists the permissions assigned:

| Permission | Description |
|---|---|
| Full Control | Includes all other permissions |
| Create GPO | Create GPOs in the domain (this is a domain-wide group) |
| List Contents | Lists the GPOs in the domain |
| Read Settings | Read the GPO settings within a specific GPO |
| Edit Settings | Modify the GPO settings within a specific GPO |
| Delete GPO | Delete a specific GPO |
| Modify Security | Delegate domain-level access, access to a specific GPO, and access to the production environment |
| Deploy GPO | Deploy a GPO from the AGPM archive into the production environment |
| Create Template | Create an AGPM template |
| Modify Options | Configure AGPM email notification and limit the GPO versions stored in the archive |


The following table lists the AGPM Roles, and the permissions assigned to these roles:

| Role | Includes these AGPM Permissions |
|---|---|
| AGPM Administrator (Full Control) | List Contents, Read Settings, Edit Settings, Create GPO, Deploy GPO, Delete GPO, Modify Options, Modify Security, Create Template |
| Approver | List Contents, Read Settings, Create GPO, Deploy GPO, Delete GPO |
| Editor | List Contents, Read Settings, Edit Settings, Create Template |
| Reviewer | List Contents, Read Settings |

AGPM roles and permissions can be assigned at the domain level or to individual GPOs. AGPM roles and permissions assigned at the domain level are automatically inherited by all GPOs in the domain. AGPM roles or permissions assigned to individual GPOs override the domain-level assignments for those GPOs.

To assign domain-level roles and permissions:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Domain Delegation tab and then click Add.
5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to assign an AGPM role, click Check Names, and then click OK.
6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and then click OK.

To assign GPO-level roles and permissions:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Contents tab, select the GPO to which you wish to assign the GPO-level permission, and then click Add.
5. In the Select User, Computer, or Group dialog box, enter the user or group to which you wish to assign an AGPM role, click Check Names, and then click OK.
6. In the Add Group or User box, click the Role drop-down arrow to select the appropriate role, and then click OK.

Secure the AGPM Service Account:

The AGPM service runs on any computer on which the AGPM Server is installed. During the installation process, you must provide an account to be used as the AGPM Service account. The minimum set of permissions required by the account specified as the AGPM service account includes:

- Membership in the Group Policy Creator Owners group in each domain that is managed by AGPM.
- Membership in the Backup Operators group in each domain that is managed by AGPM.
- Full Control permission on the AGPM Server archive folder. This permission is automatically granted if the archive folder resides on the same local hard drive as the AGPM Server. Otherwise, the permission must be manually assigned.
- Full Control permission on the local system Temp folder, typically %windir%\temp.
- Full Control permission on any existing GPOs that will be managed by AGPM.

Additional recommendations on this account include:

- Use strong passwords, increasing the length and complexity of the password.
- Users should never interactively log on using the AGPM Service account. This account should be restricted to only log on as a service. This right can be restricted by using Group Policy by configuring the following settings: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service, and Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally.
- Use fine-grained password policies if your domain is at the Windows Server 2008 domain functional level. For more information on fine-grained password policies, see http://technet.microsoft.com/en-us/library/cc770394.aspx.
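The following script is an added example, not part of this guide, that audits a service account against the requirements and recommendations above: membership in Group Policy Creator Owners and Backup Operators in the current domain, the Log on as a service right, and the Deny log on locally restriction on the local AGPM Server. It assumes the RSAT ActiveDirectory module and secedit.exe are available and uses the hypothetical account name svc-agpm.

```powershell
# Added example (not from the AGPM guide): audit the AGPM service account against
# the minimum group memberships and logon restrictions described in this section.
# Assumptions (hypothetical): account is svc-agpm in the current domain, the script
# runs on the AGPM Server with the RSAT ActiveDirectory module and secedit.exe.
Import-Module ActiveDirectory

function Get-UserRightAssignments {
    # Export the effective local security policy and return a hashtable of
    # user-right constant -> array of principals (SIDs are prefixed with '*').
    $cfg = Join-Path $env:TEMP ("agpm-secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $rights = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim() }
            }
        }
        return $rights
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-AgpmServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'svc-agpm' (hypothetical)
        [string[]] $RequiredGroups = @('Group Policy Creator Owners', 'Backup Operators')
    )
    $user     = Get-ADUser -Identity $SamAccountName
    $sid      = $user.SID.Value
    $findings = @()

    # 1. Group membership AGPM needs in this domain. The guide requires these in
    #    every managed domain; re-run with -Server against each of them.
    $groups = Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
    foreach ($g in $RequiredGroups) {
        if ($groups -notcontains $g) { $findings += "Missing required membership: $g" }
    }

    # 2. Logon rights on this server: must hold 'Log on as a service' and should be
    #    listed under 'Deny log on locally'. Only a direct SID entry is matched here;
    #    a right granted through a group the account belongs to is not detected.
    $rights    = Get-UserRightAssignments
    $asService = @($rights['SeServiceLogonRight'])
    $denyLocal = @($rights['SeDenyInteractiveLogonRight'])
    if ($asService -notcontains "*$sid") {
        $findings += "Account lacks 'Log on as a service' (SeServiceLogonRight)"
    }
    if ($denyLocal -notcontains "*$sid") {
        $findings += "Account is not listed under 'Deny log on locally' (SeDenyInteractiveLogonRight)"
    }

    [pscustomobject]@{
        Account   = $user.SamAccountName
        Groups    = $groups
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Example run with the hypothetical account name; review Findings before go-live.
Test-AgpmServiceAccount -SamAccountName 'svc-agpm' | Format-List
```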
Secure the AGPM Archive:

By default, the AGPM Archive folder is stored on a local hard disk of the AGPM Server. However, it can be stored on any computer other than the AGPM Server. The default installation of AGPM Server allows file system access to the AGPM Service account, SYSTEM, and the local Administrators group on the AGPM Server. The AGPM console allows you to control access to the archive. By default, AGPM Administrator (Full Control) is the only role that has full control of the archive. Recommendations to secure the AGPM archive include:

- Limit the number of users in the local Administrators group on the AGPM Server.
- Periodically audit the permissions of the archive and remove unauthorized permissions.

Securing Communication Between the AGPM Clients and the AGPM Servers:

The AGPM Server communicates with AGPM Clients, Active Directory Domain Services domain controllers, Domain Name System (DNS) servers, and the SMTP server that delivers email notifications. To help prevent unauthorized users from viewing the communication, encrypt all communications among the AGPM Server, AGPM Clients, domain controllers, DNS servers, and the SMTP server. Encrypt AGPM communication by using:

- Internet Protocol Security (IPSec): IPSec encrypts all traffic and is transparent to higher-level protocols.
- Secure SMTP: Secure SMTP only requires a certificate for the encryption, which can come from your organization's public key infrastructure (PKI) or from a public certificate company.
- Configure email security for AGPM: By default, email messages sent as a result of actions in Advanced Group Policy Management are not encrypted. However, you can configure email security for AGPM using registry settings to specify whether to use SSL encryption and which SMTP port to use.

To configure email security for AGPM by using Group Policy Preferences:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Administrator (Full Control) role. This is the user designated as the Archive owner during the installation of AGPM Server.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Group Policy Objects container.
4. Edit a GPO which is applied to all AGPM Servers for which you wish to configure email security, or create a new GPO which will be applied to all AGPM Servers for which you wish to configure email security.
5. In the Group Policy Management Editor window, expand Computer Configuration, Preferences, Windows Settings, Registry.
6. In the Console Tree, right-click Registry, point to New, and then click Collection Item. Name the new Collection Item AGPM Email Security.
7. In the Console Tree, right-click AGPM Email Security, point to New, and then click Registry Item.

8. In the New Registry Properties box, fill in the properties using the values in the following table, and then click OK.

| Field | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\Microsoft\AGPM |
| Value Name | EncryptSmtp |
| Value Type | REG_DWORD |
| Value Data | 1 (to use SSL) or 0 (to send email without encryption) |
| Base | Decimal |

9. In the Console Tree, right-click AGPM Email Security, point to New, and then click Registry Item.
10. In the New Registry Properties box, fill in the properties using the values in the following table, and then click OK.

| Field | Value |
|---|---|
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key Path | SOFTWARE\Microsoft\AGPM |
| Value Name | SmtpPort |
| Value Type | REG_DWORD |
| Value Data | 587 (to use SSL) or 25 (to send email without encryption) |
| Base | Decimal |

11. Close the Group Policy Management Editor window.

Hardening of Computers Running AGPM Server:

The default installation of AGPM Server installs AGPM Server in as secure a configuration as possible. The following table describes the security footprint for the AGPM Server:

Services:
- Service Name: AGPM Service
- Display Name: AGPM Service
- Path to Executable: %programfiles%\Microsoft\AGPM\Server\AGPM.exe
- Startup: Automatic (Delayed Start)
- Logon as: Account specified during installation

Windows Firewall: The AGPM Server installation creates an inbound Windows Firewall rule with the following configuration:
- Name: AGPM Service
- Action: Allow the connection
- Protocol type: TCP
- Local Port: 4600
- Remote Port: All ports
- Local IP Address: Any
- Remote IP Address: Any

File System: The AGPM Server installation process creates folders and files on the local file system. The default installation folder for AGPM is %ProgramFiles%\Microsoft\AGPM. There is a subfolder beneath the AGPM folder for the AGPM Client and the AGPM Server, each with several files. By default, AGPM Administrator is granted rights to this folder during installation, but the AGPM Console can be used to grant and remove permissions.
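The following script is an added example, not part of this guide, that serves two passages above: it sets the EncryptSmtp and SmtpPort registry values from the Group Policy Preferences walk-through with the GroupPolicy module, and then audits a server against the security footprint table (service identity and path, the TCP 4600 firewall rule, and the archive folder ACL). It assumes the RSAT GroupPolicy module and the hypothetical values GPO name AGPM Server Settings, service account CONTOSO\svc-agpm and archive path D:\AGPM\Archive.

```powershell
# Added example (not from the AGPM guide). Assumptions (hypothetical): GPO
# 'AGPM Server Settings' exists and is linked to the AGPM Servers; the archive
# is at D:\AGPM\Archive; the service account is CONTOSO\svc-agpm. Requires the
# RSAT GroupPolicy module for Set-AgpmEmailSecurityPreference.
Import-Module GroupPolicy

function Set-AgpmEmailSecurityPreference {
    # Creates the two Registry preference items from the tables above. The console
    # steps nest them in a collection named 'AGPM Email Security'; this cmdlet puts
    # them directly under Computer Configuration\Preferences\Windows Settings\Registry.
    param([Parameter(Mandatory)] [string] $GpoName)
    $key = 'HKLM\SOFTWARE\Microsoft\AGPM'
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $key -ValueName 'EncryptSmtp' -Type DWord -Value 1 | Out-Null
    Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
        -Key $key -ValueName 'SmtpPort' -Type DWord -Value 587 | Out-Null
}

function Test-AgpmServerBaseline {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,   # 'CONTOSO\svc-agpm' (hypothetical)
        [Parameter(Mandatory)] [string] $ArchivePath,      # 'D:\AGPM\Archive'  (hypothetical)
        [int] $ExpectedPort = 4600
    )
    $findings = @()

    # Email notification security: the registry values applied by the preference items.
    $agpm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AGPM' -ErrorAction SilentlyContinue
    if ($agpm.EncryptSmtp -ne 1) { $findings += 'EncryptSmtp is not 1: notifications are sent unencrypted' }
    if ($agpm.SmtpPort -ne 587)  { $findings += "SmtpPort is $($agpm.SmtpPort), expected 587 for SSL" }

    # Service footprint: name, startup mode, logon identity, executable path.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AGPM Service'"
    if (-not $svc) {
        $findings += "Service 'AGPM Service' not found"
    } else {
        $expectedExe = Join-Path $env:ProgramFiles 'Microsoft\AGPM\Server\AGPM.exe'
        if ($svc.StartName -ne $ServiceAccount) { $findings += "Service runs as $($svc.StartName), expected $ServiceAccount" }
        if ($svc.StartMode -ne 'Auto')          { $findings += "Service start mode is $($svc.StartMode), expected Automatic" }
        if ($svc.PathName.Trim('"') -notlike "$expectedExe*") { $findings += "Unexpected service path: $($svc.PathName)" }
    }

    # Windows Firewall: the installer's rule should be Inbound / Allow / TCP / 4600 only.
    $rule = Get-NetFirewallRule -DisplayName 'AGPM Service' -ErrorAction SilentlyContinue
    if (-not $rule) {
        $findings += "Firewall rule 'AGPM Service' not found"
    } else {
        $port = $rule | Get-NetFirewallPortFilter
        if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow' -or
            $port.Protocol -ne 'TCP' -or "$($port.LocalPort)" -ne "$ExpectedPort") {
            $findings += "Firewall rule 'AGPM Service' deviates from Inbound/Allow/TCP/$ExpectedPort"
        }
    }

    # Archive ACL: only the service account, SYSTEM and local Administrators should
    # hold access. Inherited entries are included, so a permissive parent is reported too.
    $allowed = @($ServiceAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $acl = Get-Acl -Path $ArchivePath
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id) { $findings += "Archive ACL grants $($ace.FileSystemRights) to $id" }
    }

    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Example run (hypothetical values): configure the GPO, then audit this server.
Set-AgpmEmailSecurityPreference -GpoName 'AGPM Server Settings'
Test-AgpmServerBaseline -ServiceAccount 'CONTOSO\svc-agpm' -ArchivePath 'D:\AGPM\Archive' | Format-List
```

The registry check only reflects the preference after the next Group Policy refresh on the server, so run the audit after gpupdate or the refresh interval.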


Other recommendations for hardening the AGPM Server and the AGPM Archive computer (if different) include:

- Dedicate a computer to AGPM Server: This will help reduce the attack surface of the AGPM Server. Installing additional roles, services, and applications on this server which are not required by AGPM increases the attack surface of the computer. If the AGPM Archive is stored on a different computer than the AGPM Server, consider dedicating that computer to only storing the AGPM Archive.
- Physically secure the AGPM Server: If unauthorized users have physical access to the server, they may execute several attacks against the AGPM Server. Some recommended actions to perform to physically secure the AGPM Server include:
  - Place the computer in a locked (or lockable) server rack.
  - Place the computer in a secured data center, or a locked computer closet or wiring closet, depending on your organization's size and layout.
  - Disable the DVD or CD-ROM drive in the computer to prevent installation of unauthorized software.
  - Disable USB ports to prevent connection of removable devices.

- Enable Windows BitLocker Drive Encryption: Encrypting local hard disks on the AGPM Server and AGPM Archive computer prevents unauthorized access to AGPM information in the event that a hard disk or the entire computer is stolen. Windows BitLocker Drive Encryption keys are necessary to start the computer and access the information on the local hard disk.

Configuring AGPM-only Group Policy Management:

After implementing AGPM in the environment, steps should be taken to restrict Group Policy management to only AGPM. This will prevent administrators from utilizing the GPMC to create new or edit existing GPOs. GPMC is a prerequisite of AGPM, so once AGPM is installed Group Policy administration can be handled with either GPMC or AGPM. Because GPMC lacks change control and cannot service GPOs offline, Group Policy administrators should only use AGPM for Group Policy creation, management, and administration. The following tasks can be completed to ensure that AGPM is the only option for Group Policy Management:

1. Restrict GPO creation to AGPM
2. Restrict GPO management to AGPM


Restrict GPO Creation to AGPM

Restricting GPO creation to only AGPM requires modifying the existing Active Directory permissions that give administrators that capability. Administrators can use GPMC to select the Group Policy Objects node, click on the Delegation tab, and modify the permissions to eliminate creation of GPOs from GPMC. AGPM performs all GPO administrative tasks through the AGPM Service account. Ensure that the service account still has sufficient privileges to perform creation when removing or restricting permissions for GPO creation.

Note: A limited number of administrators should still have access to manage Group Policy with GPMC to circumvent the change management process in exception scenarios.

Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be necessary if those groups were used to assign permissions.

Restrict GPO Management to AGPM

In the previous task it is recommended to restrict access for creating GPOs to only the service account. However, since environments already have GPOs in production, restriction of management tasks for existing GPOs must be considered carefully. It is recommended to bring GPOs into AGPM management by making them Controlled GPOs. By default, AGPM changes the permissions within Active Directory using the settings in the Production Delegation tab. As GPOs are controlled by AGPM, the underlying Active Directory permissions are modified with the permissions defined in the Production Delegation tab. Select the Change Control node within the GPMC and the Production Delegation tab to modify what permissions are placed on the GPOs, and restrict them to ensure that management of Controlled GPOs is only allowed from AGPM.

Note: A limited number of administrators should still have access to manage Group Policy with GPMC to circumvent the change management process in exception scenarios.

Note: Modification of the Group Policy Creator Owners and Domain Admins groups may be necessary if those groups were used to assign permissions.


Steps for Managing GPOs


You must complete the following steps to create, edit, review, and deploy GPOs using AGPM. Additionally, follow these next steps to create a template, delete a GPO and restore a GPO.

Step 1: Create a GPO
Step 2: Edit a GPO
Step 3: Review and Deploy a GPO
Step 4: Use a Template to Create a GPO
Step 5: Delete and Restore a GPO

Step 1: Create a GPO:

AGPM divides roles and responsibilities relating to GPO administration. Only those with the Administrator (Full Control) or the Approver role have the ability to create a GPO. An Editor can request the creation of a GPO, and can then edit the settings within the GPO, but an Editor cannot create the GPO. This is because the creation of a GPO impacts the production environment, and therefore must be approved by someone with the Approver role.

To request the creation of a new managed GPO through AGPM:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Right-click the Change Control node and then select New Controlled GPO.
5. Fill in the Submit New Controlled GPO Request box using the values in the following table, and then click Submit:

| Field | Value |
|---|---|
| Cc: | <Your e-mail address>. Fill this in only if you wish to receive a copy of the request. |
| GPO Name | Name you wish to be assigned to the GPO you are requesting to be created. |
| Comment | This field is optional, but should be used to describe what settings will be applied to the GPO. |
| Create in Archive and Production / Create in Archive Only | Click Create in archive and production so that the GPO will be immediately available upon approval. This is the default setting. |
| From GPO Template | If the new Controlled GPO will be created from a template, select the template here. |

To approve the pending request to create the GPO:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Open your email program. You will see an email message from the AGPM alias with the Editor's request to create a GPO.
3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
4. Expand the Console Tree until you can click the Change Control container.
5. Click the Change Control folder and then click the Pending tab.
6. Right-click the pending GPO, and then click Approve.
7. In the Approve Pending Operation dialog box, type an optional comment and then click Yes.
8. In the AGPM Progress box, once the status displays as completed, click Close.

Step 2: Edit a GPO:

Any user with the AGPM Editor or Administrator (Full Control) role can edit a GPO. Before editing a GPO, you must first check out the GPO from the AGPM Archive. Once it has been checked out, you can edit the GPO settings offline, check the GPO back into the Archive, and finally request that the edited GPO be deployed into production.

To check the GPO out from the Archive for editing:

1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to display all of the controlled GPOs.
5. Right-click the GPO you wish to edit and then select Check Out.
6. In the Check Out GPO dialog box, enter an optional Comment to be displayed in the history of the GPO while it is checked out, and then click Check Out.
7. In the AGPM Progress box, once the status displays as completed, click Close.

To edit the GPO offline:

1. On the Controlled tab, notice the State of the GPO is displayed as Checked Out. Right-click the GPO and select Edit.
2. In the Group Policy Management Editor, make the necessary settings changes to the controlled GPO, and then close the Group Policy Management Editor window.

To check the GPO into the Archive:

1. On the Controlled tab, notice the State of the GPO is still displayed as Checked Out. Right-click the GPO and select Check In.
2. In the Check In GPO dialog box, enter an optional Comment, and then click OK.
3. In the AGPM Progress box, once the status displays as completed, click Close. Notice the State of the GPO is now Checked In.

Because the account with the Editor role does not have Approver permissions, you must submit a request for deployment of the GPO.

To request the deployment of the GPO to the production environment:
1. On the Controlled tab, right-click the GPO you wish to have deployed, and then click Deploy.
2. In the Submit Deploy Request dialog box, enter your email address in the Cc: field if you wish to be sent a copy of the request, enter an optional comment, and then click Submit.
3. In the AGPM Progress box, once the status displays as completed, click Close.

Step 3: Review and Deploy a GPO

In the last step, the Group Policy Administrator assigned the Editor role checked out a GPO from the AGPM Archive, edited the GPO, and then checked it back into the AGPM Archive. Now an Approver must review, approve, and deploy the GPO. Before approving the GPO, the Approver should create reports and analyze the settings changes in the GPO to determine whether or not it should be approved and deployed into the production environment. When it gets deployed, it must be linked to an Organizational Unit (OU), the domain, or the Active Directory site, so that it goes into effect immediately after the computers refresh their Group Policies.

To review settings in the GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role. Note: any GPO Administrator assigned the role of Reviewer, Editor, Approver, or Administrator (Full Control) can run this step. For the purposes of this paper, you are using the Approver role, so that the GPO can be deployed in the following steps.
2. Open your email program. You will see an email message from the AGPM alias with the Editor's request to deploy a GPO.
3. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
4. Expand the Console Tree until you can click the Change Control container.
5. Click the Change Control folder and then click the Pending tab.
6. Right-click the pending GPO, and then click History.
7. In the History for GPO Name Request window, right-click the line with the most recent timestamp, click Settings, and then click HTML Report to display a summary of the GPO's settings.
8. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow the ActiveX control to run, and then click the Show All link.
9. When you are done reviewing the settings, close the Internet Explorer window.

To compare the most recent version of the GPO to the first version checked into the archive:
1. In the History for GPO Name Request window, click the line with the most recent timestamp, press CTRL and click the oldest version of the GPO for which the Computer Version is not * (an asterisk), and then click Differences.
2. In the Internet Explorer window, if necessary click the yellow bar at the top of the window to allow the ActiveX control to run, and then click the Show All link.
3. When you are done reviewing the differences (highlighted in green), close the Internet Explorer window.
4. Close the History for GPO Name Request window.

To deploy the GPO to the production environment:
1. On the Pending tab, right-click the pending GPO which you want deployed in the production environment, and then click Approve.
2. In the Approve Pending Operation dialog box, type an optional Comment, and then click Yes.
3. In the AGPM Progress box, once the status displays as completed, click Close.

To link the GPO to the domain or an existing OU:
1. In the Group Policy Management console, right-click the domain or the OU to which you wish to link the GPO, and then select Link an Existing GPO.
2. In the Select GPO dialog box, select the GPO that you wish to link, and then click OK.

Step 4: Use a Template to Create a GPO

A GPO Template is a static, uneditable version of a GPO which is used as a starting point for the creation of other GPOs. Templates are useful for quickly creating multiple GPOs that include many of the same settings. Any GPO Administrator who has been assigned the Editor role or the Administrator (Full Control) role can create a Template.

To create a Template based on an existing GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Editor role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to display all of the controlled GPOs.
5. Right-click the GPO you wish to use as the basis of the Template and then select Save as Template.
6. In the Create New GPO Template dialog box, type a name for the Template and an optional Comment, and then click OK.
7. In the AGPM Progress box, once the status displays as completed, click Close.

Note: In Step 1 of this section, you learned how to create a Managed GPO. Follow those steps to create a new Managed GPO that is created by using this Template. The GPO will be created, but will still need to be checked out of the archive, edited, checked into the archive, approved, and deployed. You can follow Steps 2 and 3 of this section to edit the new GPO, review the differences between the new Managed GPO and the Template, and deploy the GPO into the production environment.

Step 5: Delete and Restore a GPO

When you delete a Managed GPO, you have a choice of deleting the GPO from the archive while leaving the deployed version of the GPO untouched in the production environment, or deleting the GPO from both the archive and the production environment. When you delete a GPO, the GPO is moved into the Recycle Bin in the AGPM console. A Group Policy Administrator with the Approver role or the Administrator role has permission to delete a GPO. Specifically, any Group Policy Administrator with the List Contents and Delete GPO permissions has the ability to delete a controlled GPO.

To delete a GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to display all of the controlled GPOs.
5. Right-click the GPO you wish to delete and then select Delete. In the Delete dialog box, select the appropriate option, enter an optional Comment, and then click OK.
   a. Delete GPO from archive only: Select this option to delete the GPO from the AGPM Archive, but leave the GPO deployed and untouched in the production environment.
   b. Delete GPO from archive and production: Select this option to delete the GPO from the AGPM Archive and from the production environment.
6. In the AGPM Progress box, once the status displays as completed, click Close. The GPO is removed from the Controlled tab and is displayed on the Recycle Bin tab, where it can be restored or destroyed.

You may discover a GPO which has been accidentally deleted, or a GPO which has been deleted at the request of an Editor but is still needed in the production environment. Any Group Policy Administrator with the Approver role or the Administrator (Full Control) role can restore a GPO. Specifically, any Group Policy Administrator with the List Contents and Deploy GPO permissions has the ability to restore a controlled GPO.

To restore a deleted GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Recycle Bin tabs to display all of the deleted controlled GPOs.
5. Right-click the GPO you wish to restore and then select Restore.
6. In the Restore GPO dialog box, type an optional Comment and then click OK.
7. In the AGPM Progress box, once the status displays as completed, click Close. The GPO is removed from the Recycle Bin tab and is displayed on the Controlled tab, where it can be reviewed, edited, approved, and redeployed.


Note: If a GPO was deleted from the production environment, restoring the GPO to the archive does not automatically redeploy the GPO to the production environment.

You may discover a GPO that is causing problems in the production environment. Once you delete the GPO, you may want to ensure that the GPO never gets restored and redeployed to the production environment. Any Group Policy Administrator with the Approver role or the Administrator (Full Control) role can destroy a GPO. Specifically, any Group Policy Administrator with the List Contents and Delete GPO permissions can destroy a GPO.

To destroy a deleted GPO:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Recycle Bin tabs to display all of the deleted controlled GPOs.
5. Right-click the GPO you wish to destroy and then select Destroy.
6. In the Destroy GPO message box, read the warning and then click OK.
7. In the AGPM Progress box, once the status displays as completed, click Close.

Note: If a GPO was deleted from the archive, but remained deployed to the production environment, when you destroy the GPO, the GPO remains in the production environment, but all backups of the GPO, as well as the controlled GPO itself, are destroyed.

After editing and deploying a GPO, you may discover that recent changes to the GPO are causing a problem in the production environment. Deploying an earlier version of the GPO overwrites the version of the GPO currently in production. Any Group Policy Administrator with the Approver role or the Administrator (Full Control) role can roll a GPO back to an earlier version from the GPO history. Specifically, any Group Policy Administrator with the List Contents and Deploy GPO permissions can deploy an earlier version of a controlled GPO.

To roll back a GPO to an earlier version:
1. Log on to the computer with the AGPM Client as the user assigned the AGPM Approver role.
2. Click Start, point to Administrative Tools, and then click Group Policy Management. This will open GPMC.
3. Expand the Console Tree until you can click the Change Control container.
4. Click the Change Control node and then click the Contents and Controlled tabs, if necessary, to display all of the controlled GPOs.
5. Right-click the GPO you wish to roll back and then select History.
6. Right-click the earlier version you wish to deploy, and then click Deploy.
7. In the Deploy GPO dialog box, click Yes.
8. In the AGPM Progress box, once the status displays as completed, click Close.

Note: To verify that the version which has been redeployed matches the version intended, run a differences report for the two versions. In the History window for the GPO, select the two versions by clicking each while pressing the CTRL key, right-click the selection, point to Differences, and then click HTML Report.
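Both the Destroy note above (destroying a GPO removes every copy in the AGPM archive while the production GPO stays in place) and the rollback verification note call for an independent record of the production GPO before and after an AGPM operation. The following PowerShell is an added example, not part of this guide or of AGPM; it uses only the GPMC GroupPolicy module cmdlets (Get-GPO, Backup-GPO, Get-GPOReport), and the snapshot folder, GPO name, and the filtered XML element names are assumptions.

```powershell
# Added example (not from the AGPM guide): keep a GPMC backup and an XML settings report
# of a production GPO outside the AGPM archive, then diff two snapshots after a rollback.
# Assumptions: GroupPolicy module available; caller can read and back up the GPO;
# 'C:\GpoSnapshots' and the GPO name in the usage lines are placeholders.
Import-Module GroupPolicy

function Save-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Root = 'C:\GpoSnapshots'
    )
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dir   = Join-Path $Root "$($gpo.Id)-$stamp"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Full GPMC backup; survives an AGPM Destroy, which removes only the archive copies.
    Backup-GPO -Guid $gpo.Id -Path $dir -Comment "Snapshot before AGPM change ($stamp)" | Out-Null

    # Settings report used for the before/after comparison.
    $report = Join-Path $dir 'settings.xml'
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $report

    [pscustomobject]@{
        Name            = $gpo.DisplayName
        Id              = $gpo.Id
        ComputerVersion = $gpo.Computer.DSVersion   # AD version counter, rises on each deploy
        UserVersion     = $gpo.User.DSVersion
        ReportPath      = $report
    }
}

function Compare-GpoSnapshot {
    param(
        [Parameter(Mandatory)][string]$BeforeReport,
        [Parameter(Mandatory)][string]$AfterReport
    )
    # Line-level diff of the two XML reports. Elements that change on every read or deploy
    # (assumed names: ReadTime, VersionDirectory, VersionSysvol) are filtered out so that
    # only real settings differences remain; '<=' = before only, '=>' = after only.
    Compare-Object (Get-Content $BeforeReport) (Get-Content $AfterReport) |
        Where-Object { $_.InputObject -notmatch '<(ReadTime|VersionDirectory|VersionSysvol)>' } |
        ForEach-Object {
            [pscustomobject]@{ Change = $_.SideIndicator; Line = $_.InputObject.Trim() }
        }
}

# Usage (placeholder GPO name):
#   $before = Save-GpoSnapshot -GpoName 'Contoso Security Baseline'
#   ... perform the AGPM rollback or destroy in GPMC ...
#   $after  = Save-GpoSnapshot -GpoName 'Contoso Security Baseline'
#   Compare-GpoSnapshot -BeforeReport $before.ReportPath -AfterReport $after.ReportPath
```

An empty comparison after a rollback means the production settings did not change, which is a sign that the wrong history entry was deployed; the AGPM differences report in the History window remains the authoritative check.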


Summary
AGPM can help an organization of any size manage GPOs more securely and efficiently than by using only the GPMC. AGPM allows you to delegate Group Policy administration based on roles for the tasks that Group Policy administrators perform. AGPM also allows you to delegate Group Policy administration at the domain level and at the GPO level, so that different administrators can manage different GPOs. In addition, AGPM allows you to control the version of each GPO deployed from the GPO archive to your production environment. This level of control allows you to keep a record of changes to each GPO and to revert a current GPO to a previous version in the event of a problem with a change to a Group Policy setting. With AGPM, you reduce the risks associated with deploying GPOs as well as the ongoing support costs of managing GPOs. This helps your organization focus on managing the mission-critical applications and services in your production environment instead of on GPO change-management processes and security.
