AGPM Part 1: Introduction to Advanced Group Policy Management (a.k.a AGPM) v4
In this series of posts I will show you how to install and use the Advanced Group Policy Management (AGPM) v4 tool, which is part of the Microsoft Desktop Optimisation Pack (MDOP). You qualify to use AGPM (and all the MDOP tools) if you have a subscription advantage (SA) licence agreement with Microsoft. The whole suite of MDOP tools is very handy for any organisation wanting to streamline the management of its desktop SOE fleet. It is my intention that once you have read all these posts you should be familiar enough with AGPM specifically to install and use it in your environment.
Both for your convenience and improved load times I have broken this article into its separate sections. You can jump to the section you want by simply clicking on the links below, or you can click on the link at the bottom of each posting to go to the next article in the series:
What is AGPM?
Advanced Group Policy Management (AGPM) allows organisations to implement change control and versioning for their Active Directory Group Policies. This allows multiple people to edit a Group Policy Object (GPO) without their changes going live the instant the change is made. Any change to a GPO needs to be checked in, deployed then approved before ever making it to production. The product effectively sits between Active Directory (AD) and the Group Policy administrators so that they never need to modify a GPO directly. To prevent AGPM from being circumvented, a proper implementation should include the removal of all edit/modify permissions from all GPOs for everyone except, say, the service account and the built-in Administrator domain account.
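One way to check that lock-down is to list every trustee that can still edit a GPO directly. The script below is an added example, not part of the original post; the service account name `CONTOSO\svc-agpm` and the function name `Get-GpoDirectEditor` are assumptions, so substitute your own account.

```powershell
# Added example: report who can still edit GPOs directly, bypassing AGPM.
# Requires the GroupPolicy module (RSAT / GPMC). Read-only: it changes nothing.
Import-Module GroupPolicy

function Get-GpoDirectEditor {
    param(
        # Assumption: placeholder name for the AGPM service account.
        [string[]]$AllowedAccount = @('CONTOSO\svc-agpm')
    )

    # Resolve the allowed accounts to SIDs so the comparison is not name-based.
    $allowedSids = foreach ($name in $AllowedAccount) {
        ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }

    # Permission levels that let a trustee change a GPO's settings.
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
            # Skip deny entries and read/apply-only entries.
            if ($ace.Denied -or $editLevels -notcontains "$($ace.Permission)") { continue }

            $sid = $ace.Trustee.Sid.Value
            # The built-in domain Administrator account always has RID 500.
            $isBuiltinAdmin = $sid -match '^S-1-5-21-.+-500$'
            if ($isBuiltinAdmin -or $allowedSids -contains $sid) { continue }

            # Anything reaching this point can edit the GPO outside AGPM.
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
                Permission = $ace.Permission
                Sid        = $sid
            }
        }
    }
}

Get-GpoDirectEditor | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

On a domain that has not been locked down yet, default trustees such as Domain Admins will appear in the output. Entries with the `GpoCustom` permission level are not decoded by this script and need a manual look.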
We will now go through a scenario where an administrator (called Alan) installs the AGPM Client and Server. Alan will then delegate Reviewer/Editor access in AGPM to another administrator, John. John will then create a new managed GPO, make a change to it and deploy it for use in production. Alan will then review the GPO and approve the change. Alan will also convert an existing unmanaged GPO to “managed” status so it can be controlled via AGPM.