Mastering Group Policy Management with Advanced Group Policy Management (AGPM) 3.0
Advanced Group Policy Management (AGPM) extends the Group Policy Management Console (GPMC) with change control and management features for your Group Policy environment. This guide walks through installing and configuring AGPM 3.0, then using it to manage Group Policy objects (GPOs).
Installing and Configuring AGPM
Step 1: Install AGPM Server
To get started, install the AGPM Server on a member server or domain controller that will host the AGPM Service. The AGPM Service is a Windows service that manages all AGPM operations and carries them out with the service account’s credentials. The archive managed by the AGPM Server can be hosted on that server or on another server in the same forest.
- Log on with an account that is a member of the Domain Admins group.
- Start the Microsoft Desktop Optimization Pack CD and select Advanced Group Policy Management - Server.
- Follow the on-screen instructions, including selecting the installation path, archive path, service account, and initial AGPM Administrator.
- Complete the installation and exit the Setup Wizard.
Step 2: Install AGPM Client
Each Group Policy administrator who creates, edits, deploys, reviews, or deletes GPOs must have the AGPM Client installed on their management computers. This allows them to connect to the AGPM Server and perform their respective roles.
- Start the Microsoft Desktop Optimization Pack CD and select Advanced Group Policy Management - Client.
- Follow the on-screen instructions, including specifying the fully-qualified AGPM Server name and port.
- Complete the installation and exit the Setup Wizard.
Step 3: Configure an AGPM Server Connection
AGPM stores all versions of each controlled Group Policy object (GPO) in a central archive, enabling administrators to view and modify GPOs offline. In this step, you’ll configure the AGPM Server connection to ensure all administrators connect to the same server.
- Log on with the AGPM Administrator (Full Control) account.
- Open the Group Policy Management Console and edit a GPO applied to all Group Policy administrators.
- In the Group Policy Management Editor, configure the ‘AGPM: Specify default AGPM Server (all domains)’ policy, specifying the AGPM Server’s fully-qualified name and port.
Step 4: Configure Email Notification
As an AGPM Administrator, you’ll designate the email addresses of Approvers and other AGPM Administrators to receive notifications when Editors request changes to GPOs.
- In the Group Policy Management Console, select the Domain Delegation tab.
- Configure the ‘From email address’, ‘To email address’, SMTP server, and authentication credentials.
Step 5: Delegate Access
The final step in configuring AGPM is to delegate access to GPOs, assigning the appropriate roles (AGPM Administrator, Approver, Editor, Reviewer) to the relevant user accounts.
- On the Domain Delegation tab, use the ‘Add’ button to assign roles to the necessary user accounts.
- Ensure the ‘Link GPOs’ permission is assigned to the AGPM Administrator, Approver, and (optionally) Editor roles.
Managing GPOs with AGPM
Now that AGPM is installed and configured, let’s explore the key steps for managing GPOs using this advanced tool.
Step 1: Create a GPO
In an AGPM environment, Editors can request the creation of new GPOs, but the request must be approved by an Approver before the GPO is created.
- As an Editor, request the creation of a new GPO named ‘MyGPO’.
- As an Approver, review the request and approve the creation of the new GPO.
Step 2: Edit a GPO
Editors can check out GPOs from the archive, make changes offline, and check the GPO back in. In this step, you’ll configure a setting to require a minimum password length of 8 characters.
- As an Editor, check out ‘MyGPO’ from the archive.
- Edit the GPO offline, configuring the minimum password length.
- Check the GPO back into the archive and request deployment.
Step 3: Review and Deploy a GPO
Approvers can review the settings and changes in a GPO, then deploy it to the production environment.
- As an Approver, review the settings and changes in the latest version of ‘MyGPO’.
- Approve the deployment of ‘MyGPO’ to the production environment.
- Link the deployed GPO to the appropriate domain or OU.
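One way to confirm after deployment that the production copy of ‘MyGPO’ carries the minimum password length set in Step 2 and is linked where intended. This is an added example, not part of the original guide: the helper name Test-GpoPasswordLength and the sample report are constructed here, and the XML layout is assumed to match what the GroupPolicy module's Get-GPOReport cmdlet produces with -ReportType Xml.

```powershell
# Added example. The report below is a constructed, trimmed sample, not real output.
# On a management computer with GPMC installed, load the live report instead:
#   [xml]$report = Get-GPOReport -Name 'MyGPO' -ReportType Xml
[xml]$report = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>MyGPO</Name>
  <Computer>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
        <q1:Account>
          <q1:Name>MinimumPasswordLength</q1:Name>
          <q1:SettingNumber>8</q1:SettingNumber>
        </q1:Account>
      </Extension>
    </ExtensionData>
  </Computer>
  <LinksTo>
    <SOMPath>example.test</SOMPath>
    <Enabled>true</Enabled>
  </LinksTo>
</GPO>
'@

# Hypothetical helper: compares the deployed value with the approved one.
function Test-GpoPasswordLength {
    param(
        [Parameter(Mandatory = $true)] [xml] $Report,
        [int] $Expected = 8
    )
    # Namespace prefixes (q1, q2, ...) vary between reports, so match local names.
    $xpath = "//*[local-name()='Account'][*[local-name()='Name']='MinimumPasswordLength']" +
             "/*[local-name()='SettingNumber']"
    $setting = $Report.SelectSingleNode($xpath)
    $actual = if ($setting) { [int]$setting.InnerText } else { $null }

    # Only enabled links apply the GPO; collect the containers it is linked to.
    $links = @($Report.SelectNodes("/*/*[local-name()='LinksTo'][*[local-name()='Enabled']='true']") |
        ForEach-Object { $_.SelectSingleNode("*[local-name()='SOMPath']").InnerText })

    New-Object PSObject -Property @{
        Gpo        = $Report.SelectSingleNode("/*/*[local-name()='Name']").InnerText
        Configured = $actual
        Expected   = $Expected
        Matches    = ($actual -eq $Expected)
        LinkedTo   = $links -join ', '
    }
}
Test-GpoPasswordLength -Report $report -Expected 8 | Format-List
```

Password-length settings affect domain accounts only when the GPO is linked at the domain level, so check the LinkedTo value against the link made in the last step.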
Step 4: Use a Template to Create a GPO
AGPM allows Editors to create templates, which are static versions of GPOs that can be used as a starting point for creating new GPOs.
- As an Editor, create a template ‘MyTemplate’ based on ‘MyGPO’.
- Request the creation of a new GPO ‘MyOtherGPO’ using the ‘MyTemplate’ template.
- As an Approver, approve the creation of ‘MyOtherGPO’.
Step 5: Delete and Restore a GPO
Approvers can delete GPOs, and later restore them if needed.
- As an Approver, delete ‘MyGPO’.
- On the Recycle Bin tab, restore the deleted ‘MyGPO’.
AGPM provides a powerful set of features to help you effectively manage your Group Policy environment. By following these step-by-step instructions, you’ll be well on your way to mastering advanced Group Policy management with AGPM 3.0.
For more information, refer to the original guide: Step-by-Step Guide for Microsoft Advanced Group Policy Management 3.0.