AGPM Configuration and Use

AGPM Provisioning

There are four roles within AGPM:

AGPM Administrator: The AGPM Administrator has full control of AGPM, including the AGPM archive.

Reviewer: The Reviewer can only view GPOs and run comparisons between GPOs.

Editor: In addition to the Reviewer permission, Editors also have the ability to Check In GPOs, Check Out GPOs, Edit GPOs, and request creation of a GPO.

Approver: In addition to the Reviewer and Editor capabilities, the Approver can approve GPO creation and GPO deployment.  Approvers can also create GPOs and deploy GPOs of their own creation without approval.

Provisioning Decision Point

There really are two options for provisioning access.  The first is to create Active Directory security groups and grant those groups access to a role within AGPM.  For example, you could create an AGPM Admins group in AD and then provision that group Full Control within AGPM.  Then, to provision access to the AGPM Administrator role, you would simply add users to the AGPM Admins group. The alternative approach is to provision access directly to users within AGPM.  From a security perspective, I prefer the second method as it reduces the number of users or groups that will have the permissions necessary to provision access to AGPM. In the examples below I will be demonstrating the second technique for granting access, specifically using AGPM to directly provision access to users.

Creating AGPM Administrator

Temporarily add the user account that you would like to make the first AGPM Administrator to the group that is the AGPM Archive Owner.  You will need to remove this user from that group once provisioning of the AGPM Administrator account is complete.

To provision permissions:

  1. Open GPMC.msc
  2. Expand Forest, then Domain, then “Domain Name”. 
  3. Click on Change Control.
  4. In the right-hand pane of AGPM ensure that you have navigated to the Domain Delegation tab.
  5. Click Add…

Enter the name of the user for which you are provisioning access, then click the Check Names button.

Once the name of the user or group has been resolved, click OK.

If creating an Administrator, select Full Control as the role.  Otherwise, select Editor, Approver, or Reviewer as appropriate. Then click OK.

Controlling Existing GPOs

Prior to using AGPM with GPOs that already exist in your environment, you will need to give the AGPM Service Account full control of the existing GPOs.  There is a script that can be used to automate much of the configuration of AGPM.  It is located here:  To give the AGPM Service Account permissions to existing GPOs, you can use the following portion of the aforementioned script:

import-module activedirectory
import-module grouppolicy
# The AGPM Service Account in DOMAIN\user form; the value below is a placeholder, replace it with your own
$agpmserviceaccountname = "DOMAIN\svc_agpm"
# Grant the service account Edit settings, delete, modify security on every existing GPO
# (Set-GPPermission is named Set-GPPermissions in the Windows Server 2008 R2 GroupPolicy module)
get-gpo -all | foreach { Set-GPPermission -Guid $_.Id -PermissionLevel GpoEditDeleteModifySecurity -TargetType User -TargetName $agpmserviceaccountname }

Once you have given the AGPM Service Account access to the GPOs, you can put them under the control of AGPM.  Once the GPOs are under the control of AGPM, all group policy management can be done via AGPM.  The following steps can be followed to take control of existing GPOs:

  1. Open GPMC.msc
  2. Expand Forest, then Domain, then “Domain Name”. 
  3. Click on Change Control.
  4. In the right-hand pane of AGPM ensure that you have navigated to the Contents tab.
  5. Then within the Contents Tab, navigate to the Uncontrolled Tab.
  6. Select or Multi-Select GPOs that you want AGPM to Control.
  7. Right-click and then select Control… from the context menu.

You will then be prompted for a comment.  Type an appropriate comment and click OK.

Then you will see the progress of taking control.  When the actions have completed, click Close.

You will now see the GPOs listed under the Controlled tab.

Implementing Least Privilege

To ensure that the ability to modify GPOs is restricted to those who are provisioned access through AGPM, newly created GPOs must have their permissions restricted. This is done by restricting the Production Delegation. Ensure that only the AGPM Service Account and System have the permission Edit settings, delete, modify security. All other accounts will need to either be removed or have their permissions changed to Read.

To add the AGPM Service Account to the Production Delegation, navigate to the Production Delegation tab and enter the name of the Service Account.  Then click Check Names to validate the account name.  Then click OK.

When the Add Group or User dialog box opens, ensure that the Role is set to Edit settings, delete, modify security. Then click OK.

For Domain Admins, Enterprise Admins and any other accounts aside from System and the AGPM Service Account that have Edit settings or Edit settings, delete, modify security, you will need to change the permission to Read.

To change permissions to Read, right-click on the security principal and then select Read from the context menu.

When prompted with Do you want to change the permission on this group or user to Read?, click OK.

Below is a screenshot of the Production Delegation tab after it is locked down.

This locked down configuration will apply to existing GPOs once they are controlled by AGPM.
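As an added example, not from the original post or from the AGPM script it references, the following PowerShell audits every GPO for the state the Production Delegation lock-down is meant to enforce: any principal other than SYSTEM or the AGPM Service Account that still holds Edit settings or Edit settings, delete, modify security is reported, and optionally downgraded to Read. It assumes the RSAT GroupPolicy module; the $ServiceAccount default is a placeholder.

```powershell
# Added audit script (not part of the original post). Assumes the RSAT GroupPolicy
# module. Save as a .ps1; $ServiceAccount is a placeholder, in NetBIOS DOMAIN\user form.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_agpm',   # placeholder, replace with your own
    [switch]$Remediate                              # also downgrade offenders to Read
)
Import-Module GroupPolicy

# Permission levels that allow a principal to change a GPO
$editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
# Only these two should keep edit rights after the Production Delegation lock-down
$allowed    = @('NT AUTHORITY\SYSTEM', $ServiceAccount.ToUpper())

foreach ($gpo in Get-GPO -All) {
    # -All returns every trustee on the GPO, not just the inheritable ones
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        if ($editLevels -notcontains [string]$ace.Permission) { continue }
        $principal = ('{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name).ToUpper()
        if ($allowed -contains $principal) { continue }

        # One finding per GPO/principal, so output can be piped to Format-Table or Export-Csv
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Principal  = $principal
            Permission = [string]$ace.Permission
        }

        if ($Remediate) {
            # Same change the GUI makes when you pick Read on the Production Delegation tab
            $type = switch ([string]$ace.Trustee.SidType) {
                'User'     { 'User' }
                'Computer' { 'Computer' }
                default    { 'Group' }
            }
            Set-GPPermission -Guid $gpo.Id -TargetName $principal -TargetType $type `
                -PermissionLevel GpoRead -Replace | Out-Null
        }
    }
}
```

Run it without -Remediate first and review the findings; Domain Admins and Enterprise Admins will appear on any GPO that was created outside AGPM and never locked down.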

Group Policy Retention

AGPM allows you to control how much of the GPO history is retained.  If you wish to limit how much of that history is retained, navigate to the AGPM Server tab. Next, check the option Delete old versions of each GPO from the archive. Retain only the current version and the preceding.  Then enter the number of preceding versions you would like to keep in the archive and click Apply.

AGPM Client Settings

You can configure which AGPM Server the AGPM Client connects to when you install the AGPM Client.  However, you can also control which AGPM Server the client connects to via Group Policy. Navigate to \User Configuration\Policies\Administrative Templates\Windows Components\AGPM.

Open the setting AGPM: Specify default AGPM Server (all domains). Change the configuration to Enabled.  For the setting Default AGPM Server for all domains, enter the DNS alias for the AGPM Server and the port number in the format <DNS Alias>:<Port Number>.

Basic Administrative Tasks

AGPM provides several useful tools for getting additional information about GPOs.

If you right-click on a GPO, you can choose History from the context menu.

You can then view the entire history of the GPO, including Creations, Check Outs, Check Ins and Deployments.

On the Unique Version tab you get a less cluttered view that only displays the unique versions of the GPO.

Also, you can right-click on any version of the GPO to view its Settings, perform Comparisons, Deploy it, and more.

Viewing Settings

Within AGPM it is simple to view a settings report.  If you right-click on the GPO, you can select Settings from the context menu.  You then have the option to view:

HTML Report: An HTML report of all settings.  This is the most user-friendly view of the settings.

XML Report: An XML output of the report, which is useful if you wish to convert or otherwise manipulate the output of the report.

GPO Links: Lets you view where the GPO is linked.

Below is an example of an HTML report.

Comparing GPOs

One of the more useful features of AGPM is the ability to compare two GPOs.

To compare two GPOs, multi-select the two GPOs.  Right-click and then from the context menu select Differences.  You then have the option to view an HTML Report or an XML Report.

Below is an example of an HTML Report, highlighting the differences between the two GPOs.

Creating New GPO

The walkthrough below shows how an Editor can send a request to create a new GPO.

The Editor would right-click under Controlled GPOs and select New Controlled GPO… from the context menu.

The Editor would then be prompted to Submit New Controlled GPO Request. The Editor would then fill out the form.  The Editor has the option to Create in archive and production or Create in archive only. Also, the user can create the GPO from a Template. The Editor would click Submit to submit the request to the approver.

The Editor will view the progress of the submission and then click Close when complete.

Below is an example of an email that the approver will receive.

The GPO will then go into the Pending state.

The Approver would then right-click on the GPO and then select Approve… from the context menu.

The approver will then be prompted for a comment, and then choose whether or not to approve the request.

Once the approval is complete the Approver clicks Close.

Editing and Deploying a GPO

An Editor can edit and deploy a GPO as long as the Approver approves the Editor's actions.  Below are the steps required by the Editor and Approver to edit an existing GPO and deploy it to production.

The Editor would right-click on the GPO they wish to edit and select Check Out… from the context menu.

Then the Editor would add a comment and Click OK.

When the Check Out is completed the Editor would click Close.

Then the Editor would right-click on the checked out GPO and select Edit from the context menu.

The Editor can then modify the GPO.  The screenshot below is just an example of an Editor modifying an existing GPO.

Once the Editor has completed the edits, they would then right-click on the GPO and select Check In… from the context menu.

The Editor would then add a comment in the Check in GPO dialog box and click OK.

Finally, when the Check In is complete the Editor would click Close.

To Deploy the GPO, the Editor would then right-click on the GPO and click Deploy…

The Editor would then complete the Submit Deploy GPO form, in part to notify the Approver. Upon completion of the form the Editor would click the Submit button.

Upon completion of the submission, the Editor would click Close.

Once the Approver receives the notification, the Approver would navigate to the Pending tab.  The Approver would then right-click on the pending GPO and click Approve… if the Approver wishes to approve the GPO.

The Approver would then add a comment to the Approve Pending Operations dialog box, and click Yes.

Upon completion of the approval the Approver would click Close.

Deletion and Recovery of GPOs

AGPM uses a familiar concept called a Recycle Bin.  If a GPO is deleted accidentally, or if a deleted GPO needs to be restored, it can be undeleted from the Recycle Bin.

Deleting a GPO

To Delete a GPO simply right-click on the GPO and from the context menu click on Delete…

Then decide whether you want to delete the GPO from the archive only, or from the archive and production.  Based on your decision select either Delete GPO from archive only or Delete GPO from archive and production.  You would then add a comment and click OK.

You will then be asked Are you sure you want to delete the selected GPO?.  Click OK to complete the deletion.

Recovering a GPO

To recover a deleted GPO, navigate to the Recycle Bin tab.  Right-click on the GPO you wish to restore and choose Restore… from the context menu.

Enter a Comment and click OK to complete the restore.

Once the restore completes, click Close.

I hope this is useful.