AGPM Configuration and Use

AGPM Provisioning

There are four roles within AGPM:

AGPM Administrator: The AGPM Administrator has full control of AGPM including the AGPM archive.

Reviewer: The Reviewer can only view GPOs; they can also run comparisons between GPOs.

Editor: In addition to the Reviewer permissions, Editors also have the ability to Check In GPOs, Check Out GPOs, Edit GPOs, and request creation of a GPO.

Approver: In addition to Reviewer and Editor capabilities, the Approver can approve GPO creation and GPO deployment.  Approvers can also create GPOs and deploy GPOs of their own creation without approval.

Provisioning Decision Point

There really are two options for provisioning access.  The first is to create Active Directory security groups and grant those groups access to a role within AGPM.  For example, you could create an AGPM Admins group in AD and then provision that group Full Control within AGPM.  Then, to provision access to the AGPM Administrator role, you would simply add users to the AGPM Admins group.  The alternative approach is to provision access directly to users within AGPM.  From a security perspective, I prefer the second method as it reduces the number of users or groups that will have the permissions necessary to provision access to AGPM (with the group approach, anyone who can manage the AD group's membership can effectively grant AGPM access).  In the examples below I will be demonstrating the second technique for granting access, specifically using AGPM to directly provision access to users.

Creating AGPM Administrator

Temporarily add the user account that you would like to make the first AGPM Administrator to the group that is the AGPM Archive Owner.  Remove this user from the group once provisioning of the AGPM Administrator account is complete.

To provision permissions:

  1. Open GPMC.msc
  2. Expand Forest, then Domain, then “Domain Name”. 
  3. Click on Change Control.
  4. In the right-hand pane of AGPM ensure that you have navigated to the Domain Delegation tab.
  5. Click Add…

Enter the name of the user for which you are provisioning access, then click the Check Names button.

Once the name of the user or group has been resolved, click OK.

If you are creating an Administrator, select Full Control as the role.  Otherwise, select Editor, Approver, or Reviewer as appropriate.  Then click OK.

Controlling Existing GPOs

Prior to using AGPM with GPOs that already exist in your environment, you will need to give the AGPM Service Account full control of the existing GPOs.  There is a script that can be used to automate much of the configuration of AGPM.  It is located here: https://gallery.technet.microsoft.com/scriptcenter/AGPM-Quick-Configuration-a7f42d46.  To give the AGPM Service Account permissions to existing GPOs, you can use the following portion of the aforementioned script:

# Get-GPO and Set-GPPermission come from the GroupPolicy module (installed with GPMC), not ActiveDirectory
Import-Module ActiveDirectory
Import-Module GroupPolicy

$agpmserviceaccountname = "svcAGPM"

# Grant the service account "Edit settings, delete, modify security" on every GPO in the domain
Get-GPO -All | ForEach-Object { Set-GPPermission -Guid $_.Id -PermissionLevel GpoEditDeleteModifySecurity -TargetType User -TargetName $agpmserviceaccountname }

Once you have given the AGPM Service Account access to the GPOs, you can put them under Control of AGPM.  Once the GPOs are under the control of AGPM, all group policy management can be done via AGPM.  The following steps can be followed to take control of existing GPOs:

  1. Open GPMC.msc
  2. Expand Forest, then Domain, then “Domain Name”. 
  3. Click on Change Control.
  4. In the right-hand pane of AGPM ensure that you have navigated to the Contents tab.
  5. Then within the Contents Tab, navigate to the Uncontrolled Tab.
  6. Select or Multi-Select GPOs that you want AGPM to Control.
  7. Right-click and then select Control… from the context menu.

You will then be prompted for a comment.  Type an appropriate comment and click OK.

Then you will see the progress of taking control.  When the actions have completed, click Close.

The GPOs will now appear under the Controlled tab.

Implementing Least Privilege

To ensure that the ability to modify GPOs is restricted to those who are provisioned access through AGPM, newly created GPOs must have their permissions restricted.  This is done by restricting the Production Delegation.  Ensure that only the AGPM Service Account and System have the permission Edit settings, delete, modify security.  All other accounts will need to either be removed or have their permissions changed to Read.

To add the AGPM Service Account to the Production Delegation, navigate to the Production Delegation tab and enter the name of the Service Account.  Then click Check Names to validate the account name.  Then click OK.

Then when the Add Group or User dialog box opens, ensure that the Role is configured to Edit Settings, delete, modify security. Then click OK.

For Domain Admins, Enterprise Admins, and any other accounts aside from System and the AGPM Service Account that have Edit settings or Edit settings, delete, modify security, you will need to change the permission to Read.

To change permissions to Read, right-click on the security principal and then select Read from the context menu.

When prompted with Do you want to change the permission on this group or user to Read?, click OK.

Below is a screenshot of the Production Delegation tab after it is locked down.

This locked down configuration will apply to existing GPOs once they are controlled by AGPM.
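The lock-down above is only as good as its verification.  The following is an added example (not from this post or from the AGPM product) that reports every principal other than SYSTEM and the AGPM Service Account that still holds edit rights on any GPO in the domain; the domain name and service account name are assumed placeholders, and it needs the GroupPolicy and ActiveDirectory RSAT modules.

```powershell
# Added audit script (not part of the original post): list GPO edit rights that the
# Production Delegation lock-down should have reduced to Read.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Assumed values; replace with your own domain and AGPM service account
$DomainName         = "corp.example.com"
$ServiceAccountName = "svcAGPM"

# Permission levels that let a principal change a GPO
$EditLevels = @("GpoEdit", "GpoEditDeleteModifySecurity")

function Get-GpoEditRightViolation {
    param(
        [string]$Domain,
        [string]$ServiceAccount
    )
    # Compare on SIDs rather than display names so a renamed or localized account cannot slip through.
    # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM.
    $allowedSids = @("S-1-5-18", (Get-ADUser -Identity $ServiceAccount -Server $Domain).SID.Value)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -Domain $Domain -All) {
            if ($EditLevels -notcontains $perm.Permission.ToString()) { continue }
            if ($allowedSids -contains $perm.Trustee.Sid.Value) { continue }

            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Principal   = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                TrusteeType = $perm.Trustee.TrusteeType
                Permission  = $perm.Permission
            }
        }
    }
}

# An empty result means only SYSTEM and the service account can modify GPOs
$violations = Get-GpoEditRightViolation -Domain $DomainName -ServiceAccount $ServiceAccountName
$violations | Sort-Object Gpo, Principal | Format-Table -AutoSize

# To fix a reported group the same way the GUI step does (Edit -> Read), -Replace is required,
# because Set-GPPermission otherwise only raises a permission level and never lowers it:
#   Set-GPPermission -Name "<GPO name>" -Domain $DomainName -TargetName "Domain Admins" `
#       -TargetType Group -PermissionLevel GpoRead -Replace
```

Run it again after taking existing GPOs under AGPM control, since their ACLs are only brought in line at that point.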

Group Policy Retention

AGPM allows you to control how much of the GPO history is retained.  If you wish to limit how much of that history is retained you can navigate to the AGPM Server tab. Next, Check the option Delete old versions of each GPO from the archive. Retain only the current version and the preceding.  Then enter a number for how many of the preceding GPOs you would like to maintain in the archive and click Apply.

AGPM Client Settings

You can configure which AGPM Server the AGPM Client connects to when you install the AGPM Client.  However, you can also control which AGPM Server the client connects to through Group Policy.  Navigate to \User Configuration\Policies\Administrative Templates\Windows Components\AGPM.

Open the setting AGPM: Specify default AGPM Server (all domains) and set it to Enabled.  For the setting Default AGPM Server for all domains, enter the DNS alias for the AGPM Server and the port number in the format <DNS Alias>:<Port Number>.

Basic Administrative Tasks

AGPM provides several useful tools for getting additional information about GPOs.

History

If you right-click on a GPO you can choose History from the context menu.

You can then view the entire history of the GPO, including Creations, Check Outs, Check Ins and Deployments.

The Unique Versions tab gives a less cluttered view that only displays unique versions of the GPO.

Also, you can right-click on any version of the GPO and have the ability to view Settings, perform Comparisons, Deploy, and more.

Viewing Settings

Within AGPM it is simple to view a settings report.  If you right-click on the GPO, you can select Settings from the context menu.  You then have the option to view:

HTML Report: HTML Report of all settings.  This is the most user-friendly view of the settings.

XML Report: An XML output of the report which may be useful if you somehow wish to convert or manipulate the output of the report.

GPO Links: Lets you view where the GPO is linked.

Below is an example of an HTML report.

Comparing GPOs

One of the more useful features of AGPM is the ability to compare two GPOs. 

To compare two GPOs, multi-select two GPOs.  Right-click and then from the context menu select Differences.  Then you have the option to view an HTML Report or an XML Report.

Below is an example of an HTML Report, highlighting the differences between the two GPOs.

Creating New GPO

The walkthrough below shows how an Editor can send a request to create a new GPO.

The Editor would right-click under Controlled GPOs and select New Controlled GPO… from the context menu.

The Editor would then be prompted to Submit New Controlled GPO Request. The Editor would then fill out the form.  The Editor has the option to Create in archive and production or Create in archive only. Also, the user can create the GPO from a Template. The Editor would click Submit to submit the request to the approver.

The Editor will view the progress of the submission and then click Close when complete.

Below is an example of an email that the approver will receive.

The GPO will then go into the Pending state.

The Approver would then right-click on the GPO and then select Approve… from the context menu.

The approver will then be prompted for a comment, and then choose whether or not to approve the request.

Once the approval is complete the Approver clicks Close.

Editing and Deploying a GPO

An Editor can edit and deploy a GPO as long as the Approver approves the Editor's actions.  Below are the steps required by the Editor and Approver to edit an existing GPO and deploy it to production.

Editing

The Editor would right-click on the GPO they wish to edit and select Check Out… from the context menu.

Then the Editor would add a comment and click OK.

When the Check Out is completed the Editor would click Close.

Then the Editor would right-click on the checked out GPO and select Edit from the context menu.

The Editor can then modify the GPO.  The screenshot below is just an example of an Editor modifying an existing GPO.

Once the Editor has completed the edits, they would then right-click on the GPO and select Check In… from the context menu.

The Editor would then add a comment in the Check in GPO dialog box and click OK.

Finally, when the Check In is complete the Editor would click Close.

To Deploy the GPO, the Editor would then right-click on the GPO and click Deploy…

The Editor would then complete the Submit Deploy GPO form, in part to notify the Approver. Upon completion of the form the Editor would click the Submit button.

Upon completion of the submission, the Editor would click Close.

Approval

Once the Approver receives notification the approver would navigate to the Pending Tab.  The Approver would then right-click on the pending GPO and click Approve… if the approver wishes to approve the GPO.

The Approver would then add a comment to the Approve Pending Operations dialog box, and click Yes.

Upon completion of the approval the Approver would click Close.

Deletion and Recovery of GPOs

AGPM uses a familiar concept called a Recycle Bin.  If a GPO is deleted accidentally, or if a deleted GPO needs to be restored, it can be un-deleted from the Recycle Bin.

Deleting a GPO

To Delete a GPO simply right-click on the GPO and from the context menu click on Delete…

Then decide whether you want to delete the GPO from the archive only or from the archive and production.  Based on your decision select either Delete GPO from archive only or Delete GPO from archive and production.  You would then add a comment and click OK.

You will then be asked Are you sure you want to delete the selected GPO?.  Click OK to complete the deletion.

Recovering a GPO

To recover a deleted GPO, navigate to the Recycle Bin tab.  Right-click on the GPO you wish to restore and choose Restore… from the context menu.

Enter a Comment and click OK to complete the restore.

Once the restore completes, click Close.

I hope this is useful.

-Chris

Advanced Group Policy Management (AGPM) Installation

This article covers the installation of AGPM.  The steps are for an older version of AGPM, but as far as I know they are accurate for current versions, as the product has not changed much.  I will post a blog in the future that covers the configuration of AGPM.

DNS Configuration

The AGPM client will be configured to point to the AGPM Server.  It is best to create a DNS alias for the AGPM Server so that if the server is ever renamed or replaced you will not need to re-configure the clients.

To complete this task right-click on the appropriate DNS Zone.  Select New Alias (CNAME)… from the context menu.

When the New Resource Record dialog box opens, enter the Alias Name, then click Browse… and select the A record to which you want to link the CNAME record.  Then click OK.

AGPM Service Account

Creating the AGPM Service Account

Next you will need to create a service account for the AGPM Service.  Locate the OU in which you would like to create the service account.  Right-click on the OU and from the context menu, select New, and then User.

At a minimum fill out Full Name and User logon name, and then click Next.

Enter and then confirm a password, then configure the appropriate account/password options and then click Next.

Click Finish to complete the creation of the AGPM service account.

Assigning Permission to AGPM Service Account

Group Policy Creator Owners Group

The Group Policy Creator Owners group has permissions to create Group Policies in the domain.  From a security perspective, membership of this group should be restricted.  By default the domain Builtin Administrator account is a member of this group.  You can leave that account in the group assuming you have locked down that account so that users do not have access to it and that it has been secured as outlined in the Best Practices for Securing Active Directory (http://www.microsoft.com/en-us/download/details.aspx?id=38785).

The AGPM Service Account will need to be added to the Group Policy Creator Owners group in each domain that is being managed.

Backup Operators Group

The AGPM Service Account also needs to be added to the Backup Operators group in each domain that is being managed.

Temp Directory Permissions

The AGPM Service Account needs to be given Full Control permissions on the %Windir%\Temp directory on the “AGPM Server”.

Securing the AGPM Service Accounts

Creating Fine-grained Password Policy

Open the Active Directory Administrative Center.  Under the domain in which the AGPM Server is located, navigate and then open the System container.

Locate and then select the Password Settings Container.  In the Tasks pane click on New, then Password Settings.

Fill out the settings that are required to increase the security of the Password Policy.  Configure the Directly Applies To section to include the AGPM Service Account.  Then click OK.

Security Policy

Create a New OU for the AGPM Server(s).  To do this right-click on the appropriate OU.  Then from the context menu select New, then Organizational Unit.

Enter a Name for the new OU, and then click OK.

Open the Group Policy Management Console.  Right-click the new OU and, from the context menu, select Create a GPO in this domain, and Link it here…

Give a name to the GPO, and then click OK.

Right-click on the newly created GPO and select Edit from the context menu.

Navigate to \Computer Configuration\Policies\Windows Settings\User Rights Assignment. 

Open the setting Log on as a service.

Select Define these policy settings, then add the AGPM Service Account and click OK.

Next, locate the setting Deny log on locally and open the setting.

Select Define these policy settings, then add the AGPM Service Account and click OK.

AGPM Archive Owner

The next step is to create a group that will later be used to give users the AGPM Archive Owner permission.  Navigate to the OU or Container in which you would like to create the group.  Right-click on the OU or Container.  Then from the context menu select New, then Group.

Enter a Group name, change the Group scope to Universal.  Then click OK.
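The prerequisite steps above (DNS alias, service account, group memberships, Temp directory permissions, fine-grained password policy, server OU with its GPO, and the Archive Owner group) can also be scripted.  The following is an added example, not from this post; every domain, OU, host and account name in it is an assumed placeholder, it expects the DnsServer, ActiveDirectory and GroupPolicy RSAT modules on the workstation it runs from, and the user-rights settings (Log on as a service, Deny log on locally) are still set in the GPO editor as described.

```powershell
# Added provisioning script (not part of the original post); all names are assumed placeholders
Import-Module DnsServer, ActiveDirectory, GroupPolicy

$Domain    = "corp.example.com"
$DomainDN  = "DC=corp,DC=example,DC=com"
$NetBios   = "CORP"
$DnsHost   = "dc01.$Domain"          # DNS server hosting the zone
$AgpmHost  = "agpmsrv01.$Domain"     # A record of the AGPM server
$AgpmAlias = "agpm"                  # CNAME the clients will be pointed at
$SvcName   = "svcAGPM"
$SvcOU     = "OU=Service Accounts,$DomainDN"
$GroupsOU  = "OU=Groups,$DomainDN"

# DNS Configuration: alias the AGPM server so clients never need re-pointing if the host changes
Add-DnsServerResourceRecordCName -ComputerName $DnsHost -ZoneName $Domain -Name $AgpmAlias -HostNameAlias $AgpmHost

# AGPM Service Account: prompt for the password instead of embedding it in the script
$pwd = Read-Host -AsSecureString -Prompt "Password for $SvcName"
New-ADUser -Name $SvcName -SamAccountName $SvcName -UserPrincipalName "$SvcName@$Domain" -Path $SvcOU `
    -AccountPassword $pwd -Enabled $true -CannotChangePassword $true -PasswordNeverExpires $false

# Group memberships the AGPM service needs in each managed domain
Add-ADGroupMember -Identity "Group Policy Creator Owners" -Members $SvcName
Add-ADGroupMember -Identity "Backup Operators" -Members $SvcName

# Temp Directory Permissions: Full Control on %Windir%\Temp, run on the AGPM server itself
Invoke-Command -ComputerName $AgpmHost -ScriptBlock {
    icacls "$env:windir\Temp" /grant "${using:NetBios}\${using:SvcName}:(OI)(CI)F"
}

# Fine-grained password policy applied directly to the service account (policy values are assumptions)
New-ADFineGrainedPasswordPolicy -Name "AGPM Service Accounts" -Precedence 10 -ComplexityEnabled $true `
    -MinPasswordLength 32 -PasswordHistoryCount 24 -MinPasswordAge "1.00:00:00" -MaxPasswordAge "90.00:00:00" `
    -LockoutThreshold 10 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00" `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "AGPM Service Accounts" -Subjects $SvcName

# Security Policy: OU for the AGPM server(s) plus a linked GPO; the user rights are then set in its editor
New-ADOrganizationalUnit -Name "AGPM Servers" -Path $DomainDN
New-GPO -Name "AGPM Server Security" -Domain $Domain | New-GPLink -Target "OU=AGPM Servers,$DomainDN" -LinkEnabled Yes

# AGPM Archive Owner: universal security group that the server installer will ask for later
New-ADGroup -Name "AGPM Archive Owners" -GroupScope Universal -GroupCategory Security -Path $GroupsOU
```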

AGPM Server Installation

The AGPM installer installs most of the Windows Features that are required by AGPM.  However, some features require access to the installation source files to complete installation.  One such example is .NET Framework 3.5.  So, to prevent any failures in the installation of AGPM, you must install this feature prior to the installation of AGPM.  To do this insert the Windows Server 2012 R2 installation media.  Assuming the installation media is mounted on the D drive, run the following PowerShell command:

# The feature name uses hyphens throughout, and -Source points at the side-by-side store on the media
Install-WindowsFeature -Name WAS-NET-Environment -Source D:\Sources\SxS

Next, insert the installation media for the Microsoft Desktop Optimization Pack.  Assuming the media has been inserted into the D Drive and you are installing AGPM on an x64 platform, navigate to D:\AGPM\AGPM 4.0 SP3.  Double-click on agpm_403_server_amd64.exe.

The Setup Wizard for Microsoft Advanced Group Policy Management – Server will then open.  On the Welcome page, click Next.

If you agree with the terms of the EULA, check Accept the license terms, then click Next.

Choose the location where AGPM will be installed, then click Next.

Next you will choose where to install the AGPM Archive.  Keep in mind that the size of the Archive will grow over time, so ensure the disk where the archive is located has adequate space.  After choosing the Archive Path, click Next.

On the AGPM Service Account page of the wizard, enter the AGPM Service Account.  Then enter and confirm the AGPM Service Account Password.  When complete, click Next.

On the Archive Owner page, enter the group that you previously created for the AGPM Archive Owner.  Then click Next.

On the Port Configuration page, click Next to accept the defaults.

On the Languages page of the wizard, click Next to accept the defaults.  Otherwise de-select the languages you do not want to install and then click Next.

On the Ready to Install… page of the wizard, click Install.

After installation completes, click Finish.

AGPM Client Prerequisites

The AGPM Client requires that the Group Policy Management Console and .NET Framework 3.5 be installed on the client.

GPMC Install

In order to install the Group Policy Management Console, the Remote Server Administration Tools (RSAT) must first be installed.  The RSAT for Windows 8.1 can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=39296.

.NET Framework Install

Search for Programs and Features. Then double-click on Programs and Features in the search results.

In the Programs and Features window, click on Turn Windows features on or off.

In the Windows Features window, select .NET Framework 3.5 (includes .NET 2.0 and 3.0).

Next, click on Download files from Windows Update.

Once installation is complete, click Close.

Installing AGPM Client

Next, insert the installation media for the Microsoft Desktop Optimization Pack.  Assuming the media has been inserted into the D Drive and you are installing AGPM on an x64 platform, navigate to D:\AGPM\AGPM 4.0 SP3.  Double-click on agpm_403_client_amd64.exe.

On the User Account Control dialog box, click Yes.

This will open the Setup Wizard for Microsoft Advanced Group Policy Management – Client.  On the Welcome page, click Next.

If you agree with the terms of the EULA, check Accept the license terms, then click Next.

On the Application Path page of the wizard, choose where the AGPM application will be installed.  Then click Next.

On the AGPM Server page of the wizard enter the DNS Name for the AGPM server that you previously created, then click Next.

On the Languages page of the wizard, click Next to accept the defaults.  Otherwise de-select the languages you do not want to install and then click Next.

On the Ready to Install… page of the wizard, click Install.

After installation completes, click Finish.

Stay tuned for the upcoming blog posting on the configuration of AGPM.

-Chris