Manage Group Policy with Microsoft Advanced Group Policy Management (AGPM) 4.0
Jeremy Moskowitz, Group Policy MVP
Chief Propeller-Head
GPanswers.com
@jeremymoskowitz
WCL308
(While you’re sitting there, sign up for the GPanswers.com Tip of the Week (scan the tag, fill out the little form) and enter to win a copy of my (Jeremy’s) book!)
AGPM: A Play in Three (plus 1) Acts
Act 0: The built-in delegation model, and definition of the problem
Act I: Why you care, architecture and installation
Act II: You’re an island (i.e.: get to know the features)
Act III: You are not alone. Work with “other” admins
Life Without AGPM
- No “Are you sure?”
  - Not when creating a GPO
  - Not when editing a GPO
  - Not when linking a GPO
- No “awesome” granular management
- No way to “roll back” if problems are detected
- No history of changes to GPOs
Demo: Built-in Delegation Model
Life with AGPM (…or “Why you should care”)
- Check-out / Check-in workflow management
- Version control (i.e.: rollback)
- Difference reporting and history
- Role-based delegation
- Offline editing
- Extra bonus: “Templates”
The General Philosophy
1. Create new GPOs offline (possible to create them online too)
2. Newly created GPOs are “controlled” (can also control “existing” GPOs)
3. Check out the GPO (it can’t be edited by anyone else)
4. Edit the GPO (it’s still offline, remember?)
5. Check in the GPO (others could now edit it, but it’s still not live)
6. Review the changes
7. Approve the changes
8. Deploy the GPO
What about existing GPOs?
No problem. Like “wild horses” they need to be “controlled.” Find the original GPOs in the “Uncontrolled” tab, then right-click over all of them and select “Control.”
Demo: Quick AGPM Control and Creation Demo
Architecture
- AGPM Service: runs on a DC or member server; acts as a “proxy” to the live GPOs
- AGPM “client”: runs on your (i.e.: Mr. and Ms. Admin’s) management stations, not on your client systems (i.e.: the boss, or the worker-bee)
- Big need: AGPM 4.0 requires Windows Server 2008 R2 (server) and Windows 7 (clients)
- Neat fact: AGPM is built upon the GPMC APIs
Server Installation – Not hard. Some tips:
- Service account: the “broker” for all actions. LocalSystem for DCs; a Domain Admin account if not on a Domain Controller
- Archive owner: an NT account or a single group. Suggestion: an AGPM-OWNERS group
Client Installation – Not hard. Some tips:
- Open up firewall port 4600. Use Group Policy to do it globally for your admins
- Common mistake #1: Not installing the client on all your management stations
- Common mistake #2: Installing it anywhere except your management stations (and maybe your DCs, if you use them for admin)
Demo: AGPM Installation Demo
Right after loading the server – Don’t panic!
- Clicking in AGPM = this
- But you still have direct edit rights on GPOs you own
- Use the AGPM-OWNER account to grant rights to admins
Act II: General Features
“Go with the flow”…
- Controlling of uncontrolled GPOs
- Creating new controlled GPOs (live and offline)
- Check-out of a GPO
- Offline edit of a checked-out GPO
- See reports of a checked-out GPO
- Check-in a GPO
- Deploy a checked-in GPO
History, Differences and Rollback
- History report on any (controlled) GPO over time
- Differences between ANY GPO and anything else: a live GPO, a controlled GPO, an old history item
- Can choose a history item and deploy it (to recover)
Demo: AGPM Features Demo
Act III: Working with others
Roles
- Full Control: Whatever they want. Can affect the live environment. Assigns who gets other roles. Default account set at installation time
- Reviewer: “Read only” copy of the GPO (and its history)
- Approver: Ability to make GPOs go “live.” Think “Approver / Reviewer”, because you also get Reviewer permissions
- Editor: “Requests stuff.” Makes offline changes; requests changes for the live environment
- Special Permissions: Some blend (see next page)
Roles vs. Permissions
- Roles are really wrapped-up “permissions”
- Basics listed here
- More in the downloadable eChapter
The story at Company.com
Three admins, with different levels of ability:
- Eddie: Branch Office Admin. New-ish to GPOs.
- Regis: The IT Manager. Knows enough about GPOs to be dangerous. If there’s a problem, it’s his butt on the line.
- April: IT Goddess. Knows the company inside and out. Really knows Group Policy too.
Reviewing Roles
- Full Control (AGPM-OWNER): Whatever they want. Can affect the live environment. Assigns who gets other roles. Default account set at installation time
- Editor (Eddie): Requests new GPOs. Makes offline changes. Requests live deploy
- Approver (April): Ability to make GPOs go “live.”
- Reviewer (Regis): “Read only” copy of the GPO (and history)
AGPM is all about Workflow via Email
- If you use Exchange: must make Exchange talk “SMTP”
- Else, use a 3rd-party SMTP tool
- Everyone gets emailed during “requests”
When do Requests occur?
- Requests occur upon: Control / Creation, Deploy, Delete, Restore
- Approvers get: emails, and a “Pending” tab item
- Approver must: Accept or Reject
- Requester can: Withdraw the request (the email doesn’t magically get recalled!)
A decent story
- Eddie: Requests a live GPO. Doesn’t get it.
- April: Approves his offline GPO request.
- Eddie: Edits the GPO. Checks it in. Requests deployment by selecting “Deploy.” (He can’t deploy.)
- Regis: Reviews the GPO. Comments.
- April: Approves or rejects the deployment.
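The workflow above (check out, edit offline, check in, request, review, approve, deploy, roll back from history) and the Company.com roles, as an added Python model that is not part of the deck and not AGPM's own API: it encodes only the rules the slides state, and the user names and the GPO setting used are constructed.

```python
# Toy model of the AGPM check-out / check-in / request / deploy workflow (constructed illustration, not AGPM's real API).
from dataclasses import dataclass, field
from typing import Optional

FULL_CONTROL, APPROVER, EDITOR, REVIEWER = "FullControl", "Approver", "Editor", "Reviewer"
# The Company.com cast from the deck; the AGPM-OWNER account holds Full Control.
ROLES = {"agpm-owner": FULL_CONTROL, "april": APPROVER, "eddie": EDITOR, "regis": REVIEWER}

@dataclass
class ControlledGPO:
    live: dict = field(default_factory=dict)       # settings in production
    draft: dict = field(default_factory=dict)      # offline copy in the archive
    checked_out_by: Optional[str] = None           # lock holder, if any
    pending_deploy: Optional[str] = None           # who requested deployment
    history: list = field(default_factory=list)    # earlier live versions

    def _need(self, user: str, *roles: str) -> None:
        if ROLES[user] not in roles + (FULL_CONTROL,):   # Full Control does anything
            raise PermissionError(f"{user} ({ROLES[user]}) may not do this")

    def check_out(self, user: str) -> None:
        self._need(user, EDITOR)
        if self.checked_out_by not in (None, user):
            raise RuntimeError(f"checked out by {self.checked_out_by}")
        self.checked_out_by = user                 # nobody else can edit now

    def edit(self, user: str, **settings) -> None:
        if self.checked_out_by != user:
            raise RuntimeError("editing requires your own check-out")
        self.draft.update(settings)                # live is untouched

    def check_in(self, user: str) -> None:
        if self.checked_out_by != user:
            raise RuntimeError("not checked out by you")
        self.checked_out_by = None                 # others may edit; still not live

    def request_deploy(self, user: str) -> None:
        self._need(user, EDITOR)
        self.pending_deploy = user                 # an Editor can only ask

    def diff(self, user: str) -> dict:
        self._need(user, REVIEWER, EDITOR, APPROVER)
        return {k: (self.live.get(k), self.draft.get(k)) for k in self.live.keys() | self.draft.keys()
                if self.live.get(k) != self.draft.get(k)}

    def deploy(self, user: str, version: Optional[int] = None) -> None:
        self._need(user, APPROVER)                 # approve the draft, or roll back
        self.history.append(dict(self.live))       # keep the old live version
        self.live = dict(self.draft if version is None else self.history[version])
        self.pending_deploy = None
```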
Demo: AGPM Workflow Demo
Bonus: AGPM Templates
Any controlled GPO can be a template
Then create new live / offline GPO from template
Misc Stuff: Recycling + Deleting GPOs
Misc Stuff: Searching on GPOs
Advanced Stuff: Auto-delete versions
Keep X copies in the archive
Advanced Stuff: Permissions on a GPO itself
Advanced Stuff: Production Delegation
Advanced Stuff: “Import / Production” aka “Catching up”
Catch up / import from production when… AGPM goes offline and you know you made a “live edit.”
Advanced Stuff: “Importing / File”
- Backup and Import between domains scenario
- Overwrites the archive GPO
Advanced Stuff: “Importing File”
Alternate way to do the same thing, but with new GPOs
Parting Thoughts…
- AGPM is not hard to deploy
- Have a big “group hug”
- Biggest issue: not having everyone on board.
Everyone who scans will get emailed the PDF chapter from my book!
Instantly lock down your OS and applications’ settings using Group Policy. Fully AGPM compatible! …and AppV compatible!
Group Policy Tips! Live Training. Online Training.
Related Content
WCL376-HOL | Managing a Domain Environment More Effectively
WCL311 | Solving Common IT Pro Pain Points with the Microsoft Desktop Optimization Pack (MDOP)
Find Me Later At… “Secret GPanswers.com Tweet-Up” @jeremymoskowitz
Track Resources
Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward.
You can also find the latest information about our products at the following links:
Windows Azure - http://www.microsoft.com/windowsazure/
Microsoft System Center - http://www.microsoft.com/systemcenter/
Microsoft Forefront - http://www.microsoft.com/forefront/
Windows Server - http://www.microsoft.com/windowsserver/
Cloud Power - http://www.microsoft.com/cloud/
Private Cloud - http://www.microsoft.com/privatecloud/
Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
- Connect. Share. Discuss.: http://northamerica.msteched.com
Complete an evaluation on CommNet and enter to win!
Scan the Tag to evaluate this session now on myTech•Ed Mobile