Advanced Group Policy Management: Introduction

This is the first in a two-part series about the MDOP Advanced Group Policy Management (AGPM). The Microsoft Desktop Optimization Pack (MDOP) is part of the Software Assurance license and also includes a larger set of tools such as App-V, DaRT and MBAM.

AGPM brings change control and auditing to group policy. Administrators attempting to modify a GPO must first check it out, then modify it, then check it back in. AGPM records all the changes and the user account of the person who made them, and all of this is viewable in reports within the system. It also brings version control, giving administrators the ability to roll back a GPO to a previous version. Administrators can also go back in time and compare the current version of the GPO with any previous version, and see who changed a particular setting.


The system functions by using a service account to actually modify the GPOs. The idea is to add this service account to all GPOs (thus “importing” them into AGPM) and let this account make all of the changes. There is a trust issue here with domain admins: you do not want to remove their rights on the GPOs in case something happens to AGPM, so domain admins still retain the ability to edit GPOs directly. They have to be trusted to go through AGPM to make modifications.
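As an added example (not code from the original post), the following PowerShell uses the GroupPolicy RSAT module to list the GPOs on which the AGPM service account has not been granted edit rights, i.e. GPOs that have not yet been imported into AGPM. The account name svc-agpm is a placeholder, and treating "service account has an edit ACE" as "controlled by AGPM" is an approximation of what the Change Control node shows.

```powershell
# Added example: audit which GPOs grant the AGPM service account edit rights.
# Assumes the GroupPolicy RSAT module is installed and the caller can read GPO ACLs.
Import-Module GroupPolicy

$AgpmAccount = 'svc-agpm'   # placeholder: replace with your AGPM service account

$results = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission writes an error (and returns nothing) when the trustee
    # has no ACE at all on the GPO, so suppress it and treat $null as "no access".
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $AgpmAccount `
                             -TargetType User -ErrorAction SilentlyContinue

    $level = if ($perm) { "$($perm.Permission)" } else { 'None' }

    [pscustomobject]@{
        Name       = $gpo.DisplayName
        Id         = $gpo.Id
        Permission = $level
        # Approximation: a GPO counts as AGPM-controlled only if the service
        # account can edit it (GpoEdit or GpoEditDeleteModifySecurity).
        Controlled = $level -in @('GpoEdit', 'GpoEditDeleteModifySecurity')
    }
}

# GPOs that can still only be changed outside AGPM's check-out/check-in workflow
$results |
    Where-Object { -not $_.Controlled } |
    Sort-Object Name |
    Format-Table Name, Id, Permission -AutoSize
```

Any GPO listed here is one whose changes AGPM cannot record or roll back until it is imported.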

Once the service account is added to your GPOs, all management is done through the AGPM snap-in. Installing this snap-in adds another node, called “Change Control”, to your traditional Group Policy Management Console.


To modify a GPO, you have to first check it out. You do this by right-clicking the GPO and selecting “Check Out…”. Now you can right-click again and select “Edit”. From here, you can make your changes as you would before implementing AGPM. After you make your changes, you can check your GPO back in and provide comments on the changes you made. After checking it in, you must deploy it back to the environment by right-clicking the GPO and selecting “Deploy…”.

AGPM also keeps track of GPO links. It keeps a record of where GPOs are linked, as well as where they were previously linked. This can help administrators determine why something changed on a box at a particular time.

Finally, AGPM provides a group policy “Recycle Bin” where administrators can go and recover deleted GPOs. Administrators can also look at settings reports for the deleted GPO. Only GPOs that are controlled by AGPM are kept in the recycle bin after deletion.


Linking GPOs works the same as it does within a normal group policy environment. Administrators link GPOs by right-clicking the OU and linking the GPO there. Normal Active Directory permissions apply. The AGPM service account does not actually do any linking of GPOs. It can keep track of links, but it does not perform the task itself.

Come back next week for a post about installing and configuring AGPM.
