Advanced Group Policy Management: Introduction

This is the first in a two-part series about the MDOP Advanced Group Policy Manager (AGPM). The Microsoft Desktop Optimization Pack (MDOP) is part of the Software Assurance license and includes a larger set of tools such as App-V, DaRT, and MBAM.

AGPM brings change control and auditing to Group Policy. Administrators who want to modify a GPO must first check it out, then modify it, then check it back in. AGPM records all the changes and the user account that made them. This is all viewable in reports within the system. It also brings version control, giving administrators the ability to roll back a GPO to a previous version. Administrators can also go back in time and compare the current version of the GPO with any previous version, as well as see who changed a particular setting.


The system works by using a service account to make the actual modifications to GPOs. The idea is to add this service account to all GPOs (thus “importing” them into AGPM) and let this account make all of the changes. There is a trust issue here with domain admins: you do not want to remove them from the GPOs in case something happens, so they have to be trusted to go through AGPM to make modifications.
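Because domain admins keep their rights on each GPO, it helps to know exactly who can still edit a GPO without going through AGPM. The following is an added example, not part of the original post or of AGPM itself. It treats edit rights for the service account as a heuristic for "imported", and the account name `CONTOSO\svc-agpm`, the function names and the sample ACLs are all constructed assumptions.

```powershell
# Added example, not AGPM's own code. Names marked "hypothetical" are assumptions.
$AgpmAccount = 'CONTOSO\svc-agpm'   # hypothetical AGPM service account

function Get-GpoBypassRisk {
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        # Objects shaped like Get-GPPermission output:
        # .Trustee.Domain, .Trustee.Name, .Permission
        [Parameter(Mandatory)] [object[]] $Permissions,
        [Parameter(Mandatory)] [string]   $ServiceAccount
    )
    # Permission levels that allow changing GPO settings directly
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $editors = @($Permissions |
        Where-Object { "$($_.Permission)" -in $editRights } |
        ForEach-Object { "$($_.Trustee.Domain)\$($_.Trustee.Name)" })

    [pscustomobject]@{
        Gpo           = $GpoName
        # Heuristic: the service account can edit the GPO, so it was added to it
        Controlled    = $editors -contains $ServiceAccount
        # Everyone else who can still edit outside check-out/check-in
        DirectEditors = @($editors | Where-Object { $_ -ne $ServiceAccount })
    }
}

# Constructed sample ACLs (not from a real domain) so the function runs offline
function New-Ace($Domain, $Name, $Permission) {
    [pscustomobject]@{
        Trustee    = [pscustomobject]@{ Domain = $Domain; Name = $Name }
        Permission = $Permission
    }
}
$sample = @{
    'Workstation Baseline' = @(
        (New-Ace 'CONTOSO' 'svc-agpm' 'GpoEditDeleteModifySecurity'),
        (New-Ace 'CONTOSO' 'Domain Admins' 'GpoEditDeleteModifySecurity'),
        (New-Ace 'NT AUTHORITY' 'Authenticated Users' 'GpoApply'))
    'Legacy Printers' = @(
        (New-Ace 'CONTOSO' 'Domain Admins' 'GpoEditDeleteModifySecurity'),
        (New-Ace 'CONTOSO' 'helpdesk-ops' 'GpoEdit'))
}
foreach ($name in $sample.Keys) {
    Get-GpoBypassRisk -GpoName $name -Permissions $sample[$name] -ServiceAccount $AgpmAccount
}

# On a domain-joined host with the GroupPolicy module, feed it live data instead:
# Get-GPO -All | ForEach-Object { Get-GpoBypassRisk -GpoName $_.DisplayName `
#     -Permissions (Get-GPPermission -Guid $_.Id -All) -ServiceAccount $AgpmAccount }
```

In the sample, "Legacy Printers" comes back as not controlled, and both GPOs list the principals who would have to be trusted to use AGPM rather than edit directly.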

Once the service account is added to your GPOs, all management is done through the AGPM snap-in. Installing the snap-in adds another option, called “Change Control”, to your traditional Group Policy Management console.


To modify a GPO, you first have to check it out. You do this by right-clicking the GPO and selecting “Check Out…”. Now you can right-click again and select “Edit”. From here, you can make your changes as you would have before implementing AGPM. After you make your changes, you can check your GPO back in and provide comments on the changes you made. After checking it in, you must deploy it back to the environment by right-clicking the GPO and selecting “Deploy…”.

AGPM also keeps track of GPO links. It keeps a record of where GPOs are linked, as well as where they were linked in the past. This can help administrators determine why something changed on a box at a particular time.

Finally, AGPM provides a Group Policy “Recycle Bin” where administrators can go and recover deleted GPOs. Administrators can also look at settings reports for a deleted GPO. Only GPOs that are controlled by AGPM are kept in the recycle bin after deletion.


Linking GPOs works the same as it does within a normal Group Policy environment. Administrators link GPOs by right-clicking the OU and linking the GPO there. Normal Active Directory permissions apply. The AGPM service account does not actually do any linking of GPOs. It can keep track of links, but it does not perform the task itself.

Come back next week for a post about installing and configuring AGPM.


