Advanced Group Policy Management: Installation
This is part two of a series about AGPM. The first part introduced AGPM and how it works in general. In this part, I will go through the installation of AGPM.
First, you must have MDOP (the Microsoft Desktop Optimization Pack), which is the package AGPM ships in. I would also recommend installing AGPM on Windows Server 2012 R2, although AGPM follows your domain functional level, so the OS version of the AGPM server itself is not as important. The current version of AGPM is 4.0 SP2, which handles group policy objects for Windows 8.1 and Windows Server 2012 R2. This matters, because earlier versions do not support the newer group policy settings.
You download MDOP from your Microsoft Volume Licensing portal. After you have it downloaded, copy the AGPM setup files from the media to your server. You should also install the Group Policy Management Console (GPMC) on that server, since the AGPM client is a snap-in extension of it.
Next, create a service account in AD. This account runs the AGPM service on the server and is also granted full control of every controlled GPO. After you create the service account, run the AGPM server installation. You will be asked for an account in two places: the service account and the archive owner. You can use the same account for both. I also suggest placing the archive on another drive.
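The preparation steps above (GPMC on the server, a dedicated AD service account) can be scripted rather than clicked through. The following PowerShell is an added example and not code from the original article; it assumes the domain is corp.example.com, the account name svc-agpm and the target OU shown in the script. Run it on the future AGPM server as a Domain Admin before starting the AGPM installer.

```powershell
# Added example, not from the original article. Assumed values: domain
# corp.example.com, service account svc-agpm, OU "Service Accounts".
# Run on the server that will host AGPM, as a Domain Admin.

# GPMC (which the AGPM client extends) and the AD PowerShell module
Install-WindowsFeature -Name GPMC, RSAT-AD-PowerShell | Out-Null
Import-Module ActiveDirectory

$svcName = 'svc-agpm'
$domain  = 'corp.example.com'
$ou      = 'OU=Service Accounts,DC=corp,DC=example,DC=com'   # assumed OU

# Prompt for the password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt "Password for $svcName"

# The same account is used later as AGPM service account and archive owner.
# PasswordNeverExpires avoids the service silently stopping on expiry; if your
# policy forbids it, rotate the password in AD *and* on the AGPM service together.
New-ADUser -Name $svcName `
    -SamAccountName $svcName `
    -UserPrincipalName "$svcName@$domain" `
    -Path $ou `
    -AccountPassword $password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'AGPM service and archive owner account'

# Verify both pieces are in place before running the AGPM server setup.
Get-WindowsFeature -Name GPMC | Select-Object Name, InstallState
Get-ADUser -Identity $svcName -Properties Description | Select-Object SamAccountName, Enabled, Description
```

Keep this account out of every admin group for now; the rights it needs on GPOs are delegated explicitly in the next step, and nothing else should ever log on with it.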
The archive is essentially a copy of all controlled GPOs. As I stated in last week's article, administrators must check out a GPO, modify it, check it back in, and deploy it. All of the checking out, modifying, and checking in is done against this archive copy. When the GPO is deployed, the archive copy replaces the production copy. It is vital that once a GPO is controlled, it is only modified from AGPM. Domain admins still have the ability to modify the GPO outside of AGPM; AGPM does not take that right away. If they do, and the GPO is later deployed from AGPM, every change they made in production is wiped away. The way around this is to import the GPO from production: if you right-click on it in the AGPM snap-in, there is an option to import it, which brings a copy of the production GPO back into the archive. Do this before checking out any GPO you suspect has been edited out-of-band.
After installation is complete, AGPM is basically ready to go. Now you need to "control" your GPOs. You do this by granting the AGPM service account full control on each of your GPOs. Unfortunately, the AGPM snap-in has no bulk option for this: in the GUI you have to go one by one and add the account (the GroupPolicy PowerShell module can script it). It is also a good opportunity to clean up permissions and remove anyone who has delegated edit access directly on the GPO, because those delegations bypass AGPM's change control. After the service account is added, go to the "Change Control" node of Group Policy Management, then click the "Uncontrolled" tab. You can mass-select GPOs here, right-click, and select "Control". This adds them to AGPM and they show up under the "Controlled" tab. Now you are ready to manage GPOs through here.
Finally, AGPM can create group policies. If you right-click in the "Controlled" section and select "New Controlled GPO", it creates a new one. To have it create the GPO in both AGPM (labeled as "Archive") and production, select the "Create in archive and production" option. For this to work, the AGPM service account must have rights to create GPOs. The easiest way to do this is to add the service account to the "Group Policy Creator Owners" group in AD.
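The two delegation steps above (full control on every existing GPO so it can be controlled, and GPO creation rights for "Create in archive and production") can be done in one pass with the GroupPolicy and ActiveDirectory modules, which also lets you list the stray direct delegations worth removing. This is an added example, not code from the original article; it assumes the service account is svc-agpm in corp.example.com and that the built-in principals listed are the only ones you expect to keep edit rights.

```powershell
# Added example, not from the original article. Assumed values: service
# account svc-agpm, domain corp.example.com. Run as a Domain Admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$svc    = 'svc-agpm'
$domain = 'corp.example.com'

# 1. Grant the AGPM service account edit/delete/modify-security on every GPO.
#    This is what "Control" in the snap-in requires on each GPO.
Set-GPPermission -All -TargetName $svc -TargetType User `
    -PermissionLevel GpoEditDeleteModifySecurity -Domain $domain | Out-Null

# 2. List everyone else who still holds direct edit rights on a GPO.
#    Each entry can change the GPO without going through AGPM check-in/out,
#    so remove it or move that person to an AGPM role instead.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', $svc)
$strays = Get-GPO -All -Domain $domain | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All -Domain $domain |
        Where-Object {
            $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
            $_.Trustee.Name -notin $expected
        } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}
$strays | Format-Table -AutoSize

# Removing a stray delegation from one GPO (PermissionLevel None strips the ACE):
# Set-GPPermission -Name 'Default Domain Policy' -TargetName 'jdoe' -TargetType User -PermissionLevel None -Domain $domain

# 3. Let the service account create GPOs in production, which
#    "Create in archive and production" needs.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $svc

# 4. Spot-check one GPO: the service account should now show as
#    GpoEditDeleteModifySecurity.
Get-GPPermission -Name 'Default Domain Policy' -TargetName $svc -TargetType User -Domain $domain
```

Review the table from step 2 before removing anything; the exclusion list only hides the principals you expect, so a delegated group you rely on will appear there and needs a deliberate decision, not an automatic strip.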
I hope this helps in your installation and configuration of AGPM.