AGPM Installation

Advanced Group Policy Management: Installation

This is part two of a series about AGPM. The first part introduced you to AGPM and how it generally functions. In this part, I will go through the installation of AGPM.

First, you must have MDOP. I would also recommend installing AGPM on Windows Server 2012 R2. AGPM follows your domain functional level, so the OS version is not as important. The current version of AGPM is 4.0 SP2, which will handle group policy objects for Windows 8.1 and Server 2012 R2. This is important, as earlier versions will not support new group policy settings.


You download MDOP from your Microsoft Volume License portal. After you have it downloaded, copy the AGPM setup files from the media to your server. You should also enable the Group Policy Management console on that server.

Next, you need to create a service account in your AD. This service account will run the AGPM service on the server, and it must also be added to every controlled group policy object. After you create your service account, run the AGPM server installation. You will be asked for your service account in two places. You can use the same account for the service account and the archive account. I also suggest placing the archive on another drive.

The archive is essentially a copy of all controlled GPOs. As I stated in last week’s article, administrators must check out a GPO, modify it, check it back in, and deploy it. All of the checking out, modifying, and checking in is done against this archive copy. When the GPO is deployed, the archive copy replaces the production copy. It is vital that once a GPO is controlled, it is only modified from AGPM. Domain admins will still have the ability to modify the GPO outside of AGPM. If they do this and the GPO is later modified from AGPM, all changes made by domain admins will be wiped away. The way around this is to import the GPO. If you right-click on it from the AGPM snap-in, there’s an option to import the GPO. This brings a copy of the production GPO back over to AGPM.


After installation is complete, AGPM is basically ready to go. Now you need to go through and “control” your GPOs. You do this by adding the AGPM service account to all of your GPOs. Unfortunately, there isn’t a quick, easy way to do this. You have to go one by one and add the account. It also gives you a good opportunity to clean up permissions and remove anyone who has delegated access directly on the GPO. After the service account is added, go to the “Change Control” node of Group Policy Management, then click the “Uncontrolled” tab. You can mass-select GPOs here, right-click, and select “Control”. This adds them to AGPM, and they will show up under the “Controlled” tab. Now you can begin managing GPOs from here.
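The permission step above can also be scripted from the Group Policy Management console’s PowerShell module, which goes a little beyond the click-through method in the text: it grants the service account the “Edit settings, delete, modify security” level on every GPO and reports any other directly delegated trustees that are worth reviewing before the GPO is controlled. This is an added example, not code from the original post; the service account name is a placeholder, and the list of expected trustees is an assumption you should adjust for your domain.

```powershell
# Added example (not from the original post): bulk-grant the AGPM service
# account on every GPO and report other directly delegated trustees.
# Assumptions: the GroupPolicy module (installed with the GPMC feature) is
# present, and the account name below is a placeholder for your own.
Import-Module GroupPolicy

$ServiceAccount = 'svc-agpm'   # placeholder: replace with your AGPM service account (sAMAccountName)

# Trustees that normally appear on every GPO and need no review (assumption;
# adjust to match the defaults in your domain).
$Expected = @(
    'Domain Admins', 'Enterprise Admins', 'Authenticated Users',
    'ENTERPRISE DOMAIN CONTROLLERS', 'SYSTEM', $ServiceAccount
)

function Get-DelegatedTrustee {
    # Lists trustees on a GPO outside the expected set, so stray direct
    # delegations can be cleaned up before the GPO is placed under control.
    param([Parameter(Mandatory)] $Gpo)
    Get-GPPermission -Guid $Gpo.Id -All |
        Where-Object { $Expected -notcontains $_.Trustee.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $Gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}

$report = foreach ($gpo in Get-GPO -All) {
    # AGPM needs "Edit settings, delete, modify security" on each controlled GPO.
    # Without -Replace, an existing higher permission level is left as is.
    Set-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    Get-DelegatedTrustee -Gpo $gpo
}

# Anything listed here is a direct delegation to review or remove before
# controlling the GPO, since AGPM will be the only intended edit path.
$report | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Run it from an account that already has modify-security rights on the GPOs (a domain admin), and review the report before controlling the GPOs from the “Uncontrolled” tab.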

Finally, AGPM can create group policies. If you right-click in the “Controlled” section and select “New Controlled GPO”, it will create a new one. To have it create it in both AGPM (labeled as “Archive”) and production, select the “Create in archive and production” option. For this to work, the AGPM service account must have GPO creator rights. The easiest way to do this is to add the service account to the “Group Policy Creator Owners” group in AD.

I hope this helps in your installation and configuration of AGPM.
