For a lot of people, myself included, GPO configuration and validation take time... too much time.

Sometimes, despite all possible checks, something is missed; other times a GPO gets corrupted and nobody knows why... (Murphy's law n°42: the more critical a GPO is, the less it works properly.)

Usually you restore it (by the way, when did you last back up your 1,500 domain GPOs?), and if it still doesn't work, you settle in for a long night to understand why and fix it. That was before...

1- Installing AGPM

The install process is really simple: one server component and one client component (always two there are, no more, no less). The server-side component can be installed on a DC (don't even think about it) or on a member server. There is no schema upgrade, no partition modification, nothing... In fact, it is not far from a Winamp install.

In fact, you just need to give a domain account that will become the application service account, and another one that will become the AGPM administrator (aka archive owner). It does not have to be a domain admin.
Install time: 3 minutes. 3 minutes and 5 seconds if you decide to change the default port (4600).

The client-side component must be installed on a Vista OS (no XP allowed) or on an administration server, which can be Windows Server 2003 or 2008. The installation wizard just asks for the server's name and port. It then integrates AGPM into GPMC, so there is no other MMC to use than your favourite one. You will find the AGPM functions in a new node named Change Control.

2- Linking GPOs to AGPM

The base function of AGPM is offline GPO editing, without the need to clone production into a pre-production environment. In AGPM, offline mode is called "controlled". A controlled GPO is one whose policy can be modified and validated with no impact on production (as if you had removed the GPO link from every OU). Everything is done very simply: in Change Control, go to the Uncontrolled tab, select the GPO(s) you want to manage with AGPM (for example: all GPOs), then right-click and choose Control. They now appear in the Controlled tab.

Now that your favourite GPOs are under AGPM control, let's take a look at the delegation choices. Until now, to delegate specific rights on a GPO, you used a wizard (boooh!) or GPMC's Delegation tab (ahhhhhh! ^_^).
The first thing to do is a good CTRL-Z on every group authorized to manage the GPO: keep only System and any GPO filtering groups (the ones that only need read/apply).
=> Don't forget that from now on it is the service account specified at installation that does the work "on behalf" of you. You simply can't edit a GPO directly anymore, as you removed your own rights to do so... but at least you won't break anything anymore :)
Just a small problem: I did not find a way (read: integrated into the tool) to do that step automatically on my 1,500 GPOs...
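The cleanup step above (strip edit rights from every group, keep System and the filtering groups) can at least be inventoried and scripted outside AGPM. The following is an added example, not code from the article or from AGPM: it uses the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 / Windows 7 or later) to list every trustee holding an edit-level permission on every GPO in the domain, and optionally remove it. The `-Keep` list, the sample account name `svc-agpm` and the `$env:USERDNSDOMAIN` default are assumptions for this example; run the report first, then the removal with `-WhatIf`, before doing it for real.

```powershell
# Added example (not from the original article, not part of AGPM).
# Requires the GroupPolicy module and an account that still has edit rights on the GPOs.
Import-Module GroupPolicy

function Get-GpoEditors {
    # Returns one object per (GPO, trustee) where the trustee holds GpoEdit or
    # GpoEditDeleteModifySecurity. SYSTEM (S-1-5-18) and the names in -Keep are never
    # reported; read/apply-only trustees (filtering groups) are never reported either.
    # -Keep is an assumption of this example: put the AGPM service account there once
    # the GPO is controlled, plus anything you deliberately want to leave in place.
    param(
        [string[]]$Keep = @(),
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            if ($p.Denied) { continue }                                  # a deny ACE is not a grant
            if ($editLevels -notcontains "$($p.Permission)") { continue } # read/apply only: keep
            if ($p.Trustee.Sid.Value -eq 'S-1-5-18') { continue }        # SYSTEM stays
            if ($Keep -contains $p.Trustee.Name) { continue }
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = "$($p.Trustee.Domain)\$($p.Trustee.Name)"
                TrusteeName = $p.Trustee.Name
                TrusteeType = "$($p.Trustee.TrusteeType)"
                Permission  = "$($p.Permission)"
            }
        }
    }
}

function Remove-GpoEditors {
    # Removes the edit permission from every trustee returned by Get-GpoEditors.
    # Supports -WhatIf / -Confirm so the change can be rehearsed on 1,500 GPOs first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Keep = @(),
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($e in Get-GpoEditors -Keep $Keep -Domain $Domain) {
        # Set-GPPermission only accepts User, Group or Computer as target type;
        # well-known and universal groups are passed as Group (assumption of this example).
        $targetType = switch ($e.TrusteeType) {
            'User'     { 'User' }
            'Computer' { 'Computer' }
            default    { 'Group' }
        }
        if ($PSCmdlet.ShouldProcess("$($e.Gpo) : $($e.Trustee)", "Remove $($e.Permission)")) {
            try {
                Set-GPPermission -Guid $e.GpoId -Domain $Domain -TargetName $e.TrusteeName `
                    -TargetType $targetType -PermissionLevel None -Replace | Out-Null
            } catch {
                Write-Warning "Could not update '$($e.Gpo)' for $($e.Trustee): $_"
            }
        }
    }
}

# Usage (svc-agpm is a sample service account name, an assumption of this example):
#   Get-GpoEditors -Keep 'svc-agpm' | Format-Table Gpo, Trustee, Permission -AutoSize
#   Remove-GpoEditors -Keep 'svc-agpm' -WhatIf
#   Remove-GpoEditors -Keep 'svc-agpm' -Confirm:$false
```

Note that this strips Domain Admins and Enterprise Admins too, which is exactly what the step asks for: after that, the only path to edit a controlled GPO is through AGPM and its service account, so make sure the service account and the archive owner are in place before running the removal.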
Now that your GPMC doesn't work anymore, you have to give the rights, sorry, the "role-based accesses", to the right groups. To be allowed to act on controlled GPOs, an account or administration group must be added to the domain Delegation tab (domain-wide) or to the equivalent option on a specific GPO. There are 4 roles:

  • Full Control: do I really have to explain that one?
  • Reviewer: read-only access to the AGPM functions (view the archive and its reports)
  • Editor: edit and modify a GPO in offline mode
  • Approver: approve and validate a GPO so that it can return to production.

3- Modifying and auditing policy changes

Another cool AGPM feature is its ability to list EVERY change that occurred to a controlled GPO. There is nothing to configure, enable, disable, summon or whatever...
For each GPO change, the audit system records the modified parameters, when they changed, the user account used, and the original values before the change...

Well, that's great, but at this point you still don't have any right (even with the archive owner account) to edit your favourite GPO. Of course, that is by design, as the GPO is in production mode.
First, select the desired policy, right-click it and choose Check Out. The audit process starts recording events, and you now have the rights (if you're at least Editor) to modify what you want.
After having modified the policy, it is still offline; to put the modified copy back into the archive, right-click and Check In (that does not mean it is in production already!).

Note: if an account has checked out a GPO, it's locked for the rest of the universe (except for the archive owner, who can check it back in). No other account will be able to modify it.

4- Validating and deploying GPOs

OK, you just checked in a GPO and ran a gpupdate /force, but nothing happens, so what? In fact the policy still isn't in production; you now have to deploy it. To do so, right-click the GPO and choose Deploy.
If you have Full Control, life is beautiful and the GPO is published. But imagine you don't, as you are only an Editor: the GPO is no longer in the Controlled tab and is lazing in the Pending one, waiting for an Approver to validate it. An Approver account will be able to read it, export it or compare it with the one in production... if it passes, he can right-click, then Approve, and voilà: the GPO is now fully validated and in production. You can now run your gpupdate /force and hopefully every parameter will work as you wanted.
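The "nothing happens after gpupdate" symptom has a simple explanation: Check In only updates the archive, so the production GPO's version number did not move, and the Group Policy client only re-reads a GPO whose version changed. The following is an added example, not code from the article or from AGPM, that makes the check explicit with the GroupPolicy PowerShell module: capture the production version numbers before clicking Deploy, then confirm after Approve that the AD version moved and that AD and SYSVOL agree (a mismatch is the classic sign of replication lag or of the "corrupted GPO" from the introduction). `$env:USERDNSDOMAIN` as default domain and the `-Server` parameter are assumptions of this example.

```powershell
# Added example (not from the original article, not part of AGPM).
# The Deploy / Approve step itself is done in the AGPM GUI; this only observes production.
Import-Module GroupPolicy

function Get-GpoVersionState {
    # Snapshot of the production GPO's version counters, as stored in AD (DSVersion)
    # and on the SYSVOL share (SysvolVersion), for both halves of the policy.
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Server                         # optional: query one specific DC
    )
    $args = @{ Name = $Name; Domain = $Domain }
    if ($Server) { $args['Server'] = $Server }
    $g = Get-GPO @args
    [pscustomobject]@{
        Name           = $g.DisplayName
        Id             = $g.Id
        Modified       = $g.ModificationTime
        ComputerDS     = $g.Computer.DSVersion
        ComputerSysvol = $g.Computer.SysvolVersion
        UserDS         = $g.User.DSVersion
        UserSysvol     = $g.User.SysvolVersion
    }
}

function Test-GpoDeployed {
    # $Before is the object captured with Get-GpoVersionState before Deploy.
    # Returns a verdict object: Deployed = a version counter moved in AD;
    # Consistent = AD and SYSVOL counters agree (false means replication lag or damage).
    param(
        [Parameter(Mandatory = $true)]$Before,
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Server
    )
    $after = Get-GpoVersionState -Name $Before.Name -Domain $Domain -Server $Server
    $deployed   = ($after.ComputerDS -gt $Before.ComputerDS) -or ($after.UserDS -gt $Before.UserDS)
    $consistent = ($after.ComputerDS -eq $after.ComputerSysvol) -and ($after.UserDS -eq $after.UserSysvol)
    $verdict = if (-not $deployed) {
        'Production unchanged: the GPO was checked in but not deployed/approved yet (or the archived copy had no setting change).'
    } elseif (-not $consistent) {
        'Deployed, but AD and SYSVOL versions differ: wait for AD/SYSVOL replication, then re-check; if it persists the GPO is damaged.'
    } else {
        'Deployed and consistent: gpupdate on a client will now pick up the new version.'
    }
    [pscustomobject]@{
        Name       = $after.Name
        Before     = "C=$($Before.ComputerDS)/$($Before.ComputerSysvol) U=$($Before.UserDS)/$($Before.UserSysvol)"
        After      = "C=$($after.ComputerDS)/$($after.ComputerSysvol) U=$($after.UserDS)/$($after.UserSysvol)"
        Deployed   = $deployed
        Consistent = $consistent
        Verdict    = $verdict
    }
}

# Usage ('Workstation Baseline' is a sample GPO name, an assumption of this example):
#   $before = Get-GpoVersionState -Name 'Workstation Baseline'
#   ... Check Out / edit / Check In / Deploy / Approve in AGPM ...
#   Test-GpoDeployed -Before $before | Format-List
```

On the client side, `gpresult /r /scope:computer` lists the "Applied Group Policy Objects"; if the GPO is listed but the new setting is absent, the version check above tells you whether the client is still reading the old version from a lagging DC.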

5- Reporting and comparing GPOs

Another great AGPM feature is the history of GPO changes. In the Controlled tab, double-click the GPO to analyse. Its change history appears and you can check the differences between the current version and one of its old versions. The differences are colour-coded:

  • Blue: changed parameters
  • Red: deleted parameters
  • Green: new parameters

6- Disaster recovery

The essential AGPM feature! Until now, you scheduled your backups (or you really believe in miracles!) as "every day at 02:00 AM". But what about a GPO you didn't have time to back up, or a GPO that was already corrupt when you backed it up? As AGPM records every change, it is now possible to select a specific policy version (N-1, N-2, ...) and restore it, directly into production. Yes, you're saved :)

7- Conclusion

As you have already understood, AGPM is clearly the must-have GPMC add-on. A lot of other features aren't described in this article, from automatic e-mail notifications to GPO template creation; the list is too long to enumerate here.

Anyway, you can believe me when I tell you to test that product as soon as you can; it's probably the best free gift Microsoft has offered in a long time. The only limit is that Software Assurance agreement, but I'm sure your boss will finally accept to subscribe ;)