HOW TO INSTALL AGPM (ADVANCED GROUP POLICY MANAGEMENT)

v4.0 SP3 ON WINDOWS SERVER 2019 DOMAIN CONTROLLER

In this post, I will show you how to install and configure AGPM on Windows Server 2019 which is my

domain controller.

Configuration Flow - AGPM

AGPM Explained in detail: The Process

Supported Configuration & Pre Requisites:

First create these Groups and User account. To keep everything in order, I have created OU and inside

the OU created Groups and Users

Now it is time to mount MDOP 2015 ISO file and run AGPM Server installer.

Now we will perform AGPM Client install. Please note it is installed on the same server (DC).

Now open GPMC. As you can see Change Control which is part of AGPM configuration shows up and

here we have various other tabs to take care. So, the install of AGPM Server and Client is successful.

Contents:

Since this is a brand-new install, we don’t have any GPO’s under Controlled. There are few GPO’s in

Uncontrolled. I am going to transfer these to Controlled as detailed below.

Now, if you look at Controlled GPO’s we have these

Domain Delegation:

I have updated email address (From, To) and Exchange Server information. So when new GPO’s are

created, these users will get new email for Approval, Review and Authorize the GPO’s for deployment.

Under Domain Delegation you can add users or groups individually and give appropriate permission.

Below is just an example,

GPO Version Limits:

By default, AGPM will save each and every version you create of every controlled GPO in the AGPM

archive. This can add up to a lot of GPO versions over time, which not only consumes disk space but also

can make it harder to filter/search for GPO versions because of unwanted results being returned. It's

therefore a good idea to limit how many versions of each controlled GPO can be stored in your archive.

Creating a New Controlled GPO:

The various permissions within AGPM are listed below. So, the user within the AGPM Security group can

only perform task that are assigned. It is a great way of controlling GPO deployment within large

environment spread out geographically.

Product Delegation:

Here you don’t have to do anything. Just for reference only.

POWERSHELL COMMANDS: get-command –module grouppolicy

get-command –module grouppolicy | get-help

Backup-GPO Backs GPO

Copy-GPO Copies a GPO.

Get-GPInheritance Retrieves GPO inheritance

Get-GPO Gets one GPO or all GPOs

Get-GPOReport Generates a report in either XML or HTML

Get-GPPermissions Gets the permission level for security principals

Get-GPPrefRegistryValue Retrieves one or more registry preference

Get-GPRegistryValue Retrieves one or more registry-based policy settings

Get-GPResultantSetOfPolicy Outputs the Resultant Set of Policy (RSoP) information

Get-GPStarterGPO Gets one Starter GPO or all Starter GPOs in a domain. Import-GPO Imports the Group Policy settings from a backed-up GPO New-GPLink Links a GPO to a site, domain, or OU.

New-GPO Creates a new GPO.

New-GPStarterGPO Creates a new Starter GPO.

Remove-GPLink Removes a GPO link from a site, domain, or OU.

Remove-GPO Deletes a GPO.

Remove-GPPrefRegistryValue Removes one or more registry preference items

Remove-GPRegistryValue Removes one or more registry-based policy settings

Rename-GPO Assigns a new display name to a GPO. Restore-GPO Restores one GPO or all GPOs in a domain from Set-GPInheritance Blocks or unblocks inheritance for a specified domain or OU.

Set-GPLink Sets the properties of the specified GPO link.

Set-GPPermissions Grants a level of permissions to a security principal

Set-GPPrefRegistryValue Configures a registry preference item

Set-GPRegistryValue Configures one or more registry-based policy settings This concludes AGPM install on Server 2019.

Thanks

Ram Lan 1st Jan 2019

Below are few tests, I did with AGPM GPO deployment within the lab in 2018.

For this exercise – I will login as AGPMEditor on a workstation/server that has AGPM Client installed &

open GPMC editor – Right Click Change Control – New Controller GPO. Below is what you will see. Give

GPO Name and enter your Comment and click Submit.

Since the GPO is in pending statate – it requires approval. The AGPMAdmin or the AGPMApprover has to

approve the GPO. Once the requested GPO is approved, the AGPMEditor can configure GPO settings and

have it ready for deployment (for testing and Post Production).

First AGPMEditor has to check out the GPO to edit and make necessary configuration.

Once it is cheked out – AGPMEditor can edit the GPO. Once all the settings are done AGPMEditor can

Check In and request the GPO for deployment.

As you can see from below screen shot the GPO is in pending for deployment. AGPMAdmin or

AGPMApprover can take a look at the GPO settings, approve & deploy GPO for test and production.

To confirm that the controlled GPO has been deployed from the AGPM archive into the RAMLAN

production environment, AGPMAdmin expands Group Policy Objects node for ramlan.ca domain in the

GPMC. The Test GPO is displayed under this node, a copy of this controlled GPO is now present in SYSVOL.

While the controlled GPO is now present in the production environment, it is not yet being applied to

any target computers because it has not yet been linked to an organizational unit (OU).

The controlled GPO that AGPMEditor proposed creating has now been fully deployed by AGPMAdmin into

the RAMLAN production environment. This concludes AGPM configuration and GPO creation and

deployment.