HOW TO INSTALL AGPM (ADVANCED GROUP POLICY MANAGEMENT)
v4.0 SP3 ON WINDOWS SERVER 2019 DOMAIN CONTROLLER
In this post, I will show you how to install and configure AGPM on Windows Server 2019, which is my
domain controller.
Configuration Flow - AGPM
AGPM Explained in detail: The Process
Supported Configuration & Pre Requisites:
First, create these groups and the user account. To keep everything in order, I have created an OU and,
inside the OU, created the groups and users.
Now it is time to mount MDOP 2015 ISO file and run AGPM Server installer.
Now we will perform AGPM Client install. Please note it is installed on the same server (DC).
Now open GPMC. As you can see, Change Control, which is part of the AGPM configuration, shows up, and
it has several other tabs to configure. So the install of AGPM Server and Client is successful.
Contents:
Since this is a brand-new install, we don’t have any GPOs under Controlled. There are a few GPOs in
Uncontrolled. I am going to transfer these to Controlled as detailed below.
Now, if you look at the Controlled GPOs, we have these:
Domain Delegation:
I have updated the email addresses (From, To) and the Exchange Server information, so when new GPOs are
created, these users will get an email to approve, review and authorize the GPOs for deployment.
Under Domain Delegation you can add users or groups individually and give them the appropriate permissions.
Below is just an example:
GPO Version Limits:
By default, AGPM will save each and every version you create of every controlled GPO in the AGPM
archive. This can add up to a lot of GPO versions over time, which not only consumes disk space but also
can make it harder to filter/search for GPO versions because of unwanted results being returned. It's
therefore a good idea to limit how many versions of each controlled GPO can be stored in your archive.
Creating a New Controlled GPO:
The various permissions within AGPM are listed below. A user within an AGPM security group can
only perform the tasks that are assigned to that group. It is a great way of controlling GPO deployment
within a large environment that is spread out geographically.
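AGPM roles govern what a user can do through Change Control; whether an account can still edit a deployed GPO directly depends on the permissions on the production GPO itself. The following is an added example, not part of the original post, that lists every trustee holding edit rights on production GPOs outside an expected set. The `$Expected` list and the `AGPM-Service` account name are assumed placeholders.

```powershell
# Added example; account names marked "assumed" are placeholders, not from the post.
Import-Module GroupPolicy

$Domain     = 'ramlan.ca'    # domain named in the post
# Trustees expected to hold edit rights on production GPOs (assumed list;
# replace AGPM-Service with the account your AGPM service runs as).
$Expected   = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'AGPM-Service')
# Permission levels that allow changing a GPO's settings.
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-UnexpectedGpoEditor {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [string[]] $Expected,
        [Parameter(Mandatory)] [string[]] $EditRights
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns one entry per security principal on the GPO.
        Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain |
            Where-Object {
                $EditRights -contains $_.Permission.ToString() -and
                $Expected   -notcontains $_.Trustee.Name
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                    SidType    = $_.Trustee.SidType
                    Permission = $_.Permission
                    Inherited  = $_.Inherited
                }
            }
    }
}

# Any row returned is an account that can change a production GPO directly.
Get-UnexpectedGpoEditor -Domain $Domain -Expected $Expected -EditRights $EditRights |
    Sort-Object Gpo, Trustee |
    Format-Table -AutoSize
```

An empty result means only the expected trustees can modify production GPOs; `Get-GPPermissions`, as listed further down the page, is the older name for the same cmdlet.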
Product Delegation:
Here you don’t have to do anything. This is for reference only.
POWERSHELL COMMANDS:
Get-Command -Module GroupPolicy
Get-Command -Module GroupPolicy | Get-Help
Backup-GPO                    Backs GPO
Copy-GPO                      Copies a GPO.
Get-GPInheritance             Retrieves GPO inheritance
Get-GPO                       Gets one GPO or all GPOs
Get-GPOReport                 Generates a report in either XML or HTML
Get-GPPermissions             Gets the permission level for security principals
Get-GPPrefRegistryValue       Retrieves one or more registry preference
Get-GPRegistryValue           Retrieves one or more registry-based policy settings
Get-GPResultantSetOfPolicy    Outputs the Resultant Set of Policy (RSoP) information
Get-GPStarterGPO              Gets one Starter GPO or all Starter GPOs in a domain.
Import-GPO                    Imports the Group Policy settings from a backed-up GPO
New-GPLink                    Links a GPO to a site, domain, or OU.
New-GPO                       Creates a new GPO.
New-GPStarterGPO              Creates a new Starter GPO.
Remove-GPLink                 Removes a GPO link from a site, domain, or OU.
Remove-GPO                    Deletes a GPO.
Remove-GPPrefRegistryValue    Removes one or more registry preference items
Remove-GPRegistryValue        Removes one or more registry-based policy settings
Rename-GPO                    Assigns a new display name to a GPO.
Restore-GPO                   Restores one GPO or all GPOs in a domain from
Set-GPInheritance             Blocks or unblocks inheritance for a specified domain or OU.
Set-GPLink                    Sets the properties of the specified GPO link.
Set-GPPermissions             Grants a level of permissions to a security principal
Set-GPPrefRegistryValue       Configures a registry preference item
Set-GPRegistryValue           Configures one or more registry-based policy settings
This concludes AGPM install on Server 2019.
Thanks
Ram Lan 1st Jan 2019
Below are a few tests I did with AGPM GPO deployment within the lab in 2018.
For this exercise, I will log in as AGPMEditor on a workstation/server that has the AGPM Client installed,
open the GPMC editor, right-click Change Control and choose New Controlled GPO. Below is what you will see.
Give the GPO a name, enter your comment and click Submit.
Since the GPO is in a pending state, it requires approval. The AGPMAdmin or the AGPMApprover has to
approve the GPO. Once the requested GPO is approved, the AGPMEditor can configure GPO settings and
have it ready for deployment (for testing and post-production).
First, AGPMEditor has to check out the GPO to edit it and make the necessary configuration.
Once it is checked out, AGPMEditor can edit the GPO. Once all the settings are done, AGPMEditor can
check in and request the GPO for deployment.
As you can see from the screenshot below, the GPO is pending deployment. AGPMAdmin or
AGPMApprover can take a look at the GPO settings, then approve and deploy the GPO for test and production.
To confirm that the controlled GPO has been deployed from the AGPM archive into the RAMLAN
production environment, AGPMAdmin expands the Group Policy Objects node for the ramlan.ca domain in the
GPMC. The Test GPO is displayed under this node; a copy of this controlled GPO is now present in SYSVOL.
While the controlled GPO is now present in the production environment, it is not yet being applied to
any target computers because it has not yet been linked to an organizational unit (OU).
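The same confirmation can be scripted with the GroupPolicy module. This is an added example, not part of the original post: it checks that the deployed GPO exists in the production domain and in SYSVOL and reports where it is linked. The display name `Test GPO` and the target OU are assumptions.

```powershell
# Added example; values marked "assumed" are not taken from the original post.
Import-Module GroupPolicy

$Domain  = 'ramlan.ca'                          # domain named in the post
$GpoName = 'Test GPO'                           # assumed display name of the deployed GPO
$Target  = 'OU=Workstations,DC=ramlan,DC=ca'    # assumed (hypothetical) OU to link to

function Get-GpoLinkStatus {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Domain
    )
    # Get-GPO raises an error if the GPO is not present in the production domain.
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction Stop

    # The XML report carries one <LinksTo> element per site, domain or OU link.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    # Each deployed GPO has a folder named after its GUID under SYSVOL\Policies.
    $sysvol = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        GpoStatus   = $gpo.GpoStatus
        Modified    = $gpo.ModificationTime
        SysvolFound = Test-Path -Path $sysvol
        LinkCount   = $links.Count
        Links       = @($links | ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled))" })
    }
}

$status = Get-GpoLinkStatus -Name $GpoName -Domain $Domain
$status | Format-List

# A freshly deployed GPO reports LinkCount 0 and applies to nothing until linked.
if ($status.SysvolFound -and $status.LinkCount -eq 0) {
    # -WhatIf only previews the link; remove it to create the link for real.
    New-GPLink -Guid $status.Id -Domain $Domain -Target $Target -LinkEnabled Yes -WhatIf
}
```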
The controlled GPO that AGPMEditor proposed creating has now been fully deployed by AGPMAdmin into
the RAMLAN production environment. This concludes AGPM configuration and GPO creation and
deployment.