Implementing Multiple AGPM Servers

___________________________________________________________________________________________________________________________

IMPORTANT ANNOUNCEMENT FOR OUR READERS!

AskPFEPlat is in the process of a transformation to the new Core Infrastructure and Security TechCommunity, and will be moving by the end of March 2019 to our new home at https://aka.ms/CISTechComm (hosted at https://techcommunity.microsoft.com). Please bear with us while we are still under construction!

We will continue bringing you the same great content, from the same great contributors, on our new platform. Until then, you can access our new content on either https://aka.ms/askpfeplat as you do today, or at our new site https://aka.ms/CISTechComm. Please feel free to update your bookmarks accordingly!

Why are we doing this? Simple really; we are looking to expand our team internally in order to provide you even more great content, as well as take on a more proactive role in the future with our readers (more to come on that later)! Since our team encompasses many more roles than Premier Field Engineers these days, we felt it was also time we reflected that initial expansion.

If you have never visited the TechCommunity site, it can be found at https://techcommunity.microsoft.com. On the TechCommunity site, you will find numerous technical communities across many topics, which include discussion areas, along with blog content.

NOTE: In addition to the AskPFEPlat-to-Core Infrastructure and Security transformation, Premier Field Engineers from all technology areas will be working together to expand the TechCommunity site even further, joining together in the technology agnostic Premier Field Engineering TechCommunity (along with Core Infrastructure and Security), which can be found at https://aka.ms/PFETechComm!

As always, thank you for continuing to read the Core Infrastructure and Security (AskPFEPlat) blog, and we look forward to providing you more great content well into the future!

__________________________________________________________________________________________________________________________

Hi Everyone,

Paulo here, a Microsoft Premier Field Engineer (PFE), recently I have had several customers querying about how to deploy multiple AGPM Servers per Forest/Domain. As you know AGPM was designed to centralize change control over Group Policies so not exactly developed for this intended purpose.

The configuration of Group Policy in a single AGPM server scenario is straight forward

The AGPM server takes control of GPOs which copies GPOs into the AGPM archive enabling the AGPM server to control them and to do that the AGPM Service account must have Full Control over all the GPOs. Refer to my earlier AGPM related post for more information on that at https://blogs.technet.microsoft.com/reference_point/2013/08/21/how-to-prevent-the-creation-of-gpos-from-outside-agpm-advanced-group-policy-management/

However, by having multiple AGPM servers each AGPM service account can only control its own subset of policies (for example having an AGPM server/service per OU, Domain or Business Unit).

Start by creating a Governing body/team which ultimately has an account which can change and create new GPOs in AD, and then they decide which AGPM Server will need to be responsible over this new Group Policy, so then they assign permissions to that new policy for the applicable AGPM service account. Channeling GPO creation through the Governing body prevents GPO creation outside of the AGPM.

Each AGPM server has only control over the policies which they can see, which obviously is controlled by permissions.

As an administrator you can create GPOs anywhere in the domain, which is a nightmare. So as business unit if you want a new policy, you must make a request to the governing body (or change control team whichever you like to call it).

They’ll create the new policy and set the permissions so that your AGPM server has exclusive full control over it.

No AGPM service accounts can create policies (actually no one other than the governing body) or this model’s purpose will be defeated.

It is important as you roll out AGPM is ADMX maintenance. As you upgrade the PolicyDefinitions folder with ADMXs to support new platforms, if you have the AGPM client on running on Windows 2012 R2 and you want to manage a Windows 10 client… you cannot do it. You must put in a Windows Server 2016 client to be able to do that. 2012 R2 can only manage up to Windows 8.1 clients, right?

Wait… well that was the Microsoft support statement until Mark Empson (also a PFE@Microsoft) a few months ago published his amazing work documenting the known challenges that can occur when you manage a Windows 10 Group Policy client from a Windows Server 2012 R2 server. So before you jump in and deploy your new Multiple AGPM design make sure you check Mark’s article at https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv

Hope it helps

Paulo Francisco Viralhadas

PFE@Microsoft