Implementing Multiple AGPM Servers

Hi Everyone,

Paulo here, a Microsoft Premier Field Engineer (PFE). Recently I have had several customers asking how to deploy multiple AGPM servers per forest/domain. As you know, AGPM was designed to centralize change control over Group Policy, so it was not exactly developed with this purpose in mind.

The configuration of Group Policy in a single AGPM server scenario is straightforward.

The AGPM server takes control of GPOs by copying them into the AGPM archive, and to do that the AGPM service account must have Full Control over all the GPOs. Refer to my earlier AGPM post for more information on that at https://blogs.technet.microsoft.com/reference_point/2013/08/21/how-to-prevent-the-creation-of-gpos-from-outside-agpm-advanced-group-policy-management/

With multiple AGPM servers, however, each AGPM service account controls only its own subset of policies (for example one AGPM server/service account per OU, domain or business unit).

Start by creating a governing body/team. It ultimately owns an account which can change and create GPOs in AD. When a new GPO is needed, the governing body decides which AGPM server will be responsible for it and assigns permissions on that new policy to the applicable AGPM service account. Channeling GPO creation through the governing body prevents GPO creation outside of AGPM.

Each AGPM server has control only over the policies it can see, which is of course governed by permissions.

As an administrator you can create GPOs anywhere in the domain, which is a nightmare. So, as a business unit, if you want a new policy you must make a request to the governing body (or change control team, whichever you like to call it).

They’ll create the new policy and set the permissions so that your AGPM server has exclusive full control over it.

No AGPM service account can create policies (in fact no one other than the governing body can), or the purpose of this model is defeated.
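To make the governing body's step concrete, here is an added PowerShell example (my own illustration for this post, not part of AGPM or of any Microsoft tooling) using the GroupPolicy module: it creates a GPO outside of AGPM, grants Full Control on it to exactly one AGPM service account, strips the other AGPM service accounts from it, and then reports which service account owns each GPO in the domain so that shared or orphaned policies stand out. The domain name, the service account names and the GPO name are constructed for the example.

```powershell
# Added example (not from the original post): delegate one GPO to exactly one
# AGPM service account and audit which service account controls each GPO.
# Assumptions (constructed for this example): domain "corp.example", one AGPM
# service account per AGPM server (svc-agpm-hr, svc-agpm-finance) and a GPO
# named "HR - Desktop Lockdown". Run as the governing body's account.
Import-Module GroupPolicy

$Domain = 'corp.example'
$AgpmServiceAccounts = @('svc-agpm-hr', 'svc-agpm-finance')

function Grant-AgpmGpoOwnership {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    # Governing body step: the GPO is created here, not by any AGPM server.
    if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Domain $Domain | Out-Null
    }
    # GpoEditDeleteModifySecurity is the GPMC equivalent of Full Control, which
    # is what the AGPM service account needs to take the GPO into its archive.
    Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $ServiceAccount `
        -TargetType User -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
    # Every other AGPM service account is explicitly removed so that only the
    # chosen AGPM server can see and control this policy.
    foreach ($other in ($AgpmServiceAccounts | Where-Object { $_ -ne $ServiceAccount })) {
        Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $other `
            -TargetType User -PermissionLevel None -ErrorAction SilentlyContinue | Out-Null
    }
}

function Get-AgpmGpoOwnershipReport {
    # For every GPO in the domain, list which AGPM service accounts hold
    # Full Control. Exactly one owner is the goal; zero or several is a
    # finding for the governing body to fix.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $owners = @(foreach ($acct in $AgpmServiceAccounts) {
            $perm = Get-GPPermission -Name $gpo.DisplayName -Domain $Domain `
                -TargetName $acct -TargetType User -ErrorAction SilentlyContinue
            if ($perm -and $perm.Permission -eq 'GpoEditDeleteModifySecurity') { $acct }
        })
        [pscustomobject]@{
            Gpo    = $gpo.DisplayName
            Owners = ($owners -join ', ')
            Status = switch ($owners.Count) {
                1       { 'OK' }
                0       { 'NO AGPM OWNER' }
                default { 'SHARED - FIX' }
            }
        }
    }
}

Grant-AgpmGpoOwnership -GpoName 'HR - Desktop Lockdown' -ServiceAccount 'svc-agpm-hr'
Get-AgpmGpoOwnershipReport | Format-Table -AutoSize
```

The report is the useful part for day-to-day operation: run it on a schedule and any GPO with a "SHARED - FIX" or "NO AGPM OWNER" status is a policy that either two AGPM servers can both take control of, or that no AGPM server is managing at all, which is exactly the situation the governing body model is meant to prevent.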

Another important point as you roll out AGPM is ADMX maintenance. As you upgrade the PolicyDefinitions folder with ADMX files to support new platforms, note that if you have the AGPM client running on Windows Server 2012 R2 and you want to manage a Windows 10 client… you cannot do it. You must put in a Windows Server 2016 client to be able to do that. 2012 R2 can only manage up to Windows 8.1 clients, right?

Wait… well, that was the Microsoft support statement until Mark Empson (also a PFE at Microsoft) published, a few months ago, his amazing work documenting the known challenges that can occur when you manage a Windows 10 Group Policy client from a Windows Server 2012 R2 server. So before you jump in and deploy your new multiple-AGPM design, make sure you check Mark's article at https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv

Hope it helps.

Paulo Francisco Viralhadas

PFE@Microsoft