AGPM: GPLinks are being destroyed each time I deploy

A customer reported an issue to me recently where the customer reported that when using AGPM 3.0, each time they deployed out to production, their GPLinks were being destroyed.

Why is this occurring?

What’s probably relevant here is to outline what’s happening and why.

When AGPM manages GPO’s it performs all its editing offline. When you have finished editing your GPOs and “Deploy to Production”, what you’re essentially doing is overwriting the GPO with the new information. It does this operation with everything that AGPM knows about including:

  • GPO settings
  • Access Control Lists (security filtering and management)
  • GPLinks

Anything that you do in the Production object before this occurs will be overwritten with AGPM deploys its new object information. This means if you make a GPLink change in production and then don’t tell AGPM about it, the object AGPM has will overwrite those changes next time around and you will wonder what happened.

This problem is compounded by the fact that AGPM doesn’t offer any ability to manage GPLinks (or Security Filtering) within AGPM itself – this is all done with GPMC and Imported into AGPM later.

So how do you make sure AGPM knows about GPLink and Security Filter changes?

There are actually two ways to do this though the best way is to make the GPLink and Security Filtering changes to the Production object and then do an “Import from Production” operation. This essentially takes a copy of everything in production and pulls it into AGPM. Note that in this case the reverse can occur where changes in AGPM are overwritten by the production object. Heres a good way to make sure you capture everything you want:

  1. Make your GPO changes (if necessary) in AGPM
  2. Deploy to production
  3. Make any necessary changes to GPLinks and Security Filtering
  4. Import from Production

This ensures that the settings stay the way you want and the GPLinks and Security Filtering are preserved and known by AGPM for that particular object. From then on you can make all the settings changes you want and AGPM will continue to push out the correct GPLinks and Filtering (unless of course you want to change it again)

Hope this helps

Michael Kleef, Program Manager

Comments (1)

  1. Rostislav says:

    Thanks Michael. I would also mention that this also applies to WMI filters. If you’d like to preserve WMI filters on GPOs you should also import GPO from production before modifying it with AGPM and then deploying it.