During my interactions with Premier Microsoft customers I have found out that the main reason for not using AGPM (Advanced Group Policy Management) in order to enforce change control procedures on Group Policy management is the lack of information on how to prevent GPOs from being created or edited outside of AGPM.
Basically their experience tells them that any Domain/GPO admin will be able to use the normal GPMC (Group Policy Management Console) to create/edit GPOs thus bypassing the desired change control enforcement supposedly provided by AGPM. I am writing these lines to address that problem.
This post explains how to install and configure AGPM in order to prevent the creation of GPOs from outside AGPM.
AGPM is a plug-in for GPMC that provides the following features:
Search and filter capabilities
AGPM can be found on the MDOP (Microsoft Desktop Optimization Pack) for Software Assurance.
To install the AGPM follow the steps below:
1. Create an AGPM Service Account
2. Add the AGPM Service Account to the following groups:
2.1. Group Policy Creator Owners
2.2. Backup Operators
2.3. Local Administrators (on the Client(s) and Server selected to install the AGPM Client and Server components respectively)
3. Install the AGPM Server component on the selected server.
4.1. Run the AGPM server installer
4.2. Select the Archive Path (can be a local folder or network share)
4.3. Select the AGPM Service Account under which the AGPM service will run.
4.4. Assign the Archive Owner/AGPM Administrator (Full Control) role to the Group (or individual User) that will have Full Control over AGPM thus will be able to assign AGPM roles and permissions to other Group Policy Administrators.
4.5. Select the port listener for AGPM service (default:4600)
NOTE: The AGPM Service Account requires (at least) the following permissions:
– Full Control to the AGPM Archive
– Full Control to %systemroot%\temp folder
– Full Control to existing GPOs
5. Install the AGPM Client component on the selected workstation.
5.1. Run AGPM client installer
5.2. Insert the AGPM Server and Port for connecting to the AGPM server service.
To prevent the creation of GPOs from outside AGPM do the following:
1. Remove All members (except the AGPM Service Account and the Archive Owner/AGPM Administrator) of the “Group Policy Creator Owners” group
To prevent changes of existing GPOs outside AGPM
1. Remove Domain Admins and Enterprise Admins permissions from every GPO in the domain.
NOTE: Domain Admins may re-add themselves permissions to all GPOs. Depending on your environment additional Groups may have to be removed from all GPOs. Ensure that Authenticated Users have Allow Read permissions and that target Groups have Allow Apply Group Policy. Also that you don’t remove the AGPM Administrator account assigned in step 4.4.
In order to easy this task consider the use of GrantPermissionOnAllGPOs.wsf included in GPMCSampleScripts.msi which can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=14536
You may also find many other useful scripts there.
From now on the AGPM Administrator may configure e-mail notifications, control policies and manage roles and delegated permissions and approve requests via AGPM client without worrying about GPO admins circumventing change control with GPMC.
Hope it helps!