How to prevent the creation of GPOs from outside AGPM (Advanced Group Policy Management)

During my interactions with Premier Microsoft customers I have found out that the main reason for not using AGPM (Advanced Group Policy Management) in order to enforce change control procedures on Group Policy management is the lack of information on how to prevent GPOs from being created or edited outside of AGPM.
Basically their experience tells them that any Domain/GPO admin will be able to use the normal GPMC (Group Policy Management Console) to create/edit GPOs thus bypassing the desired change control enforcement supposedly provided by AGPM. I am writing these lines to address that problem.

This post explains how to install and configure AGPM in order to prevent the creation of GPOs from outside AGPM.

AGPM is a plug-in for GPMC that provides the following features:

Offline editing
Change control
Role-based delegation
Search and filter capabilities
Cross-forest management
AGPM can be found on the MDOP (Microsoft Desktop Optimization Pack) for Software Assurance.

To install the AGPM follow the steps below:

1. Create an AGPM Service Account
2. Add the AGPM Service Account to the following groups:
2.1. Group Policy Creator Owners
2.2. Backup Operators
2.3. Local Administrators (on the Client(s) and Server selected to install the AGPM Client and Server components respectively)
3. Install the AGPM Server component on the selected server.
4.1. Run the AGPM server installer
4.2. Select the Archive Path (can be a local folder or network share)
4.3. Select the AGPM Service Account under which the AGPM service will run.
4.4. Assign the Archive Owner/AGPM Administrator (Full Control) role to the Group (or individual User) that will have Full Control over AGPM thus will be able to assign AGPM roles and permissions to other Group Policy Administrators.
4.5. Select the port listener for AGPM service (default:4600)

NOTE: The AGPM Service Account requires (at least) the following permissions:
– Full Control to the AGPM Archive
– Full Control to %systemroot%\temp folder
– Full Control to existing GPOs

5. Install the AGPM Client component on the selected workstation.
5.1. Run AGPM client installer
5.2. Insert the AGPM Server and Port for connecting to the AGPM server service.

To prevent the creation of GPOs from outside AGPM do the following:

1. Remove All members (except the AGPM Service Account and the Archive Owner/AGPM Administrator) of the “Group Policy Creator Owners” group

To prevent changes of existing GPOs outside AGPM

1. Remove Domain Admins and Enterprise Admins permissions from every GPO in the domain.

NOTE: Domain Admins may re-add themselves permissions to all GPOs. Depending on your environment additional Groups may have to be removed from all GPOs. Ensure that Authenticated Users have Allow Read permissions and that target Groups have Allow Apply Group Policy. Also that you don’t remove the AGPM Administrator account assigned in step 4.4.

In order to easy this task consider the use of GrantPermissionOnAllGPOs.wsf included in GPMCSampleScripts.msi which can be downloaded from
You may also find many other useful scripts there.

From now on the AGPM Administrator may configure e-mail notifications, control policies and manage roles and delegated permissions and approve requests via AGPM client without worrying about GPO admins circumventing change control with GPMC.

Hope it helps!

Comments (3)

  1. Anonymous says:

    Well done

  2. Anonymous says:

    forgot to login before posting the above comment.

  3. John says:

    Paulo, has this changed in the past 2 years as far as supported from Microsoft?  I ask becuase this blog from the AD team states it is not supported, as of 2011, and if you call in for support issues around GPO's they will have you restore the default permissions.  I love the idea of doing this so all changes have to be done via AGPM, but do not want to put myself in a unsupported configuration.…/forcing-domain-admins-to-use-agpm-but-not-really.aspx