It’s been a while since I posted anything here, but I’m back and I have a few things to share.
Today it’s about AGPM (Advanced Group Policy Management).
I’m a not going to get into details on how AGPM works, there are plenty of other blogs about the subject.
I regularly go onsite to clients to help them set up AGPM in their environment and when installing AGPM you always want to have this article in mind from the Ask Directory Services Team on how to set AGPM with least privilege (here).
After a few half dozen times, I started thinking about automating these tasks.
So here is a powershell script that I use to quickly prepare the environment for the installation of AGPM.
In details what it does is:
1) Create an OU where all AGPM accounts and Groups will be stored
2) Create the AGPM service account with a never expiring password (you are prompted to manually enter that password)
3) Add the AGPM service account to the groups “Backup Operator” and “Group Policy Creator owners”
4) Create the AGPM Full admin account (you are prompted to manually enter the password)
5) Create an “AGPM_Admin” group and add the AGPM Full admin account to it. This groups can then later be delegated the full admin role in AGPM
6) Create an “AGPM_Approver” group. This Group can later be delegated the Approver role in AGPM
7) Create an “AGPM Editor” group. This group can later be delegated the Editor role in AGPM
8) Create an “AGPM Reviewer” group. This group can later be delegated the Reviewer role in AGPM
9) Give full control on all existing GPOs to the AGPM Service Account
10) Give the “Read Gplink” and “Write gplink” extended rights to the root of the OU structure to the AGPM Service account
However to be in line with the Least Privilege article, you will have to manually give Full control to the AGPM Archive folder and Temp folder to the AGPM service account on the AGPM server, once AGPM is installed.
You can download the script here
I give this script as is and you can modify it as much as you want.
There is no requirements for groups to install AGPM, as well as the OU to store the groups and users. This is just a habit I have.
The main tasks you want to keep if you want to customize it are:
1) Create the AGPM service account
2) Create the Full admin account (even this one is optional)
3) Add the AGPM service account to the groups “Backup Operator” and “Group Policy Creator Owners”
4) Give full control on all existing GPOs to the AGPM service account
5) Give the “Read Gplink” and “Write gplink” extended rights to the root of the OU structure to the AGPM Service account
As usual let me know your inputs.