Operating System Support
AGPM was released in a
final version in the summer of 2007, falling directly in the Windows
Vista and Windows Server 2008 release time frame—these are the operating
systems from which you can manage Group Policy by using the AGPM
interface. You can also manage an Active Directory enterprise of GPOs
running Windows 2000 or Microsoft Windows Server 2003 from AGPM, but you
must do so from Windows Vista, Windows Server 2003, or Windows Server
2008.
GPMC Requirements
The GPMC has been the primary tool for administration of Group Policy for
years. The GPMC is a centralized view of all GPOs, from a single forest
with just one domain, to multiple forests with multiple domains. AGPM
utilizes this view of Group Policy within the GPMC by adding a simple
snap-in that allows control over the GPOs per domain, just like the GPMC
originally intended.
AGPM adds a new node in the GPMC called Change Control, which is where all AGPM features are controlled. This node is shown in Figure 1.
With Windows Vista, the
GPMC comes installed and ready to use by default. However, if you have
installed Windows Vista Service Pack 1, you will need to install the
updated GPMC, which provides support for the new Windows Server 2008
features, such as searching and filtering.
Client Installation
After AGPM Server is installed, you must install
the AGPM Client so that you can administer the GPOs from within the
AGPM environment. The AGPM Client is not a client in the sense that it
receives any information from the server. Rather, the AGPM Client is the
administrative interface for the AGPM management environment.
The AGPM Client adds a new node within the GPMC,
which is why the GPMC was mentioned earlier as a requirement for AGPM.
The result of the AGPM Client installation is the same as what you
looked at earlier, but the Change Control node is added to the GPMC.
The AGPM Client must be installed on a computer
running Windows Server 2003, Windows Server 2008, or Windows Vista. To
install the AGPM Client, double-click the AGPMClient.msi file, which
launches the AGPM Client Setup Wizard. To install the full product,
follow these steps:
1. Double-click the AGPMClient.msi file.
2. On the Welcome to the Microsoft Advanced Group Policy Management – Client Setup Wizard page, read and agree to the terms, and then click Next.
3. Read and agree to the licensing terms.
4. On the Application Path page, select the path to install the AGPM Client, or keep the default. The default path is C:\Program Files\Microsoft\AGPM\Client, which should work in most cases.
5. On the AGPM Server page, enter the fully qualified DNS name for the AGPM Server in the Name box. This should be in the form <servername>.domainname.com (for example, Server1.fabrikam.com).
6. Enter the port number on which the AGPM Server service is running in the Port box. The default is 4600, but you can change it if you are already using this port for a different service or application.
7. Agree to the configurations that you made, and then install the AGPM Client.
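Steps 5 and 6 take the AGPM Server's fully qualified DNS name and the port on which the AGPM Server service listens (4600 by default). The following PowerShell function is an added preflight check, not part of the book or of the AGPM product: run from the administrative workstation, it confirms that the name entered is a proper FQDN that resolves and that the port accepts a TCP connection, which is the usual cause of the Change Control node failing to connect after installation. The server name Server1.fabrikam.com is the text's example; the regular expression and the timeout are assumptions of this example.

```powershell
# Added example (not from the book): preflight the AGPM Server endpoint the
# client setup wizard will be pointed at. Uses only .NET classes available
# in Windows PowerShell.
function Test-AgpmServerEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,  # e.g. Server1.fabrikam.com (step 5)
        [int] $Port = 4600,                           # AGPM Server service default (step 6)
        [int] $TimeoutMs = 3000                       # assumed connect timeout
    )
    $result = [ordered]@{
        Server = $ServerFqdn; Port = $Port
        Resolves = $false; Addresses = @(); PortOpen = $false; Error = $null
    }

    # Step 5 check: the wizard expects <servername>.domainname.com, not a bare host name.
    if ($ServerFqdn -notmatch '^[^.\s]+(\.[^.\s]+)+$') {
        $result.Error = 'Name is not a fully qualified DNS name'
        return [pscustomobject]$result
    }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($ServerFqdn)
        $result.Resolves  = $true
        $result.Addresses = @($addrs | ForEach-Object { $_.IPAddressToString })
    } catch {
        $result.Error = "DNS lookup failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Step 6 check: something must be listening on the configured port.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ServerFqdn, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)    # throws if the connection was refused
            $result.PortOpen = $true
        } else {
            $result.Error = "No response on TCP port $Port within $TimeoutMs ms"
        }
    } catch {
        $result.Error = "TCP connect failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage with the text's example server name; on a workstation that cannot
# reach it, the object comes back with PortOpen = $false and an Error text.
Test-AgpmServerEndpoint -ServerFqdn 'Server1.fabrikam.com' | Format-List
```

A result with Resolves = $true and PortOpen = $false usually means the AGPM Server service is stopped or a firewall between the workstation and the server does not allow the chosen port; a result with Resolves = $false means the name in step 5 was entered without its DNS suffix or does not exist.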
Best Practices
It is always a best practice to administer services running on Windows
servers from an administrative desktop. This is ideal so that the server
remains locked and the possibility of causing other errant
configurations or issues on the server is reduced. With the AGPM Client,
it is ideal to install it on a computer running Windows Vista, but it
can also be run from Windows Server 2003 or Windows Server 2008.
After the AGPM Client is installed, you will be
able to launch the GPMC and start to administer GPOs from within the
AGPM tool. To verify that the AGPM Client is installed properly and
functioning, follow these steps:
1. Start the GPMC management tool.
2. Click the Change Control node under the domain where you installed the AGPM Server.
3. You should see a list of the GPOs that are already controlled, or a list of uncontrolled GPOs, in the details pane.
Offline Editing of GPOs
AGPM provides many benefits. The benefit that
most administrators claim to be most important to them is the ability to
edit GPOs offline. This is in contrast to the GPMC management of GPOs,
which modifies only the GPOs in production. The negative aspect of
administering the GPOs via the GPMC method is that any change that is
made to a GPO affects the production GPO immediately. Thus, if you make
the change errantly, the target computers or users could be affected by
the background refresh within minutes of the GPO being modified.
When a GPO is edited
directly by using the GPMC, the changes made are immediate. This is an
important issue, because changes can be made errantly or with malicious
intent, with immediate results. To see this, edit a GPO from within the
GPMC, under the Group Policy Objects node. The Group Policy Management
Editor will show the contents of the GPO settings. As an example, you
can modify any setting and see that the GPT will immediately show that
change after you confirm the setting. To see this, expand the Computer
Configuration container to where you can alter a security setting, such
as Enabling or Disabling the Administrator account. This path is
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options. If you were to open the location in the GPT
where a setting from this part of the GPO is stored, you could see the
setting take effect immediately. To do this, on the domain controller running the PDC
Emulator role, go to C:\Windows\Sysvol\sysvol\<domainname>\
Policies\<GUID of GPO>\Machine\Microsoft\Windows NT\SecEdit. Here
you will find the GPTTmpl.inf file (if you have not made the setting
yet, this path and file will not exist). Now, go back to the GPME and
set the Administrator account status to Enabled, and then click OK. If
you open the GPTTmpl.inf file, you will see an entry that says
EnableAdminAccount = 1. Notice that you are still in the GPME, but the
setting has been already written to the GPT. At this point, the contents
of the GPT are already being replicated to all other domain
controllers, as well as the contents of the GPC. If the target computers
happen to refresh Group Policy at this point, they will receive this
setting, even though you are still in the GPME.
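The walk-through above can be repeated without a text editor. The PowerShell below is an added example, not code from the book or from AGPM: it builds the SYSVOL path the text describes, reads the GPTTmpl.inf file for a GPO, and reports the Administrator account status from its [System Access] section, so that the write the GPME makes at the moment you click OK can be observed from a script. It assumes the SYSVOL layout given in the text and is run on the PDC Emulator; the domain name fabrikam.com is the text's example, the GPO GUID is a placeholder, and the sample INF lines are constructed for offline use when the real file is absent.

```powershell
# Added example (not from the book): inspect the Group Policy Template (GPT)
# part of a GPO in SYSVOL and report the Administrator account status.
# Assumed: the SYSVOL layout described in the text; placeholder domain and
# GUID; constructed sample INF content.

function Get-GptSecEditPath {
    param(
        [Parameter(Mandatory)] [string] $DomainName,  # e.g. fabrikam.com
        [Parameter(Mandatory)] [string] $GpoGuid      # {GUID} shown on the GPO's Details tab in the GPMC
    )
    # Path from the text, on the domain controller holding the PDC Emulator role.
    $root = Join-Path $env:SystemRoot 'Sysvol\sysvol'
    return Join-Path $root "$DomainName\Policies\$GpoGuid\Machine\Microsoft\Windows NT\SecEdit\GPTTmpl.inf"
}

function ConvertFrom-IniLines {
    # Minimal [Section] / Key = Value parser for the security template format.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $ini = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
        } elseif ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $ini
}

function Get-GptAdminAccountStatus {
    param(
        [Parameter(Mandatory)] [string] $IniPath,
        [string[]] $SampleLines      # used only when the real file is absent
    )
    if (Test-Path -LiteralPath $IniPath) {
        $lines = Get-Content -LiteralPath $IniPath   # file is Unicode; its BOM is honoured
    } elseif ($SampleLines) {
        $lines = $SampleLines
    } else {
        # As the text notes, the file does not exist until a security setting is defined.
        return 'GPTTmpl.inf absent: no Security Settings written to this GPT yet'
    }
    $ini = ConvertFrom-IniLines -Lines $lines
    $value = if ($ini.ContainsKey('System Access')) { $ini['System Access']['EnableAdminAccount'] } else { $null }
    if ($value -eq '1')     { return 'Administrator account status: Enabled' }
    elseif ($value -eq '0') { return 'Administrator account status: Disabled' }
    else                    { return 'Administrator account status: Not Defined' }
}

# Constructed sample of GPTTmpl.inf after "Accounts: Administrator account
# status" was set to Enabled in the GPME (not captured from a real domain).
$sampleGptTmpl = @(
    '[Unicode]',
    'Unicode=yes',
    '[System Access]',
    'EnableAdminAccount = 1',
    '[Version]',
    'signature="$CHICAGO$"',
    'Revision=1'
)

# Placeholders: substitute the domain and the GUID of the GPO being edited.
$path = Get-GptSecEditPath -DomainName 'fabrikam.com' -GpoGuid '{GUID-OF-GPO}'
Get-GptAdminAccountStatus -IniPath $path -SampleLines $sampleGptTmpl
```

Run it once before clicking OK in the GPME and once after: the first run reports the file as absent (or the setting as Not Defined), the second reports Enabled, while the editor is still open. Because the function only reads SYSVOL, the same check can be scheduled to record when a GPT's security template changes, which is what the offline workflow of AGPM removes from the production path.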