Windows Server 2008 and Windows Vista : Architecture of Advanced Group Policy Management (part 1)

2/24/2013 6:47:03 PM

Operating System Support

AGPM shipped in its first final version in the summer of 2007, squarely in the Windows Vista and Windows Server 2008 release time frame; these are the operating systems from which the AGPM interface is designed to manage Group Policy. The GPOs you manage can belong to an Active Directory environment whose domain controllers still run Windows 2000 or Windows Server 2003, but the AGPM tools themselves must run on Windows Vista, Windows Server 2003, or Windows Server 2008.

GPMC Requirements

The GPMC has been the primary tool for administering Group Policy for years. It provides a centralized view of all GPOs, from a single forest with one domain to multiple forests with multiple domains. AGPM builds on this view by adding a snap-in extension to the GPMC that places the GPOs of each domain under change control, in the same per-domain layout the GPMC already uses.

AGPM adds a new node in the GPMC called Change Control, which is where all AGPM features are controlled. This node is shown in Figure 1.

Figure 1. AGPM includes a Change Control node in the GPMC interface for managing your GPOs offline.

On Windows Vista (RTM), the GPMC is installed and ready to use by default. Windows Vista Service Pack 1 removes that built-in GPMC, so on SP1 you must install the Remote Server Administration Tools (RSAT) for Windows Vista, which carry the updated GPMC with support for the new Windows Server 2008 features, such as searching and filtering.

Client Installation

After the AGPM Server is installed, you must install the AGPM Client in order to administer GPOs from within the AGPM environment. The AGPM Client is not a client in the sense that it receives policy from the server; it is the administrative interface for the AGPM management environment, and it talks to the AGPM Service on the server over TCP.

The AGPM Client adds a new node within the GPMC, which is why the GPMC was listed earlier as a requirement for AGPM. After the client is installed the GPMC looks as it did before, with the addition of the Change Control node shown in Figure 1.

The AGPM Client must be installed on a computer running Windows Server 2003, Windows Server 2008, or Windows Vista. Running AGPMClient.msi launches the AGPM Client Setup Wizard. To install the full product, follow these steps:

Double-click the AGPMClient.msi file.

On the Welcome to the Microsoft Advanced Group Policy Management – Client Setup Wizard page, click Next.

Read and accept the license terms, and then click Next.

On the Application Path page, select the path to install the AGPM Client. The default path is C:\Program Files\Microsoft\AGPM\Client, which is appropriate in most cases.

On the AGPM Server page, enter the fully qualified DNS name of the AGPM Server in the Name box. This should be in the form: <servername> (for example,

Enter the port number on which the AGPM Service is listening in the Port box. The default is TCP 4600; change it only if that port is already used by another service or application on the server, and in either case make sure the port is reachable from the client through any firewall in between.

Review the configuration summary, and then click Install to install the AGPM Client.

Best Practices

It is always a best practice to administer services running on Windows servers from an administrative desktop rather than from the server console. This keeps the server locked down and reduces the chance of introducing errant configuration or other problems on the server itself. For the AGPM Client this means installing it on a computer running Windows Vista where possible, although it can also run on Windows Server 2003 or Windows Server 2008.

After the AGPM Client is installed, you will be able to launch the GPMC and start to administer GPOs from within the AGPM tool. To verify that the AGPM Client is installed properly and functioning, follow these steps:

Start the GPMC management tool.

Click the Change Control node under the domain where you installed the AGPM Server.

You should see a list of the GPOs that are already controlled, or a list of uncontrolled GPOs, in the details pane.
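A practitioner usually wants to confirm the prerequisites for the AGPM Client before and after the wizard runs: that the GPMC is present on the administrative workstation, that the client install path exists, and that the AGPM Server actually answers on the port typed into the setup wizard. The following PowerShell script is an added example written for this article, not part of the AGPM product or the original text. It assumes the server name and port you entered in the wizard (4600 is the product default), the default client install path, and a domain-joined machine that can resolve the server's name; it uses a raw TCP connect so that it also works on the Vista/2003-era PowerShell that lacks Test-NetConnection.

```powershell
# Added example (not from the original article): pre-flight / post-install check for an
# AGPM Client machine. Assumptions: $AgpmServer and $AgpmPort are the values entered in the
# AGPM Client Setup Wizard (4600 is the product default), and $ClientPath is the default
# client install path from the wizard.
param(
    [Parameter(Mandatory = $true)][string]$AgpmServer,
    [int]$AgpmPort = 4600,
    [string]$ClientPath = "$env:ProgramFiles\Microsoft\AGPM\Client"
)

function Test-TcpPort {
    # Raw TCP connect with a timeout; avoids Test-NetConnection, which older PowerShell lacks.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-AgpmClientPrereq {
    param([string]$Server, [int]$Port, [string]$Path)
    $os = Get-WmiObject Win32_OperatingSystem
    # The GPMC ships as gpmc.msc; on Vista SP1 it is only present after RSAT is installed.
    $gpmc = Join-Path $env:SystemRoot 'System32\gpmc.msc'
    $result = New-Object PSObject -Property @{
        OperatingSystem  = $os.Caption
        ServicePack      = $os.CSDVersion
        GpmcPresent      = (Test-Path -LiteralPath $gpmc)
        ClientInstalled  = (Test-Path -LiteralPath $Path)
        ServerResolvable = $false
        ServerPortOpen   = $false
    }
    try {
        $null = [System.Net.Dns]::GetHostEntry($Server)
        $result.ServerResolvable = $true
    } catch { }
    if ($result.ServerResolvable) {
        $result.ServerPortOpen = Test-TcpPort -ComputerName $Server -Port $Port
    }
    return $result
}

$check = Test-AgpmClientPrereq -Server $AgpmServer -Port $AgpmPort -Path $ClientPath
$check | Format-List OperatingSystem, ServicePack, GpmcPresent, ClientInstalled, ServerResolvable, ServerPortOpen

if (-not $check.GpmcPresent) {
    Write-Warning "gpmc.msc not found: install the GPMC (RSAT on Windows Vista SP1) before the AGPM Client."
}
if (-not $check.ServerPortOpen) {
    Write-Warning "Cannot reach $AgpmServer on TCP $AgpmPort; check that the AGPM Service is running and that the port is open on the server's firewall."
}
```

Run it once before installing the client to catch a missing GPMC or a blocked port, and again afterwards to confirm that ClientInstalled and ServerPortOpen are both True; if the Change Control node then still fails to list GPOs, the problem is on the server side (service, permissions, or archive) rather than on the administrative workstation.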

Offline Editing of GPOs

AGPM provides many benefits. The one most administrators say matters most to them is the ability to edit GPOs offline. This is in contrast to managing GPOs through the GPMC alone, which can only modify the production GPOs. The drawback of the GPMC-only approach is that every change made to a GPO is a change to the production GPO, effective immediately. If you make a change in error, the target computers or users can pick it up at the next background refresh, which by default runs every 90 minutes with a random offset of up to 30 minutes on member computers, and every 5 minutes on domain controllers.

How It Works: GPO Changes Using the GPMC and the GPME

When a GPO is edited directly by using the GPMC, the changes are immediate. This matters because a change made in error, or with malicious intent, takes effect at once. To see this for yourself, edit a GPO under the Group Policy Objects node in the GPMC; the Group Policy Management Editor (GPME) opens on the settings of that GPO. Modify any setting and the Group Policy Template (GPT) in SYSVOL reflects the change as soon as you confirm it.

As an example, use the Administrator account status security setting. In the GPME, expand Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. To watch the setting land in the GPT, open the folder where this part of the GPO is stored on the domain controller holding the PDC Emulator role (the DC the GPME writes to by default): C:\Windows\SYSVOL\sysvol\<domainname>\Policies\<GUID of GPO>\Machine\Microsoft\Windows NT\SecEdit. This folder holds the GptTmpl.inf file (if no security setting has been configured in the GPO yet, neither the folder nor the file exists).

Now go back to the GPME, set Accounts: Administrator account status to Enabled, and click OK. Open GptTmpl.inf and you will find the entry EnableAdminAccount = 1 under the [System Access] section. You are still in the GPME, but the setting has already been written to the GPT. At this point the GPT is already replicating to the other domain controllers through SYSVOL replication, and the updated Group Policy Container (GPC) through Active Directory replication. Any target computer that refreshes Group Policy now receives the setting, even though the GPME is still open.
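The walkthrough above can be turned into a small monitor that shows the same effect without hand-opening files on the domain controller. The PowerShell script below is an added example written for this article, not code from the original text or from the AGPM product. It assumes you run it from a domain-joined machine with read access to SYSVOL, and that $GpoGuid is the GUID of the GPO you are editing (shown on the GPO's Details tab in the GPMC). It locates the PDC Emulator through .NET's ActiveDirectory classes, polls the GPO's GptTmpl.inf, reports any change in the [System Access] section (EnableAdminAccount is where the Administrator account status lands), and beside each change compares the gpt.ini version with the versionNumber attribute on the GPC object, which is the check clients use to decide that a GPO has changed.

```powershell
# Added example (not from the original article): watch a GPO's GPT in SYSVOL on the PDC
# emulator and report security-template changes as soon as the GPME writes them.
# Assumptions: run with read access to SYSVOL and the GPC; $GpoGuid is the GUID of the GPO
# open in the GPME, in braces, e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'.
param(
    [Parameter(Mandatory = $true)][string]$GpoGuid,
    [int]$Seconds = 300,       # how long to watch
    [int]$PollSeconds = 2      # polling interval; polling is more reliable than FileSystemWatcher over SMB
)

# The GPME writes to the PDC emulator by default, so that is where the change shows up first.
$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc      = $domain.PdcRoleOwner.Name
$gptRoot  = "\\$pdc\SYSVOL\$($domain.Name)\Policies\$GpoGuid"
$gptIni   = Join-Path $gptRoot 'gpt.ini'
$gptTmpl  = Join-Path $gptRoot 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.ToString()
$gpcPath  = "LDAP://$pdc/CN=$GpoGuid,CN=Policies,CN=System,$domainDn"

function Read-IniSection {
    # Minimal INI reader: key=value pairs from one [Section] of gpt.ini or GptTmpl.inf.
    param([string]$Path, [string]$Section)
    $result = @{}
    # GptTmpl.inf only exists once at least one security setting has been configured.
    if (-not (Test-Path -LiteralPath $Path)) { return $result }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^([^=]+?)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2] }
    }
    return $result
}

function Get-GpoVersions {
    # GPT version (gpt.ini) versus GPC version (AD versionNumber). Both are bumped on every
    # edit and should agree once the GPME has finished writing; the low 16 bits are the
    # computer version and the high 16 bits the user version.
    $general    = Read-IniSection -Path $gptIni -Section 'General'
    $gptVersion = [int]$general['Version']
    $gpc        = [ADSI]$gpcPath
    $gpcVersion = [int]$gpc.versionNumber.Value
    New-Object PSObject -Property @{
        GptVersion     = $gptVersion
        GpcVersion     = $gpcVersion
        MachineVersion = ($gptVersion -band 0xFFFF)
        UserVersion    = (($gptVersion -shr 16) -band 0xFFFF)
        InSync         = ($gptVersion -eq $gpcVersion)
    }
}

Write-Host "Watching $gptTmpl on PDC emulator $pdc for $Seconds seconds"
$previous = Read-IniSection -Path $gptTmpl -Section 'System Access'
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $PollSeconds
    $current = Read-IniSection -Path $gptTmpl -Section 'System Access'
    foreach ($key in (@($current.Keys) + @($previous.Keys) | Sort-Object -Unique)) {
        if ($current[$key] -ne $previous[$key]) {
            $v = Get-GpoVersions
            $msg = '{0:HH:mm:ss}  [System Access] {1}: "{2}" -> "{3}"  (GPT version {4}, GPC version {5}, in sync: {6})'
            $msg -f (Get-Date), $key, $previous[$key], $current[$key], $v.GptVersion, $v.GpcVersion, $v.InSync
        }
    }
    $previous = $current
}
```

Start the script, then perform the Administrator account status change in the GPME as described above: the line reporting EnableAdminAccount going to 1 appears while the editor is still open, and the version numbers show that the GPC and GPT have already been incremented, which is exactly what a client's next refresh keys on. The same polling logic, pointed at a different section of GptTmpl.inf such as [Privilege Rights], gives a cheap detective control for unreviewed security-setting changes in domains that are not yet under AGPM change control.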
