1. E-Mail Configuration
It is no surprise that e-mail is an option for communication within AGPM for workflow. However, e-mail is not a required
form of communication within AGPM. E-mail messages that indicate that a
task has been performed include all of the pertinent information
related to the task. They include information regarding the action, the
GPO being modified, the user requesting the task, and a comment if
necessary.
Initially, e-mail is not used
or configured for use with the workflow in AGPM. To configure the
e-mail option within AGPM, follow these steps:
1. Open the GPMC as a user with full control over AGPM.
2. Click the Change Control node in the domain or forest in which you want to manage GPOs.
3. Click the Domain Delegation tab in the details pane.
4. Enter the information related to e-mail in the top portion of the tab. You will need to include the following information, which is also shown in Figure 1:
   From: The e-mail address that you will use, which will appear to AGPM administrators who have approval capability in the workflow process.
   To: The e-mail addresses of AGPM administrators who should always be notified of workflow tasks. This is a comma-delimited list.
   Note: Additional e-mail addresses can be entered when the e-mail message is sent from the GPO administrator. The To: line is just for administrators who should receive every workflow e-mail message.
   SMTP server: A valid SMTP server.
   User name: A valid user name, with access to the SMTP server.
   Password and Confirm password: A valid password for the user name you entered.
5. Enter the e-mail address of the user who should receive all workflow e-mail messages related to AGPM in the To box, as shown in Figure 1.
When a user performs a task that he or she does not have permission to
perform, the user is not denied that action explicitly. Instead, the
workflow offers to send an e-mail message to the AGPM administrator
responsible for that level of task. The e-mail message sent to the
approving administrator contains all of the significant information.
2. Pending Tab
If
the e-mail portion of workflow is not configured, workflow still
functions. E-mail is just an option, whereas the Pending tab
communication method works with no configuration. The Pending tab
alerts the AGPM administrator when an administrator performs a task
that is not completed because of the limited permissions of the
administrator who attempted the task.
When a task has been performed that requires approval, it appears on the Pending tab, as shown in Figure 2.
All
pending requests include the information that the approving
administrator needs to know to make a decision. Pending requests
include the following:
GPO name
Computer part version number
User part version number
Pending state of the GPO
GPO status
Windows Management Instrumentation (WMI) filters associated with the GPO
Date GPO was modified and put in pending state
Owner of the modified GPO
GPOs that appear on the Pending tab will remain there until approved or rejected.
3. Creating GPOs
Creation of a GPO in AGPM is possible only if the administrator performing the
creation has the appropriate permissions. The reasons for limiting the
creation of GPOs are obvious. First, if everyone could create GPOs, the
domain would be flooded with GPOs that didn't do anything or were
configured incorrectly. Second, an errant GPO could leave computers with
limited connectivity on the network, or with no connectivity at all.
Therefore,
the creation of GPOs is limited to only a few administrators who can be
trusted with such an awesome task. After an administrator has been
granted the correct delegated permissions (in both the GPMC and AGPM),
the ability to create a GPO within AGPM is granted.
Creating a GPO (with Create Permissions)
During
the creation process of a GPO from within AGPM, you have the choice to
create the GPO live or offline. In both cases, the GPO will be created
and placed on the Controlled tab in AGPM. If you create the GPO
offline, it will appear on the Controlled tab, but it will not be
deployed to a domain controller into production. If the GPO is created
live, it will be deployed and put into the production environment.
To create a GPO from AGPM, follow these steps:
1. In the GPMC, right-click the Change Control node, and then click New Controlled GPO.
2. In the New Controlled GPO dialog box, enter the name of your GPO in the GPO Name box.
3. (Optional) Type a comment for the GPO in the Comment box.
4. Select either Create Live or Create Offline.
5. From the GPO Template list, select the GPO template on which you will base the new GPO. You use this GPO template as a starting point for the new GPO.
   Note: The first time a GPO is created, a dialog box appears indicating that a GPO template has not yet been created and that one will be created for you. This GPO template will be created with no settings and will be marked as default. For future GPOs created in AGPM, this dialog box will not appear.
Creating a GPO (without Create Permissions)
If
the administrator does not have permission to create a GPO from within
AGPM, but does have other permissions, the option to create a new GPO
will still be available. This is because the workflow process that is
built in to AGPM can send a request to create a new GPO. In this
instance, the GPO will not be created—it will be placed in a pending
state for the approving AGPM administrator to approve.
To create a GPO without create permissions using the workflow mechanism, follow these steps:
1. In the GPMC, right-click the Change Control node, and then click New Controlled GPO.
2. In the Submit New Controlled GPO Request dialog box, type the e-mail address of additional administrators that should receive the request.
3. Type the name of the GPO in the GPO Name box.
4. (Optional) Type a comment for the GPO in the Comment box.
5. Select either Create Live or Create Offline.
6. From the GPO Template list, select the GPO template on which you will base the new GPO. You use this GPO template as a starting point for the new GPO.
   Note: If the SMTP portion of AGPM is not configured, the request is not e-mailed and will appear in the GPO creation confirmation as failing. The GPO is created on the Pending tab, but no administrator is notified of the pending request.
Withdrawing a GPO That Is Pending Creation
If a request to create a GPO is sent errantly or should be withdrawn, the
administrator who sent the request can withdraw it. To do this, right-click
the GPO that was placed under the Pending tab, and then select the withdraw
menu option. An e-mail message will be sent to the administrators who are
configured within the SMTP area, as well as those in the CC box of the
New Request dialog box. This message simply informs the recipients of the
original request that it no longer requires any action.
Approving or Rejecting a Pending GPO
If
the request to create a new GPO was not in error and the administrator
with approval permissions is notified of the pending GPO creation, he
or she can either approve or reject the GPO as shown previously in Figure 2.
Approving
the GPO will create it, either live or offline depending on the initial
creation settings. Rejecting the GPO will delete it, and nothing will
be created in production or AGPM.