3. Using Templates
AGPM GPO templates are nothing more than predefined GPOs. The ability to define a GPO full of settings that can then be used to create new GPOs is very useful in environments ranging from simple to complex. You can create multiple GPO templates, each containing a preset suite of GPO settings. In most cases, these preset GPO settings create a “baseline” of settings that all similar GPOs will contain.
After a GPO template is created, anyone within the AGPM environment who has been granted the ability to create GPOs can use it. Any new GPO within AGPM can be modeled after a GPO template, avoiding the need to create an empty GPO that then must be configured.
Note
After a template is created, it cannot be modified. It is a best practice to take existing GPOs and make templates out of them, to create a baseline of settings.
To create a GPO template from scratch, follow these steps:
1. In the GPMC, select the Change Control panel.
2. Click the Controlled tab in the details pane.
3. Right-click the GPO on which you want to create a GPO template, and then click Save As Template.
4. Type a name for the new template in the Name box, add an optional comment, and then click OK.
5. When the progress indicator window shows that the progress is complete, click Close. Look for the new template on the Templates tab.
In some cases, you may want to create a GPO template starting from an existing GPO. This allows you to take an existing GPO (and its settings) and reuse it as the model for additional GPOs.
To create a GPO template using an existing GPO, follow these steps:
1. In the GPMC, click the Controlled tab in the details pane.
2. Right-click the GPO on which you want to create a GPO template, and then click Save As Template.
3. Type a name for the new template in the Name box, and add an optional comment.
A GPO within AGPM includes all of the settings that can be contained in a GPO, including software deployment, security settings, user rights, audit policy settings, IP security settings, and Administrative Template settings (registry settings).
Best Practices
It is a best practice to create GPO templates based on departments, types of computers, types of users, and so on. Then, establish the delegation on the GPO template, which will then be carried over to the newly created GPO. This copying of the delegated permissions is an ideal way to ensure that only those administrators who should have control over the GPO and the settings can alter the settings in the template and new GPO residing in AGPM.
4. Recycle Bin
Every administrator who has made a mistake that cost his or her company hundreds or thousands of dollars has wished to go back in time and undo the mistake. Such an error might include a misconfiguration, an errant deployment, inadequate testing of a technology, or a deleted file. When GPOs are deleted from AGPM, they are not deleted immediately. Instead, they are placed in a Recycle Bin, just in case the administrator has doubts or made a mistake.
Note
The history of a GPO will be restored during the restoration process of a GPO in AGPM. However, if the GPO is destroyed from AGPM, the history is also destroyed.
The Recycle Bin is a default feature of AGPM and cannot be eliminated. It retains all GPOs that are deleted from within AGPM. When a GPO is deleted from anywhere in the AGPM tool, it is placed in the Recycle Bin, as shown in Figure 3.
To access the Recycle Bin and either restore or destroy a GPO, follow these steps:
1. In the GPMC, click the Recycle Bin tab in the details pane.
2. Right-click the GPO that you want to control, and then click either Destroy, to permanently delete the GPO from AGPM and GPMC, or Restore, to place the GPO back on the Controlled tab within AGPM.
Note
Restoring a GPO from the Recycle Bin will not put the GPO back into production. It will only place the GPO back on the Controlled tab in AGPM.
5. Restoring GPOs and GPO Links
GPOs that are stored in AGPM are not completely controlled by AGPM. Some configurations are not manageable or even tracked within the tool. One such configuration is GPO links, which are completely controlled by the GPMC.
There is one exception: When an administrator deletes or otherwise manipulates a GPO, AGPM tracks the GPO links. If the GPO is restored, deployed, or in any way put back into production, you may choose which GPO links to restore.
To view and select the links that are associated with a GPO that an administrator is putting back into production, follow these steps:
1. In the GPMC, click the Controlled tab in the details pane.
2. Right-click the GPO for which you want to view links, and then click Deploy.
3. Ensure that the Restore Links check box is selected, and then click Advanced.
4. In the GPO Links for Selected GPO dialog box, select the Active Directory nodes that you want to have the GPO linked to so that you can view the links, as shown in Figure 4.
If you want to see where a GPO is linked before deployment, you can view a report of GPO links by following these steps:
1. In the GPMC, click the Controlled tab in the details pane.
2. Double-click the GPO for which you want to view a report.
3. Right-click the archived version of the GPO, and then click Settings – GPO Links.
The results appear in the GPO Links for Selected GPOs dialog box.
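
Because GPO links are controlled by the GPMC rather than by AGPM, it helps to check the production links of a GPO after a restore or deployment against a snapshot taken beforehand. The following PowerShell is an added example, not part of the original text: it parses the XML produced by the GroupPolicy module's Get-GPOReport cmdlet and reports links that are missing, changed, or added. The function names are hypothetical, and the two reports are constructed samples with a made-up domain and OUs.

```powershell
# Added example. Input: XML from  Get-GPOReport -Name '<GPO>' -ReportType Xml
# The two reports below are constructed samples (made-up domain and OUs).
function Get-GpoLinkFromReport {
    param([Parameter(Mandatory)][string]$ReportXml)
    $doc = [xml]$ReportXml
    # An unlinked GPO has no LinksTo element, so skip the resulting $null.
    foreach ($link in @($doc.GPO.LinksTo)) {
        if ($null -eq $link) { continue }
        [pscustomobject]@{
            Path     = $link.SOMPath
            Enabled  = [System.Convert]::ToBoolean($link.Enabled)
            Enforced = [System.Convert]::ToBoolean($link.NoOverride)
        }
    }
}

function Compare-GpoLink {
    param([object[]]$Before, [object[]]$After)
    $afterByPath = @{}
    foreach ($l in $After) { $afterByPath[$l.Path] = $l }
    foreach ($b in $Before) {
        $a = $afterByPath[$b.Path]
        if ($null -eq $a) {
            [pscustomobject]@{ Path = $b.Path; Status = 'Missing' }
        } elseif ($a.Enabled -ne $b.Enabled -or $a.Enforced -ne $b.Enforced) {
            [pscustomobject]@{ Path = $b.Path; Status = 'Changed' }
        }
    }
    foreach ($l in $After) {
        if ($Before.Path -notcontains $l.Path) {
            [pscustomobject]@{ Path = $l.Path; Status = 'Added' }
        }
    }
}

$before = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <LinksTo><SOMPath>example.test/Workstations</SOMPath><Enabled>true</Enabled><NoOverride>false</NoOverride></LinksTo>
  <LinksTo><SOMPath>example.test/Kiosks</SOMPath><Enabled>true</Enabled><NoOverride>true</NoOverride></LinksTo>
</GPO>
'@
$after = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <LinksTo><SOMPath>example.test/Workstations</SOMPath><Enabled>false</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>
'@
Compare-GpoLink -Before (Get-GpoLinkFromReport $before) -After (Get-GpoLinkFromReport $after)
```

In a live domain, replace the sample strings with the saved output of Get-GPOReport captured before and after the change.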