Brad McCabe, Product Manager Michael Kleef, Program Manager Microsoft Desktop Optimization Pack: Managing GPOs with Advanced Group Policy Management (AGPM) 4.0 Brad McCabe, Product Manager Michael Kleef, Program Manager CLI316
What we will discuss Introducing Advanced Group Policy Management (AGPM) What’s new in AGPM 4.0 Search Multi-Forest Windows 7/Windows Server 2008 R2 Support How it works “under the covers” How to get it
Introducing AGPM
What We Want meat (start) mat (removed ‘e’) man (changed ‘t’ to ‘n’) mane (added ‘e’) mine (changed ‘a’ to ‘i’) Know what changed and undo bad changes
Advanced Group Policy Management Enhancing group policy through change management What it Does Benefits Versioning, history & rollback of group policy changes Role-based administration & templates Workflow Offline editing Enable group policy change management Provides granular administrative control Reduce risk of widespread failure “We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs.” Simon Boxall Active Directory Infrastructure Engineer, London Borough of Camden Previous Version New Version 3.0 Released October 2009
Administrative Desktop Architecture Archive/Offline Production Copy of GPO 2 AGPM Server Domain Controller GPO 1 GPO 2 GPO 2 Copy of GPO 1 GPO 1 Direct link Server Component Direct link Admin Component Administrative Desktop
Offline Editing Edit GPOs offline before deploying live
Differences added changed removed Compare settings between GPOs
Delegation - Roles Full Control Editor Approver Reviewer Define granular control without making everyone a Domain Admin
Workflow Create a repeatable workflow that you can track Offline Control Check-out Edit Check-in Requests Reporting Deployment Offline Create a repeatable workflow that you can track
demo How AGPM works: Editing, Linking, Reporting and Deploying
What’s new in AGPM 4.0
AGPM 4.0 Client and Server Support Operating system on which AGPM Server 4.0 runs Operating system on which AGPM Client 4.0 runs Status of AGPM 4.0 support Windows Server 2008 R2 Windows 7/R2 Supported Best Experience Windows Vista with SP1/2008 Partially supported Cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7 Windows Server 2008 Unsupported Supported with limitations Cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Search (Filtering) What it does What it doesn’t do Filters GPOs by properties Allows for column precision Maintains a list of the recent 10 searches What it doesn’t do Search for settings
Multi Forest Support What it does What it doesn’t do Allows GPO movement from AGPM to AGPM Preserves origin metadata Supports migration tables What it doesn’t do Online moves between domains/forests GPP and Migrations Tables limitation
Windows 7/Server 2008 R2 What was supported Group Policy Preferences Reporting for all new extensions Applocker, DNSSEC, IE8, Scheduled Tasks Service execution RSAT
AGPM…the new Stuff Editing, Searching, Moving and Deploying Authoring demo AGPM…the new Stuff Editing, Searching, Moving and Deploying
Microsoft Desktop Optimization Pack What you need to know What the Desktop Optimization Pack provides Regular updates Faster upgrade cycle, separate from Windows® Minimal deployment effort 1 Provide immediate ROI 2 Run out of the box Integrate with existing management solutions Deliver end-to-end solutions 3 >95% of MDOP customers are (very) satisfied *1 $70-$80 net cost savings per PC per year using MDOP *2 Lower Desktop TCO *1, Microsoft MDOP customer study. Base: Current MDOP customer n=500 non-MDOP customer n=500 *2, MDOP ROI Analysis by Wipro
question & answer
Helpful Resources MDOP Blog http://blogs.technet.com/MDOP/ MDOP TechNet page http://www.microsoft.com/technet/mdop/ Group Policy TechNet page http://www.microsoft.com/technet/grouppolicy Group Policy Team Blog http://blogs.technet.com/grouppolicy Group Policy TechNet Forum http://forums.microsoft.com/TechNet
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
appendix
Controlling GPOs Uncontrolled GPOs are in Production environment Use Control GPO into AGPM Makes a copy of GPO All edits to controlled GPO are made offline Generates a “request” for those that don’t have permission to control GPOs Approvers can control GPOs Required due to updating of permissions on production GPO (used to be Editor role)
Requests What happens when a request is made? Moves GPO to pending tab Sends E-mail When is a request generated? Control Deploy Delete Restore What actions can be taken? Approve/Reject – Approver / Full control Withdraw – Editor who made request
Deployment Editor can select “Deploy” Does not deploy GPO Sends e-mail to AGPM Admin Places GPO into “Pending” mode Select “Deploy” for “Pending” GPO Full Control Approver Production Delegation (new in 3.0) Flexibility: Improve the security in the production GPOs Control: Control permissions on all production GPOs Security: Ensure the use of the AGPM tool by other administrators
What we want meat (start) mat (removed ‘e’) man (changed ‘t’ to ‘n’) mane (added ‘e’) mine (changed ‘a’ to ‘i’) Know what changed and undo bad changes
Auditing Get complete details on what happened, who did it, and why
History History is a list of complete backups Rollback to a safe state Safeguard your live environment from unapproved changes and untested settings
vs Reporting GPO 1.0 Security Template GPO A Security Kiosk GPO 1.5 Settings Parity with Group Policy settings reports Difference Versions: older compared to newer Any 2 GPOs Template: GPO compared to its baseline GPO 1.0 Security Template GPO A Security Kiosk GPO 1.5 GPO B vs
Workflow demo
What we will discuss Advanced Group Policy Management (AGPM) Change Management Auditing Reporting Delegation New features What does the future hold for AGPM? How to get it
New 3.0 Features Overview OS support Localization Windows 2008, Vista SP1 with RSAT 64 bit systems Group Policy Preferences Localization 11 languages Granular change tracking Purge historical data Delegation
Granular change tracking
Purge historical data
Delegation
Also… Improved installation process Simplified procedure for modifying the port on which the AGPM Server listens Email security - SSL encryption of SMTP traffic Friendlier names for AGPM policy settings The Editor role requires permissions to delete GPOs Improved GPO role delegation experience General UI improvements