Advanced Group Policy Management

Presentation transcript:

Advanced Group Policy Management
Microsoft Confidential: Preliminary Information: NDA Only
Delivering Business Value Today and Tomorrow

Microsoft Confidential: Preliminary Information: NDA Only
The Optimized Desktop: Enterprise Investment Areas
Access Information Anywhere: “My enterprise is becoming more dispersed. How do I keep people connected to what they need?” (App-V; MED-V)
Enhance Security and Control: “How can I enable the software and devices my users require and minimize their risk?” (BitLocker; AGPM; DaRT)
Streamline PC Management: “How can I reduce costs and take advantage of new technologies like virtualization?” (MUI; 4 Virtual OS; Subsystem for Unix; AIS; AGPM; App-V; DEM)

Microsoft Confidential: Preliminary Information: NDA Only
Microsoft Desktop Optimization Pack: What you need to know
What the Desktop Optimization Pack provides:
1. Minimal deployment effort: regular updates; faster upgrade cycle, separate from Windows
2. Immediate ROI: runs out of the box; integrates with existing management solutions
3. End-to-end solutions: lower desktop TCO
>95% of MDOP customers are (very) satisfied *1
$70-$80 net cost savings per PC per year using MDOP *2
*1 Microsoft MDOP customer study. Base: current MDOP customers n=108, non-MDOP customers n=367.
*2 MDOP ROI Analysis by Wipro: Wipro Product Strategy and Architecture Practice’s Analysis of Features, Cost Benefits, and Effects on IT Best Practices that Improve IT Infrastructure Optimization, March 2007, sponsored by Microsoft, available at <http://download.microsoft.com/download/8/f/4/8f461f10-23fd-472a-8af9-72153b56fcc1/MDOP%20TCO%20Wipro%2020March%202007.xps>

Current Enterprise Issues with GP/GPMC
One-size-fits-all implementation
No checks and balances
Live changes
No history or rollback capabilities
Limited reporting

Many organizations use Group Policy to manage the systems on their networks. While Group Policy is very powerful and beneficial, there are some issues with both Group Policy itself and using GPMC to manage it in the enterprise. GPMC is built as a one-size-fits-all implementation. The challenge is that every enterprise works differently: some use central groups to manage GPOs, while others take a more distributed approach. Many organizations want to have a review process, but with GPMC this is not possible. With GPMC all changes are made against production servers; most organizations have horror stories of someone taking out a large section of their users by making changes to GPOs that had unintended effects. After a bad GPO deployment there is no easy way to roll back the changes, and only limited reporting options to figure out the root cause of the problem.

Microsoft Confidential: Preliminary Information: NDA Only
Advanced Group Policy Management: Enhancing group policy through change management
What it does / Benefits:
Versioning, history & rollback of group policy changes / Enables group policy change management
Role-based administration & templates / Provides granular administrative control
Flexible delegation model / Reduces risk of widespread failure

AGPM was designed to solve the issues with GPMC. AGPM was built as an add-in to GPMC to bring it versioning, history, and rollback capabilities to enable group policy change management. AGPM allows organizations to set up role-based administration and templates to provide granular administrative control. With its flexible delegation model, AGPM helps to reduce the risk of widespread failure.

“Advanced Group Policy Management has been like a magic bullet for us. Its automated change management and workflow-enabled delegation capabilities are impressive. I wouldn't be able to manage GPOs without it.” Michael Wilcox, MIS Client Services Supervisor, Forsyth County
“We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs.” Simon Boxall, Active Directory Infrastructure Engineer, London Borough of Camden

AGPM Benefits
AGPM allows workflow and change management for Group Policy updates:
AGPM delivers a simple, easily configured mechanism to delegate GPO changes and approval
Group Policy updates can be verified and approved to ensure they work
With offline editing and robust change management, AGPM reduces downtime and operational costs
AGPM provides visibility across the Enterprise for all Group Policy updates:
Rich reporting provides insight into any GPO changes and current state
AGPM facilitates large-scale Enterprise needs

The key benefits of AGPM fall into two primary buckets. The first is allowing workflow and change management for GPO updates. The second is providing visibility across the Enterprise for all group policy updates.

Microsoft Confidential: Preliminary Information: NDA Only
AGPM Terminology
Archive: In AGPM, a central store that contains the controlled GPOs that the associated AGPM Server manages, in addition to the history for each of those GPOs. This includes all previous controlled versions of each GPO. An archive consists of an archive index file and associated archive data that may include data for GPOs in multiple domains. An archive can be hosted on a computer other than an AGPM Server.
Offline: The AGPM archive provides offline storage for GPOs. Changes made to GPOs in the archive don’t affect the production environment until you deploy the GPOs.
AGPM Client: A computer that runs the AGPM snap-in for the Group Policy Management Console (GPMC) and from which Group Policy administrators manage GPOs.
AGPM snap-in: The software component of AGPM installed on AGPM Clients so that they can manage GPOs.
AGPM Server: A server that runs the AGPM Service and manages an archive. Each AGPM Server can manage only one archive, but one AGPM Server can manage archive data for multiple domains in one archive. An archive can be hosted on a computer other than an AGPM Server.
AGPM Service: The software component of AGPM that runs on an AGPM Server as a service. The service manages GPOs in the archive and in the production environment in that forest.
Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
Uncontrolled GPO: A GPO in the production environment for a domain that is not managed by AGPM.

Architecture
(Diagram: the Administrative Desktop (Admin Component) and the AGPM Server (Server Component), which holds the Archive/Offline copies of GPO 1 and GPO 2, and the Domain Controller (Production), which holds GPO 1 and GPO 2, with direct links between the components.)

AGPM works by making a copy of the production GPOs to the AGPM server. This allows the administrative clients to make changes to the copies of the GPO in an offline state, without any impact to the production servers. When an admin edits the GPO he is editing the copy. That copy is then what is reviewed through the workflow process, and when it is fully approved it is then pushed as a unit out to the production servers.

Delegation - Roles
Full Control, Editor, Approver, Reviewer
Define granular control without making everyone a Domain Admin

Customizable permissions
What permissions are set on the production GPOs? The permissions defined on the Production Delegation tab, plus the service account with full permission. Security filtering is not affected.
When do these permissions get set? When a GPO is controlled; when a GPO is deployed; when a GPO is restored from the recycle bin.
Who can set the permissions? Only AGPM administrators who are granted the Full Control role.

Controlling GPOs
“Uncontrolled” GPOs are in the production environment; “Controlled” GPOs are in AGPM.
Controlling a GPO makes a copy of it; all edits to a controlled GPO are made offline.
Generates a “request” for those that don’t have permission to control GPOs.
Approvers can control GPOs. This is required due to the updating of permissions on the production GPO (it used to be the Editor role).

Workflow
Offline: Control, Check-out, Edit, Check-in, Requests, Reporting, Deployment
The pacman represents the parts in the change control process that are done within AGPM. Remember that all of the work in AGPM is happening on the offline archive.

Requests
When is a request generated? On Control, Deploy, Delete and Restore actions.
What does a request do? Moves the GPO to the Pending tab and sends an e-mail.
What actions can be taken? Approve/Reject: Approver or Full Control. Withdraw: the Editor who made the request.

Deployment
Editor can select “Deploy”: this does not deploy the GPO; it sends an e-mail to the AGPM Admin and places the GPO into “Pending” mode.
Full Control or Approver: select “Deploy” for the “Pending” GPO.
Production Delegation (new in 3.0):
Flexibility: improve the security in the production GPOs
Control: control permissions on all production GPOs
Security: ensure the use of the AGPM tool by other administrators
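The roles, request handling and deployment steps on the last few slides fit together as a small state machine, which is what makes AGPM a separation-of-duties control rather than just a GPO editor. The block below is an added example written for this page, not AGPM's own code or API: it models the offline archive, the production domain and the Pending tab as in-memory dictionaries (an assumption of the example) and enforces the rules the slides state: only Approver or Full Control can control a GPO or approve/reject a request, an Editor's Deploy only creates a pending request, and only the requesting Editor can withdraw it. The class and user names (AgpmModel, editor03, approver01, reviewer02) and the sample GPO settings are constructed for illustration.

```python
from enum import Enum

class Role(Enum):
    FULL_CONTROL = "Full Control"
    EDITOR = "Editor"
    APPROVER = "Approver"
    REVIEWER = "Reviewer"

APPROVING_ROLES = {Role.FULL_CONTROL, Role.APPROVER}  # slide: "Approve/Reject – Approver / Full control"

class AgpmModel:
    """Hypothetical in-memory stand-in for the AGPM archive and the production domain."""

    def __init__(self, roles):
        self.roles = roles        # user -> Role
        self.production = {}      # name -> live settings, as the domain controller holds them
        self.archive = {}         # name -> offline copy: {"settings", "checked_out_by", "history"}
        self.pending = []         # the "Pending" tab: {"action", "gpo", "by", "status"}

    def _require(self, user, allowed):
        if self.roles.get(user) not in allowed:
            raise PermissionError(f"{user} ({self.roles.get(user)}) may not perform this action")

    def _mine(self, user, name):
        gpo = self.archive[name]
        if gpo["checked_out_by"] != user:
            raise PermissionError(f"{name} must be checked out by {user} for this step")
        return gpo

    def control(self, user, name):
        """Copy an uncontrolled production GPO into the archive (Approver or Full Control)."""
        self._require(user, APPROVING_ROLES)
        self.archive[name] = {"settings": dict(self.production[name]), "checked_out_by": None, "history": []}

    def check_out(self, user, name):
        self._require(user, {Role.EDITOR, Role.FULL_CONTROL})
        gpo = self.archive[name]
        if gpo["checked_out_by"] not in (None, user):
            raise PermissionError(f"{name} is already checked out by {gpo['checked_out_by']}")
        gpo["checked_out_by"] = user

    def edit(self, user, name, changes):
        self._mine(user, name)["settings"].update(changes)   # offline: production is untouched

    def check_in(self, user, name):
        gpo = self._mine(user, name)
        gpo["history"].append(dict(gpo["settings"]))          # versioning: keep every checked-in copy
        gpo["checked_out_by"] = None

    def request_deploy(self, user, name):
        """An Editor's Deploy does not deploy: it only creates a pending request for the approvers."""
        self._require(user, {Role.EDITOR})
        if self.archive[name]["checked_out_by"]:
            raise PermissionError("check the GPO in before requesting deployment")
        req = {"action": "Deploy", "gpo": name, "by": user, "status": "pending"}
        self.pending.append(req)
        return req

    def withdraw(self, user, req):
        """Only the Editor who made the request may withdraw it."""
        if req["by"] != user or req["status"] != "pending":
            raise PermissionError("withdraw is limited to the requester of a pending request")
        req["status"] = "withdrawn"
        self.pending.remove(req)

    def decide(self, user, req, approve):
        """Approver or Full Control approves or rejects; approval pushes the copy to production as a unit."""
        self._require(user, APPROVING_ROLES)
        if req["status"] != "pending":
            raise PermissionError("request is no longer pending")
        if approve and req["action"] == "Deploy":
            self.production[req["gpo"]] = dict(self.archive[req["gpo"]]["settings"])
        req["status"] = "approved" if approve else "rejected"
        self.pending.remove(req)

    def difference_report(self, name):
        """Settings that differ between the offline copy and production (readable by any role)."""
        live, offline = self.production.get(name, {}), self.archive[name]["settings"]
        return {k: (live.get(k), offline.get(k)) for k in set(live) | set(offline)
                if live.get(k) != offline.get(k)}

def is_denied(action, *args):
    """True if the model refuses the action; lets the role checks be shown without tracebacks."""
    try:
        action(*args)
        return False
    except PermissionError:
        return True

def walkthrough():
    """The slides' workflow end to end on constructed sample data; returns the model."""
    m = AgpmModel({"approver01": Role.APPROVER, "editor03": Role.EDITOR, "reviewer02": Role.REVIEWER})
    m.production["Workstation Lockdown"] = {"ScreenSaverTimeout": 900, "RequireBitLocker": False}
    m.control("approver01", "Workstation Lockdown")
    m.check_out("editor03", "Workstation Lockdown")
    m.edit("editor03", "Workstation Lockdown", {"RequireBitLocker": True})
    m.check_in("editor03", "Workstation Lockdown")
    req = m.request_deploy("editor03", "Workstation Lockdown")
    assert m.difference_report("Workstation Lockdown") == {"RequireBitLocker": (False, True)}
    assert is_denied(m.decide, "reviewer02", req, True)   # a Reviewer reads reports, cannot approve
    m.decide("approver01", req, True)
    return m
```

Running walkthrough() shows the point of the offline archive: after the Editor's check-in the difference report lists the pending change while production is still unchanged, and only the Approver's decision pushes the copy out. The Reviewer role can call difference_report but is refused by decide and check_out, which is the granular control the delegation slide describes.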

Reporting
Difference reports
Settings reports

Microsoft Confidential: Preliminary Information: NDA Only
New 4.0 Feature Overview
Support for Windows 7 and Windows Server 2008 R2
Search and filter GPOs
Export and import GPOs to different forests

Search and filter GPOs
In AGPM 4.0, you can search the list of GPOs for specific attributes to filter the list of GPOs displayed. For example, you can search for GPOs with a particular name, state, or comment. You can also search for GPOs that were last changed by a particular Group Policy administrator or on a particular date. You can create a complex search string by using the format GPO attribute 1: search text 1 GPO attribute 2: search text 2…, where a GPO attribute is any column heading in the list of GPOs in AGPM. For example, to search for all GPOs with names including the text "MyGPO" that are checked in and were last changed by the user Editor03, you would type the following in the Search box: name: MyGPO state: checked in changed by: Editor03. The search returns partial matches so that you can enter part of a GPO name or user name and view a list of all GPOs that include that text in their name. Additionally, you can use the same special terms available when you search in Windows to search for GPOs changed on a specific date or range of dates. For example, change date: lastmonth or change date: thisweek.

Export and import GPOs to different forests
Using AGPM 4.0, you can copy a controlled GPO from a domain in one forest to a domain in a second forest. For example, you can export a GPO from a domain in one forest to a CAB file by using AGPM, copy that CAB file to a USB drive, plug the USB drive into a computer in a domain in a second forest, and import the GPO into AGPM in a domain in the second forest. You can either import the GPO as a new controlled GPO, or import it to replace the settings of an existing GPO that is checked out.

Support for Windows Server 2008 R2 and Windows 7
AGPM 4.0 supports Windows Server 2008 R2 and Windows 7, yet still supports Windows Server 2008 and Windows Vista® with Service Pack 1 (SP1). However, there are limitations in a mixed environment that includes both the newer and older operating systems. More details in the following slide and appendix.
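The search-string format described above (attribute: text pairs with partial matching, plus relative date terms for the change date) is simple enough to parse, and doing so makes its edge cases visible: a multi-word value such as "checked in" runs up to the next attribute token, and "checked in" does not match a "Checked out" GPO. The block below is an added example for this page, not the slides' content and not AGPM's own code: a parser for that format run over a constructed listing of four GPOs. It assumes that the recognised attributes are the column headings name, state, comment, changed by and change date, a fixed "today" of 2009-09-15 so that the relative terms give repeatable results, and a Monday week start plus a few extra date terms (today, yesterday, lastweek, thismonth and an ISO date) beyond the lastmonth and thisweek the slide mentions.

```python
import re
from datetime import date, timedelta

# Column headings usable as search attributes. The slide names name, state, comment,
# "changed by" and "change date"; treating exactly these five as the headings is an assumption.
ATTRIBUTES = ("name", "state", "comment", "changed by", "change date")
_ATTR_RE = re.compile(r"\b(" + "|".join(re.escape(a) for a in ATTRIBUTES) + r")\s*:", re.IGNORECASE)


def parse_search(query):
    """Split 'attr1: text1 attr2: text2 ...' into {attr: text}.

    The search text for an attribute runs up to the next recognised 'attribute:' token,
    so multi-word values such as 'checked in' need no quoting."""
    tokens = list(_ATTR_RE.finditer(query))
    if not tokens or query[: tokens[0].start()].strip():
        raise ValueError("every search term must be prefixed by a GPO attribute and a colon")
    criteria = {}
    for i, tok in enumerate(tokens):
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(query)
        value = query[tok.end():end].strip()
        if not value:
            raise ValueError(f"missing search text after '{tok.group(1)}:'")
        criteria[tok.group(1).lower()] = value
    return criteria


def date_range(term, today):
    """Resolve a date term to an inclusive (first, last) range.

    'lastmonth' and 'thisweek' are the terms the slide mentions; the other terms, the
    Monday week start and the ISO-date fallback are assumptions of this example."""
    term = term.lower().replace(" ", "")
    week_start = today - timedelta(days=today.weekday())
    first_of_month = today.replace(day=1)
    last_of_prev = first_of_month - timedelta(days=1)
    ranges = {
        "today": (today, today),
        "yesterday": (today - timedelta(days=1), today - timedelta(days=1)),
        "thisweek": (week_start, today),
        "lastweek": (week_start - timedelta(days=7), week_start - timedelta(days=1)),
        "thismonth": (first_of_month, today),
        "lastmonth": (last_of_prev.replace(day=1), last_of_prev),
    }
    if term in ranges:
        return ranges[term]
    exact = date.fromisoformat(term)   # e.g. '2009-08-06' matches that single day
    return exact, exact


def gpo_matches(gpo, criteria, today):
    """Partial, case-insensitive match on text attributes; range match on the change date."""
    for attr, text in criteria.items():
        if attr == "change date":
            first, last = date_range(text, today)
            if not first <= gpo["change date"] <= last:
                return False
        elif text.lower() not in str(gpo.get(attr, "")).lower():
            return False
    return True


def search(query, gpos, today):
    """Names of the GPOs in `gpos` that satisfy every term of `query`, in listing order."""
    criteria = parse_search(query)
    return [g["name"] for g in gpos if gpo_matches(g, criteria, today)]


TODAY = date(2009, 9, 15)  # fixed "today" (a Tuesday) so the relative terms are deterministic
SAMPLE_GPOS = [  # constructed listing of a small archive, not real GPOs
    {"name": "MyGPO-Workstations", "state": "Checked in", "changed by": "Editor03",
     "change date": TODAY - timedelta(days=1), "comment": "baseline lockdown"},
    {"name": "MyGPO-Servers", "state": "Checked out", "changed by": "Editor03",
     "change date": TODAY - timedelta(days=10), "comment": "pending review"},
    {"name": "Finance Lockdown", "state": "Checked in", "changed by": "Editor01",
     "change date": TODAY - timedelta(days=40), "comment": "SOX controls"},
    {"name": "MyGPO-Legacy", "state": "Checked in", "changed by": "Editor03",
     "change date": TODAY - timedelta(days=45), "comment": "retire after migration"},
]

if __name__ == "__main__":
    # The slide's own example query, then the same name filter narrowed by a date term.
    print(search("name: MyGPO state: checked in changed by: Editor03", SAMPLE_GPOS, TODAY))
    print(search("name: MyGPO change date: lastmonth", SAMPLE_GPOS, TODAY))
```

With the constructed listing, the slide's query returns MyGPO-Workstations and MyGPO-Legacy (MyGPO-Servers is excluded because "checked in" is not a substring of "Checked out"), and adding change date: lastmonth narrows it to MyGPO-Legacy. A reviewer auditing recent changes would combine changed by with a date term in the same way.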

Easy setup, fast ROI
Install the server component using agpmserv.msi: should be installed on a domain server. Installation specifics: establish a service account; establish an administrator.
Install the client component using agpmclient.msi: must be installed on a computer with GPMC; can be deployed using Group Policy software installation.

MDOP Solutions Value
Reduce application management costs
Enable roaming and free seating
Build business continuity for applications
Proactive insight into desktop crashes and hangs
Enable governance and change control
Reduce help desk calls
Accelerate OS migrations
Manage software assets across the Enterprise

Microsoft Confidential: Preliminary Information: NDA Only
Resources
You can find MDOP on the Windows client site under Desktop Management Technologies: go to www.windowsvista.com/optimizeddesktop
Check out Demos & Videos, Case Studies, Data sheets & white papers
Our blog is at blogs.technet.com/mdop
Find details on App-V here: technet.microsoft.com/appvirtualization
Other MDOP information at the Windows Client techcenter at technet.microsoft.com/springboard
Download our software from TechNet*, MSDN* or the MVLS* site (*require a subscription; no trial for AIS)

Helpful Resources
MDOP customer site: www.microsoft.com/mdop/
MDOP TechNet site: http://www.microsoft.com/technet/mdop/
MDOP Team Blog: http://blogs.technet.com/mdop/
AGPM 4.0 Overview Whitepaper: http://TechNet.Microsoft.Com/library/ee532079.aspx
Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx

Helpful Resources
Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
Group Policy Wiki: http://grouppolicy.editme.com
Group Policy Team Blog: http://blogs.technet.com/grouppolicy
Group Policy TechNet Forum: http://forums.microsoft.com/TechNet
Group Policy Health Model: http://technet2.microsoft.com/windowsserver2008/en/library/e695eea4-01c4-429e-8fd1-c98e3ef6f7791033.mspx?mfr=true
Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Operating System Support
Columns: operating system on which AGPM Server 4.0 runs; operating system on which AGPM Client 4.0 runs; status of AGPM 4.0 support.
Server: Windows Server 2008 R2 or Windows 7; Client: Windows Server 2008 R2 or Windows 7; Status: Supported
Server: Windows Server 2008 R2 or Windows 7; Client: Windows Server 2008 or Windows Vista with SP1; Status: Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Server: Windows Server 2008 or Windows Vista with SP1; Client: Windows Server 2008 R2 or Windows 7; Status: Unsupported
Server: Windows Server 2008 or Windows Vista with SP1; Client: Windows Server 2008 or Windows Vista with SP1; Status: Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7