Tag Archive for group policy

Advanced Group Policy Management – AGPM


There are a lot of reasons why companies should buy their licences with Software Assurance. One of the main advantages is the right to use the Microsoft Desktop Optimization Pack, which includes AGPM – Advanced Group Policy Management.

AGPM is a tool that increases the control you have over your Group Policies. This tool will help you avoid issues like the one described in “Group Policy Management – Steve and Nick’s Tale”.


The key components in Microsoft Advanced Group Policy Management are:

Change Control

AGPM provides a secure archive for controlling changes to GPOs. In order to change a GPO, an administrator has to “check out” the GPO from the vault. When the changes are complete, the GPO gets “checked in” to the vault. Differences between archived versions and live versions are reviewed on the reports tab. When a GPO is ready for deployment it can be transferred to the live environment. The main advantage of this process is that a Group Policy can be “rolled back” to an archived version.
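The check-out, review and roll-back cycle described above can be approximated with the native GroupPolicy PowerShell module (Backup-GPO, Get-GPOReport, Restore-GPO). The script below is an added example written for this page; it is not AGPM code and not from the original post. It assumes a GPO called “Directors and Managers” and an archive folder at C:\GpoArchive, and it has no approval workflow, which is precisely the part AGPM adds on top of this.

```powershell
# Added example, not code from the original post and not AGPM itself: a
# bare-bones version of AGPM's archive / review / roll-back cycle built on
# the native GroupPolicy module (RSAT). No approval workflow is included.
Import-Module GroupPolicy

$GpoName    = 'Directors and Managers'   # GPO named elsewhere in this archive
$ArchiveDir = 'C:\GpoArchive'            # assumed local archive location

# Step 1 ("check out"): snapshot the live GPO before anyone touches it.
# Returns the backup GUID so a later restore can target exactly this version.
function Checkpoint-Gpo {
    param([string]$Name, [string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm'
    $backup = Backup-GPO -Name $Name -Path $Path -Comment "Pre-change snapshot $stamp"
    return $backup.Id
}

# Step 2 ("review"): diff the archived settings report (gpreport.xml, written
# by Backup-GPO into the {BackupId} folder) against the live GPO's XML report.
# Timestamp-only lines are dropped so the diff shows real setting changes.
function Compare-GpoWithArchive {
    param([string]$Name, [string]$Path, [guid]$BackupId)
    $archived = Get-Content -Raw (Join-Path $Path "{$BackupId}\gpreport.xml")
    $live     = Get-GPOReport -Name $Name -ReportType Xml
    Compare-Object ($archived -split "`r?`n") ($live -split "`r?`n") |
        Where-Object { $_.InputObject -notmatch '<(ReadTime|ModifiedTime|CreatedTime)>' } |
        ForEach-Object {
            $side = if ($_.SideIndicator -eq '=>') { 'LIVE    ' } else { 'ARCHIVED' }
            "$side $($_.InputObject.Trim())"
        }
}

# Step 3 ("roll back"): put the archived version back over the live GPO.
function Restore-GpoFromArchive {
    param([string]$Path, [guid]$BackupId)
    Restore-GPO -BackupId $BackupId -Path $Path | Out-Null
}

# Usage: snapshot first, make the change in GPMC, then review the diff.
$backupId = Checkpoint-Gpo -Name $GpoName -Path $ArchiveDir
# ... an administrator edits the GPO in GPMC here ...
Compare-GpoWithArchive -Name $GpoName -Path $ArchiveDir -BackupId $backupId
# If the diff shows something unexpected (a blanked proxy setting, say):
# Restore-GpoFromArchive -Path $ArchiveDir -BackupId $backupId
```

The diff is line-based on the XML report, so it is coarse, but it is enough to spot a setting that was blanked or a new setting that appeared between the snapshot and the live GPO. The archive folder should be on a share that GPO editors cannot write to, otherwise the “archived version” is only as trustworthy as the person who changed the GPO.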

Offline editing

Group Policy is the centerpiece of security and configuration management on Active Directory®-based networks, and, as such, configuration changes can affect a large number of computers. Offline editing enables you to configure and test changes without impacting live operations, and to deploy those changes with the knowledge that they can be quickly reverted if there are unexpected consequences.

Role-based delegation

Group Policy provides a rich delegation model, allowing administration tasks to be delegated to regional or task-oriented administrators. This is a significant advantage over scripting and utility products. However, the native delegation model allows Group Policy administrators to approve their own changes.

Microsoft Advanced Group Policy Management improves on this by providing an optional workflow process that includes role-based delegation, review, and approval before deployment to a live environment. At the same time, it preserves the granular delegation inherent in native Group Policy.

GPMC integration

Group Policy Management Console (GPMC) is the central management interface for Group Policy. Microsoft Advanced Group Policy Management provides smooth integration within GPMC.

If you want to learn more about AGPM, go to the Microsoft Springboard website, where you can find documentation, videos, guides, etc.


Group Policy Management – Steve and Nick’s Tale

One of the main reasons why Windows is so well established as The Enterprise Operating System is the ease of centralized administration. Most of the credit goes to Group Policies. Group Policies are a set of rules that are enforced on workstations and on user profiles, and the user experience changes depending on those rules. That means that a CEO will get a more flexible and open system than a call center user, who will get an OS restricted to the tools he needs to perform his tasks.

Group Policy is extremely powerful, and as Uncle Ben told Peter Parker (a.k.a. Spiderman) – ‘With great power comes great responsibility’. The reason I am bringing that up is that IT departments overlook the importance of controlling access to Group Policy management. Group Policies are live: as soon as you edit a setting it is already in place. Giving control of Group Policy to people without the right skills can be very dangerous and can cost the company productivity and money.

As a real life example, I had the opportunity to work with an education company related to the military services. One of their IT helpdesk people, I will call him Steve, was trying to “open” the internet connection for one of the directors of the business. The director, who was at a resort for a week with his family, wanted to get some work done and was struggling to connect to the internet. Steve, who is a self-taught IT professional, used the tools he felt could address the issue quickly and helped the director, who seemed really happy over the phone. Feeling great because he was able to help a high profile person in the company, Steve went away for his 2 days off, as planned in advance.

Next morning Steve’s boss Nick couldn’t access the internet and started troubleshooting, but it seemed that his proxy settings were not being correctly assigned, and it wasn’t long before other users started calling helpdesk about not being able to access the internet. Nick talked to his team and no one knew what might have caused the issue. Steve was away. That is the point when I was called in.

Trying to gather information on symptoms, we identified that the issue was only affecting managers and directors, therefore very likely to be a proxy setting issue. Trying to get more information I went to the proxy settings in Internet Explorer on Nick’s computer and found that the settings were blank. Nick was surprised that I could even get to the proxy settings, as this was a protected menu in IE. This information was enough to find the cause of the issue. Someone, at some point, had changed a Group Policy containing a few settings. Looking at the recent changes I could identify which policy was changed the previous day, but not who did it or which settings were affected. The policy name didn’t help much as it was named “Directors and Managers”.

I focused on restoring internet connectivity by specifying the proxy settings, which took Nick over 40 minutes to find out due to the lack of documentation. I also restricted access to the connections tab in IE.

With the problem resolved and people back to work just after lunch, I had a meeting with Nick. The first question was “What happened?” The answer was easy: someone changed the Group Policy settings that affect the managers and directors. I restored internet connectivity and secured the menu, but couldn’t guarantee that the other settings were in the state they should be. Then Nick asked, “What can be done to prevent that from happening again?” And my answer was: don’t give users more rights than they really need, and more specifically for this case, make sure that only people who know what they are doing have permissions to manage Group Policy. You can also use Microsoft Advanced Group Policy Management, part of MDOP, one of the benefits you have because you have Software Assurance on your Windows licences.

Two days later I get a call from Nick telling me that Steve did it to help a director and he had no clue what he was doing, but then again, he was never trained by the company to do his job properly.

In short, be careful when assigning permissions for IT admin staff, helpdesk, etc. Always give them the minimum rights they need to be able to perform the tasks they are supposed to do. Many companies give “Domain Admin” rights to a lot of people just because it is easier, and that can cause a lot of issues.
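The tale above left two questions open (which GPO changed, and who could and did change it) and ends with a least-privilege recommendation. The script below is an added example written for this page, not code from the original post, and it covers both: it lists recently modified GPOs, flags anyone holding edit rights beyond the expected admin groups, reads the Directory Service Changes audit trail (event ID 5136) from a domain controller to see who modified a GPO container, and grants edit rights to a named group instead of Domain Admin. The domain controller name, the group names and the “expected editors” list are assumptions. The audit part only returns results if “Audit Directory Service Changes” is enabled and the Policies container has a SACL; without that, event 5136 is never written.

```powershell
# Added example, not code from the original post. Requires the GroupPolicy
# module (RSAT) and rights to read the Security log on a domain controller.
Import-Module GroupPolicy

# Assumed names for this example: the DC to query and the principals expected
# to hold edit rights on GPOs. Anyone else with edit rights is a finding.
$DomainController = 'dc01.example.local'
$ExpectedEditors  = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                      'Group Policy Creator Owners', 'ENTERPRISE DOMAIN CONTROLLERS')

# 1. Which GPOs changed recently? (What the post found by hand in GPMC.)
function Get-RecentlyModifiedGpo {
    param([int]$Days = 2)
    $since = (Get-Date).AddDays(-$Days)
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } |
        Sort-Object ModificationTime -Descending |
        Select-Object DisplayName, Id, ModificationTime
}

# 2. Who holds edit rights on a GPO beyond the expected admin groups?
function Get-UnexpectedGpoEditors {
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object {
            ($_.Permission -in @('GpoEdit', 'GpoEditDeleteModifySecurity')) -and
            ($ExpectedEditors -notcontains $_.Trustee.Name)
        } |
        Select-Object @{n='Gpo'; e={ $GpoName }},
                      @{n='Trustee'; e={ $_.Trustee.Name }},
                      Permission
}

# 3. Who actually modified a GPO? Event 5136 ("A directory service object was
#    modified") carries the subject and the object's DN; GPOs live under
#    CN=Policies,CN=System and have objectClass groupPolicyContainer.
function Get-GpoChangeAudit {
    param([string]$Server, [int]$Days = 2)
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectClass -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    GpoDN     = $data.ObjectDN
                    Attribute = $data.AttributeLDAPDisplayName
                }
            }
        }
}

# 4. The least-privilege fix: delegate edit rights on one GPO to a named group
#    rather than handing out Domain Admin. Group name is assumed.
function Grant-GpoEditToGroup {
    param([string]$GpoName, [string]$Group)
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group -PermissionLevel GpoEdit | Out-Null
}

# Usage
$changed = Get-RecentlyModifiedGpo -Days 2
$changed | Format-Table -AutoSize
$changed | ForEach-Object { Get-UnexpectedGpoEditors -GpoName $_.DisplayName }
Get-GpoChangeAudit -Server $DomainController -Days 2 | Format-Table -AutoSize
# Grant-GpoEditToGroup -GpoName 'Directors and Managers' -Group 'GPO Editors - Managers'
```

Running steps 1 and 2 on a schedule gives you the answer Nick didn’t have: a short list of GPOs that changed and of accounts that were able to change them. Step 3 only works if the audit policy is in place before the change happens, which is the real lesson: turn on Directory Service Changes auditing before you need it.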

Keep it classy IT pros.

2008 Group Policy Planning and Deployment Guide
Advanced Group Policy Management Overview

TechDays Online UK 2011 – Windows 7 and Internet Explorer



TechDays Online UK 2011 was a very interesting event. I had the pleasure of presenting 2 sessions, the first about Windows 7 as the best desktop experience and the second on why Internet Explorer is awesome for the enterprise. All the recordings for TechDays are available at the TechNet UK Team Blog.

I managed to re-encode my sessions so they could be uploaded to YouTube. Enjoy and leave your feedback.


Find the link to the presentations on SlideShare in this other post: http://davidnudelman.com/2011/techdaysuk/