Advanced Group Policy Management

When Active Directory was introduced with Windows Server 2000, a rumor circulated that the US federal government had forbidden the use of Group Policy Objects (GPOs) by its administrators until this new capability had been thoroughly studied. That was probably a good idea, since Group Policy can be extremely powerful and has the potential to disrupt an entire network.

Microsoft recommends that new Group Policies be tried on a test network before being deployed to a production environment. Microsoft has also developed tools for testing and troubleshooting GPOs. GPRESULT and Resultant Set of Policy (RSoP) can display the Group Policy settings that are applied to a specific user and computer combination, and can predict how a proposed but unlinked GPO would affect them.
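The following PowerShell script is an added example (not part of the article) that puts the two review tools above side by side before a proposed GPO is linked. It uses the GroupPolicy module that ships with RSAT/GPMC; the account, computer, GPO name and output folder are assumed sample values. The `Get-GPResultantSetOfPolicy` cmdlet and `gpresult` produce the logging-mode report (what is actually applied today), while `Get-GPOReport` renders the settings of the unlinked GPO so a reviewer can read the two together; the modelling (planning-mode) prediction the article mentions is done in the GPMC Group Policy Modeling wizard rather than by a cmdlet.

```powershell
# Added example, not from the article: collect the reports a reviewer needs
# before linking a proposed GPO. Requires the GroupPolicy module (RSAT/GPMC).
Import-Module GroupPolicy

$User     = 'CONTOSO\jdoe'                # assumed sample user account
$Computer = 'WS01'                        # assumed sample workstation
$Proposed = 'Proposed Password Policy'    # assumed name of the unlinked GPO
$OutDir   = 'C:\GPO-Review'               # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Resultant Set of Policy in logging mode: the settings that are applied
#    right now to this user/computer combination, as an HTML report.
Get-GPResultantSetOfPolicy -User $User -Computer $Computer `
    -ReportType Html -Path "$OutDir\rsop-$Computer.html"

# Equivalent command-line form; /X writes XML that can be diffed later,
# /F overwrites an existing file.
gpresult /S $Computer /USER $User /X "$OutDir\rsop-$Computer.xml" /F

# 2. Settings report of the proposed GPO, to read alongside the RSoP report
#    and spot settings that would override what is currently applied.
Get-GPOReport -Name $Proposed -ReportType Html -Path "$OutDir\$Proposed.html"

# 3. Safety check: confirm the GPO is still unlinked, so it cannot already be
#    affecting anyone. The XML report lists every link under <LinksTo>.
[xml]$gpoXml = Get-GPOReport -Name $Proposed -ReportType Xml
$links = $gpoXml.GPO.LinksTo
if ($links) {
    $paths = ($links | ForEach-Object { $_.SOMPath }) -join ', '
    Write-Warning "'$Proposed' is already linked to: $paths"
} else {
    "'$Proposed' is unlinked; review the reports in $OutDir before linking it."
}
```

Run it from a management workstation with GPMC installed, as an account that has read access to the GPO and can query RSoP on the target computer; the HTML files are what you would attach to a change request.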

But it is still difficult to manage GPOs on a large network if many Domain Administrators are permitted to create and link them. Two or more Admins could edit the same GPO with unpredictable results. If "too many cooks spoil the soup" is true for soup, it could also be true for Group Policy.

Microsoft has created a solution named Advanced Group Policy Management (AGPM) for Software Assurance customers. AGPM is a part of the Microsoft Desktop Optimization Pack (MDOP). With AGPM you can put GPOs under AGPM control. Once a GPO is managed by AGPM, only Admins with specific role-based permissions such as Reviewer, Editor and Approver can access it. GPO versioning, with a check-out and check-in requirement, ensures that there is only one true current version of a GPO. AGPM will keep a version history of changes made to a GPO's settings and identify the user who made the changes. AGPM has its own MMC console, which includes a roll-back feature: any disastrous changes made to a GPO can be rolled back to a previous version. So, AGPM can let you have a lot of cooks without spoiling the soup after all.
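As an added example (not from the article, and not AGPM's own tooling), the script below shows the shape of the check-out, check-in and roll-back workflow with nothing but the native GroupPolicy cmdlets: it lists who currently holds edit rights on a GPO, takes a commented backup before editing, detects that the GPO changed by comparing its AD version counters, archives a settings report as a version record, and shows the restore command for rolling back. The GPO name, backup folder and ticket reference are assumed placeholders. What this does not give you is the enforced single check-out and the record of who made each change; that is exactly what AGPM's roles and version history add.

```powershell
# Added example, not from the article or from AGPM: a minimal versioned
# backup / compare / restore workflow using the native GroupPolicy cmdlets.
Import-Module GroupPolicy

$GpoName   = 'Workstation Hardening'   # assumed sample GPO
$BackupDir = 'C:\GPO-Backups'          # assumed archive location

function Get-GpoVersionStamp {
    # Snapshot of the GPO's version counters and last write time. Every edit
    # increments the AD (DS) counter; AD and SYSVOL halves should normally agree.
    param([string]$Name)
    $g = Get-GPO -Name $Name
    [pscustomobject]@{
        Name           = $g.DisplayName
        Modified       = $g.ModificationTime
        UserDS         = $g.User.DSVersion
        UserSysvol     = $g.User.SysvolVersion
        ComputerDS     = $g.Computer.DSVersion
        ComputerSysvol = $g.Computer.SysvolVersion
    }
}

# Review: who can edit this GPO? Any trustee beyond the expected editors is
# the "too many cooks" problem the article describes.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# "Check out": take a backup before anyone edits, with a comment that records
# why. Backup-GPO returns an object whose Id identifies this version later.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$before = Get-GpoVersionStamp $GpoName
$backup = Backup-GPO -Name $GpoName -Path $BackupDir `
    -Comment 'Pre-edit snapshot, change ticket CHG-PLACEHOLDER'
"Backup $($backup.Id) of '$GpoName' taken at $($backup.CreationTime)"

# ... the edit itself happens in the Group Policy Management Editor ...

# "Check in": compare the counters and, if anything changed, keep a settings
# report next to the backup as the human-readable version record.
$after = Get-GpoVersionStamp $GpoName
if ($after.UserDS -ne $before.UserDS -or $after.ComputerDS -ne $before.ComputerDS) {
    Get-GPOReport -Name $GpoName -ReportType Html -Path "$BackupDir\$($backup.Id)-after.html"
    "GPO changed: user $($before.UserDS)->$($after.UserDS), " +
    "computer $($before.ComputerDS)->$($after.ComputerDS), at $($after.Modified)"
} else {
    "No change to '$GpoName' since the snapshot."
}

# Roll back: restore the most recent backup of this GPO from the archive.
# Pass -BackupId $backup.Id instead to pick a specific version.
# Restore-GPO -Name $GpoName -Path $BackupDir
```

The restore line is left commented so the script can be run as a read-and-snapshot pass; uncomment it only when you actually want to revert. A version whose AD counter moved while its SYSVOL counter did not (or vice versa) is worth investigating before restoring anything, since the two halves are replicated separately.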

Check out Microsoft's AGPM video tour at:
