Group Policy: potentially one of the most powerful built-in features in an IT Administrator's arsenal
In his regular column, Kingsley Starling helps out with desktop deployment and management. This month the focus is on the power of Group Policy for managing the users and computers within your Active Directory environment.
So if Group Policy is managing the users and computers, who (or rather what) is managing Group Policy?
By now most organisations will be using the Group Policy Management Console (GPMC). This tool gives IT Administrators a central console for viewing and configuring all the properties of a Group Policy Object (GPO), and it also provides backup and restore, import and export, troubleshooting and reporting. However, it does have some real limitations.
Let's say for example that you have a GPO applying to your computers that configures some security settings. When you edit this GPO with the standard GPO Editor there is no save step: each setting is written to the live GPO as soon as you click OK, and computers pick it up at their next Group Policy refresh. What if you make a mistake as part of that edit?
Worse, how do you roll back the incorrect edit? And how do you know who made the change in the first place? The GPMC shows when a GPO was last modified but not by whom, so if every member of the Domain Admins group can edit it, the change is effectively anonymous.
These are the questions that Advanced Group Policy Management (AGPM) sets out to answer. Available to Microsoft Software Assurance customers as part of the Microsoft Desktop Optimization Pack (MDOP), AGPM provides the pieces that organisations really need and that the standard GPMC lacks.
It gives you:
- Change Control
- Offline editing of GPOs
- Role-based delegation
- Integration with the GPMC
Let’s take a quick look at each of these areas:
Change Control
When you edit a GPO with AGPM, a copy is taken and it is that copy you edit; every time an edited copy is checked back into the archive, the previous version is kept. So if a mistake is made to a GPO and deployed to the live environment, you can very quickly roll back to an earlier version. Nor is this limited to one previous version: every version held in the archive is available to choose from.
As an added bonus, you can run a difference report comparing the current live GPO against any of its previous versions and see the differences at a glance. In fact, you can run a difference report on any two GPOs, whether they are previous versions of the same GPO or two entirely different GPOs. The report is produced as an easy-to-read HTML document for analysing their contents.
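To make the gap concrete, here is what the same versioning, rollback and difference report look like when scripted by hand against the standard GPMC. This is an added example, not code from this column and not part of AGPM (AGPM is driven from the GPMC console and has no cmdlets of its own); it uses the GroupPolicy PowerShell module that ships with the GPMC on Windows Server 2008 R2 and the matching RSAT. The GPO name and archive folder are assumptions. Each snapshot keeps an XML settings report beside the backup so two versions can be compared later, and the comparison skips the timestamp and version-counter elements that change on every report.

```powershell
# Added example (not from the article, not part of AGPM): hand-rolled versioning,
# rollback and difference report using the GroupPolicy module from the GPMC.
# The GPO name and archive folder below are assumptions.
Import-Module GroupPolicy

$GpoName    = 'Workstation Security'   # assumed: the live GPO being edited
$ArchiveDir = 'C:\GPOArchive'          # assumed: where versions are kept

function New-GpoVersion {
    # Snapshot the live GPO (settings and ACL; links are not part of a backup)
    # and keep an XML settings report beside it for later comparison.
    param([string]$Name, [string]$Archive, [string]$Comment)
    New-Item -ItemType Directory -Path $Archive -Force | Out-Null
    $backup = Backup-GPO -Name $Name -Path $Archive -Comment $Comment
    Get-GPOReport -Name $Name -ReportType Xml -Path (Join-Path $Archive "$($backup.Id).xml")
    # Record the version in a simple index: backup id, GPO, comment, time
    $line = '{0},{1},{2},{3:o}' -f $backup.Id, $Name, $Comment, $backup.CreationTime
    Add-Content -Path (Join-Path $Archive 'versions.csv') -Value $line
    return $backup
}

function Get-GpoVersions {
    # List the snapshots taken of a GPO, oldest first
    param([string]$Name, [string]$Archive)
    Import-Csv -Path (Join-Path $Archive 'versions.csv') -Header Id, Gpo, Comment, Time |
        Where-Object { $_.Gpo -eq $Name }
}

function Compare-GpoVersion {
    # Line-level difference between two snapshots' settings reports. AGPM's HTML
    # report is richer; this shows which report lines were added or removed.
    param([string]$Archive, [guid]$OldId, [guid]$NewId)
    $volatile = '<ReadTime>|<ModifiedTime>|<VersionDirectory>|<VersionSysvol>'
    $old = Get-Content (Join-Path $Archive "$OldId.xml") | Where-Object { $_ -notmatch $volatile }
    $new = Get-Content (Join-Path $Archive "$NewId.xml") | Where-Object { $_ -notmatch $volatile }
    Compare-Object -ReferenceObject $old -DifferenceObject $new |
        ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
            '{0} {1}' -f $tag, $_.InputObject.Trim()
        }
}

function Restore-GpoVersion {
    # Roll the live GPO back to a chosen snapshot (settings and ACL; links untouched)
    param([string]$Archive, [guid]$BackupId)
    Restore-GPO -BackupId $BackupId -Path $Archive
}

# Usage (assumed names): snapshot, edit in the GPO Editor, snapshot again, compare, roll back
$before = New-GpoVersion -Name $GpoName -Archive $ArchiveDir -Comment 'before edit'
# ... edit $GpoName in the GPO Editor; every click of OK is already live ...
$after  = New-GpoVersion -Name $GpoName -Archive $ArchiveDir -Comment 'after edit'
Compare-GpoVersion -Archive $ArchiveDir -OldId $before.Id -NewId $after.Id
Get-GpoVersions -Name $GpoName -Archive $ArchiveDir
Restore-GpoVersion -Archive $ArchiveDir -BackupId $before.Id    # roll back the edit
# The standard tooling records when, not who: Get-GPO has no modified-by property
Get-GPO -Name $GpoName | Select-Object DisplayName, Owner, ModificationTime
```

The weakness is plain from the usage: the "before" snapshot only exists if the administrator remembers to take it, and the edit is live from the first click of OK regardless. That is the window AGPM closes by taking the copy for you. For the "who" question, the only answer the standard platform offers is auditing: with Directory Service Changes auditing enabled on the domain controllers, event ID 5136 records the account that modified the groupPolicyContainer object, although changes to the SYSVOL half of the GPO need file-system auditing as well.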
Offline Editing
Yet another important feature is the ability to edit GPOs offline. As I said earlier, make a change to a GPO with the standard GPMC and it is instantly live, applying to users and/or computers. AGPM instead keeps its own archive of the GPOs, also known as the offline store.
When you edit a GPO in AGPM it is a copy in that archive which is edited: the GPO is checked out, edited, and checked back in. Saving the GPO by closing the GPO Editor therefore does not make it live. To make it apply to users or computers the GPO must be 'deployed', an action taken by an administrator with the right permission that copies the archived version over the live GPO in the domain.
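The staged edit and gated deploy described here can be approximated with standard GPMC cmdlets, and doing it by hand shows what AGPM automates. The following is an added example, not code from this column or from AGPM; the GPO names and backup folder are assumptions. The live GPO is copied to a staging GPO that is never linked anywhere, the staging GPO is edited in the ordinary GPO Editor, and a separate 'deploy' step imports its settings into the live GPO after snapshotting the live one and checking that the staging copy has not quietly acquired a link.

```powershell
# Added example (not from the article, not part of AGPM): offline editing via an
# unlinked staging GPO with an explicit deploy step, using the GroupPolicy module.
# GPO names and the backup folder are assumptions.
Import-Module GroupPolicy

$LiveGpo    = 'Workstation Security'            # assumed: linked, in production
$StagingGpo = 'STAGING - Workstation Security'  # assumed: must never be linked
$BackupDir  = 'C:\GPOStaging'                   # assumed

function Get-GpoLinks {
    # Return the paths (domain, OU or site) a GPO is linked to, from its XML report
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
}

function New-GpoStagingCopy {
    # Copy-GPO creates a new GPO with the same settings but no links, so edits to it
    # reach no user or computer until deployed. Refuse to clobber an existing staging
    # GPO: someone may have pending edits in it.
    if (Get-GPO -Name $StagingGpo -ErrorAction SilentlyContinue) {
        throw "Staging GPO '$StagingGpo' already exists; deploy or delete it first."
    }
    Copy-GPO -SourceName $LiveGpo -TargetName $StagingGpo
}

function Publish-GpoStagingCopy {
    # The 'deploy' step. Guard: a staging GPO that has been linked is already live,
    # which defeats the purpose of staging.
    $links = Get-GpoLinks -Name $StagingGpo
    if ($links.Count -gt 0) {
        throw "Staging GPO '$StagingGpo' is linked to: $($links -join ', '). Unlink it before deploying."
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # Snapshot the live GPO so the deployment can be reversed with Restore-GPO
    $rollback = Backup-GPO -Name $LiveGpo -Path $BackupDir -Comment 'pre-deploy'
    # Import-GPO copies settings only (not links or security filtering) into the live GPO
    $staged = Backup-GPO -Name $StagingGpo -Path $BackupDir -Comment 'staged settings'
    Import-GPO -BackupId $staged.Id -Path $BackupDir -TargetName $LiveGpo | Out-Null
    Remove-GPO -Name $StagingGpo
    return $rollback   # $rollback.Id undoes the deploy: Restore-GPO -BackupId <id> -Path $BackupDir
}

# Usage (assumed names)
New-GpoStagingCopy
# ... edit 'STAGING - Workstation Security' in the GPO Editor; nothing is applying yet ...
$undo = Publish-GpoStagingCopy
# If the deployment turns out to be wrong:
# Restore-GPO -BackupId $undo.Id -Path $BackupDir
```

Two things this cannot give you and AGPM can: nothing stops an account with edit rights on the live GPO from bypassing the staging copy and editing production directly, and nothing records who requested or performed the deployment.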
Role-Based Delegation
The role-based element of AGPM introduces an optional workflow, with specific roles for the people who administer GPOs. Four roles are provided by default:
- AGPM Administrator
- Approver
- Editor
- Reviewer
This enables IT Administrators to delegate particular responsibilities to different members of the IT department. A common arrangement is to have Editors who create or edit GPOs but do not have permission to deploy them; deployment must be done by an Approver.
A further useful feature is e-mail notification. An Approver is automatically notified when an Editor or Reviewer submits a request that needs their attention, such as a request to deploy a GPO.
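AGPM's roles are assigned in its Change Control node of the GPMC and have no cmdlets of their own, but the Editor/Approver split maps onto two permissions the standard platform already keeps separate: editing a GPO's settings, and linking the GPO to an OU. As an added example, not from this column or from AGPM, the following grants those separately with the GroupPolicy module and dsacls.exe; the group names, GPO name and OU are assumptions.

```powershell
# Added example (not from the article, not part of AGPM): the nearest standard-GPMC
# equivalent of Editor, Reviewer and Approver, using the GroupPolicy module and dsacls.
# Group names, GPO name and OU are assumptions.
Import-Module GroupPolicy

$GpoName   = 'Workstation Security'                 # assumed
$Editors   = 'CORP\GPO Editors'                     # assumed AD groups, DOMAIN\name form
$Reviewers = 'CORP\GPO Reviewers'
$Approvers = 'CORP\GPO Approvers'
$TargetOu  = 'OU=Workstations,DC=corp,DC=example'   # assumed OU the GPO is linked to

function Set-GpoRoleDelegation {
    # Editors: change settings, but cannot delete the GPO or alter its permissions
    Set-GPPermission -Name $GpoName -TargetName ($Editors -replace '^.*\\') `
        -TargetType Group -PermissionLevel GpoEdit | Out-Null
    # Reviewers: read the settings only
    Set-GPPermission -Name $GpoName -TargetName ($Reviewers -replace '^.*\\') `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    # Approvers: may link and unlink GPOs on the OU. A link is a write to the OU's
    # gPLink and gPOptions attributes, which Set-GPPermission does not cover.
    dsacls $TargetOu /G "${Approvers}:RPWP;gPLink"    | Out-Null
    dsacls $TargetOu /G "${Approvers}:RPWP;gPOptions" | Out-Null
}

function Get-GpoRoleDelegation {
    # Show who holds what on the GPO itself (the link right lives on the OU, not here)
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Usage (assumed names)
Set-GpoRoleDelegation
Get-GpoRoleDelegation
```

The caveat is the reason the Editor/Approver split needs AGPM rather than this: standard delegation only gates the link. Once a GPO is linked, an account with GpoEdit on it changes production directly, so the separation above holds only for GPOs that are not yet linked. AGPM's archive is what makes an Editor's work harmless until an Approver deploys it.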
Integration into GPMC
Once AGPM is installed it adds a Change Control node to the standard GPMC console. IT Administrators don't have to learn a new interface, so most members of the IT department should find AGPM easy to get to grips with.
In summary, implementing AGPM gives an organisation a more secure and better managed environment for desktop management through Group Policy, and so helps to reduce the TCO of the Windows desktop estate.
About the author: Kingsley Starling has been providing infrastructure consultancy in Microsoft technologies for over 11 years. He specialises in Active Directory and Group Policy infrastructure designs as well as planning and implementing automated deployment solutions. Kingsley provides his services to medium and large organisations through his company Konsultancy.