Sunday 27 July 2014

MDOP 2013 R2: Advanced Group Policy Management to Track GPO Changes

I was recently asked to investigate the Advanced Group Policy Management (AGPM) toolkit to enforce greater compliance and change control of Group Policy Objects in a large enterprise environment. This particular client had several different IT service providers making changes to Active Directory and Group Policy Objects.
You can download the MDOP 2013 R2 ISO from Microsoft.

The first step is to install the AGPM Server onto a Domain Controller in your environment. The installation is very straightforward and uninteresting, so I am not going to cover it in detail. In this example I am also going to install the AGPM Client onto the same Domain Controller.


When the AGPM Server installation completes, a new tab called Change Control will appear in Group Policy Management; this is where the majority of AGPM tasks are done.

Click on the Uncontrolled tab and you will see a list of Group Policy Objects that are not being audited or managed using AGPM. Right-click one of your GPOs and select Control.
This instructs AGPM to audit and track any changes that are made to that GPO. For this example I have deliberately made some policy changes to the AGPM Example GPO.

Click on the Controlled tab, right-click the GPO you have auditing set on, and select Differences and then HTML Report.

AGPM will generate a full HTML report that highlights any changes to that particular GPO.

The History tab also tracks time and date stamps on events and GPO changes.

I have found this tool extremely useful in large enterprise environments where there are multiple Active Directory Administrators (or IT service providers) all working on the Group Policies. It was particularly good when someone accidentally deleted the Default Domain Policy link from a production domain.
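For environments where the GUI report is not enough, or where you want the same drift check to run on a schedule, the following PowerShell is an added example written for this post; it is not code from the post or part of AGPM/MDOP. It takes a JSON snapshot of every GPO (version counters, last-modified time and a hash of the settings report) plus the GPO links on the domain root, and compares two snapshots to list added, modified and deleted GPOs and any root link that has gone missing or been disabled, which is the Default Domain Policy case above. It assumes the GroupPolicy module (GPMC/RSAT) is present on a domain-joined management host, and the snapshot folder path `C:\GPO-Snapshots` is an assumed placeholder.

```powershell
# Added example (not from the post, not part of AGPM): scriptable snapshot-and-compare of
# Group Policy state, a rough counterpart to AGPM's Differences and History views.
# Requires the GroupPolicy module (GPMC / RSAT). $SnapshotRoot is an assumed path.

Import-Module GroupPolicy -ErrorAction Stop

$SnapshotRoot = 'C:\GPO-Snapshots'   # assumed folder for baseline snapshots

function Get-GpoReportHash {
    param([Guid]$GpoId)
    # Get-GPOReport without -Path returns the XML report as a string. The report embeds a
    # <ReadTime> element that changes on every call, so strip it before hashing or every
    # run would look like a change.
    $xml = Get-GPOReport -Guid $GpoId -ReportType Xml
    $xml = $xml -replace '<ReadTime>[^<]*</ReadTime>', ''
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($xml)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

function New-GpoSnapshot {
    # Capture every GPO's version counters, last-modified time and settings hash, plus the
    # GPO links on the domain root, and write them to a timestamped JSON file.
    $domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $gpos = foreach ($g in Get-GPO -All) {
        [pscustomobject]@{
            Id               = $g.Id.ToString()
            DisplayName      = $g.DisplayName
            ModificationTime = $g.ModificationTime.ToString('o')
            UserVersion      = $g.User.DSVersion
            ComputerVersion  = $g.Computer.DSVersion
            SettingsHash     = Get-GpoReportHash -GpoId $g.Id
        }
    }
    $links = foreach ($l in (Get-GPInheritance -Target $domainDn).GpoLinks) {
        [pscustomobject]@{
            GpoId       = $l.GpoId.ToString()
            DisplayName = $l.DisplayName
            Enabled     = $l.Enabled
            Enforced    = $l.Enforced
            Order       = $l.Order
        }
    }
    # @() keeps single-element results as arrays so the JSON shape is stable.
    $snapshot = [pscustomobject]@{ Taken = (Get-Date).ToString('o'); Gpos = @($gpos); RootLinks = @($links) }
    if (-not (Test-Path $SnapshotRoot)) { New-Item -ItemType Directory -Path $SnapshotRoot | Out-Null }
    $file = Join-Path $SnapshotRoot ("gpo-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Compare-GpoSnapshot {
    param([string]$BaselinePath, [string]$CurrentPath)
    $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $curr = Get-Content $CurrentPath  -Raw | ConvertFrom-Json
    $baseById = @{}; foreach ($g in $base.Gpos) { $baseById[$g.Id] = $g }
    $currById = @{}; foreach ($g in $curr.Gpos) { $currById[$g.Id] = $g }

    foreach ($id in $currById.Keys) {
        $c = $currById[$id]
        if (-not $baseById.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'GpoAdded'; Name = $c.DisplayName; Detail = "last modified $($c.ModificationTime)" }
        } elseif ($baseById[$id].SettingsHash -ne $c.SettingsHash -or
                  $baseById[$id].UserVersion -ne $c.UserVersion -or
                  $baseById[$id].ComputerVersion -ne $c.ComputerVersion) {
            $b = $baseById[$id]
            [pscustomobject]@{ Change = 'GpoModified'; Name = $c.DisplayName;
                Detail = "user v$($b.UserVersion)->$($c.UserVersion), computer v$($b.ComputerVersion)->$($c.ComputerVersion), modified $($c.ModificationTime)" }
        }
    }
    foreach ($id in $baseById.Keys) {
        if (-not $currById.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'GpoDeleted'; Name = $baseById[$id].DisplayName; Detail = 'present in baseline only' }
        }
    }
    # A removed or disabled root link (the Default Domain Policy incident) is reported here.
    foreach ($bl in $base.RootLinks) {
        $cl = $curr.RootLinks | Where-Object { $_.GpoId -eq $bl.GpoId }
        if (-not $cl) {
            [pscustomobject]@{ Change = 'RootLinkRemoved'; Name = $bl.DisplayName; Detail = 'link no longer present on the domain root' }
        } elseif ($cl.Enabled -ne $bl.Enabled -or $cl.Enforced -ne $bl.Enforced) {
            [pscustomobject]@{ Change = 'RootLinkChanged'; Name = $bl.DisplayName; Detail = "Enabled $($bl.Enabled)->$($cl.Enabled), Enforced $($bl.Enforced)->$($cl.Enforced)" }
        }
    }
}

# Usage: take a baseline now, take another snapshot later, and diff the two.
# $baseline = New-GpoSnapshot
# $now      = New-GpoSnapshot
# Compare-GpoSnapshot -BaselinePath $baseline -CurrentPath $now | Format-Table -AutoSize
```

The hash of the settings report catches edits that AGPM's Differences view would show, while the DSVersion counters catch a GPO that was touched (versions bumped) even if the settings ended up the same. Keep the snapshot folder somewhere the administrators being audited cannot modify, otherwise the baseline is only as trustworthy as the people it is meant to check.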