Showing posts with label Group Policy.

Sunday, 27 July 2014

MDOP 2013 R2: Advanced Group Policy Management to Track GPO Changes

I was recently asked to investigate the Advanced Group Policy Management (AGPM) toolkit to enforce stronger compliance and change control over Group Policy objects in a large enterprise environment. This particular client had several different IT service providers making changes to Active Directory and to the Group Policy objects.

You can download the MDOP 2013 R2 ISO from Microsoft.

The first step is to install the AGPM Server on to a server in your environment; in this example it is a Domain Controller. The installation is straightforward and uninteresting, so I am not going to cover it in detail. In this example I am also going to install the AGPM Client on to the same Domain Controller.

When the AGPM Server installation completes, a new node called Change Control appears under the domain in the Group Policy Management Console; this is where the majority of AGPM tasks are done.

Click on the Uncontrolled tab and you will see a list of Group Policy Objects that are not yet managed or tracked by AGPM. Right-click one of your GPOs and select Control.
Placing a GPO under control imports a copy of it into the AGPM archive, and every subsequent check-in is stored there as a new version. Edits made through AGPM (check out, edit, check in) are recorded with the editor's name and comment; edits made directly to the production GPO outside AGPM are not versioned automatically, but they do show up when you compare the archived copy against production. For this example I have deliberately made some policy changes to the AGPM Example GPO.

Click on the Controlled tab, right-click the GPO you have placed under control, and select Differences, then HTML Report.

AGPM will generate a full HTML report that highlights any changes to that particular GPO.

The History view also records each version with a date and time stamp, the user who checked it in, and the comment entered at check-in, so you can see who changed what and when.

I have found this tool extremely useful in large enterprise environments where multiple Active Directory administrators (or IT service providers) all work on the Group Policies. It was particularly good when someone accidentally deleted the Default Domain Policy link from a production domain.
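As an added example (this is not code from the original post or from AGPM itself), the script below covers the gap mentioned above: changes made to production GPOs outside AGPM. It snapshots the version counters of every GPO using only the built-in GroupPolicy module, diffs a later snapshot against the baseline, and saves an HTML settings report for anything that changed. The snapshot folder C:\GpoSnapshots is an assumed location.

```powershell
# Added example, not from the original post: snapshot the version counters of every GPO
# in the current domain and diff a later snapshot against it, so that edits made outside
# AGPM (which the AGPM archive does not capture by itself) are still noticed.
# Assumptions: RSAT/GPMC is installed, the account can read all GPOs, and
# C:\GpoSnapshots is an arbitrary example location.
Import-Module GroupPolicy

$SnapshotDir  = 'C:\GpoSnapshots'
$BaselineFile = Join-Path $SnapshotDir 'baseline.xml'

function Get-GpoSnapshot {
    # Every edit to a GPO bumps the AD (DS) version of the user and/or computer half and
    # updates ModificationTime; the SYSVOL versions should match the DS versions once
    # replication has caught up.
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id                = $_.Id.ToString()
            DisplayName       = $_.DisplayName
            ModificationTime  = $_.ModificationTime
            UserDSVersion     = $_.User.DSVersion
            UserSysvolVersion = $_.User.SysvolVersion
            CompDSVersion     = $_.Computer.DSVersion
            CompSysvolVersion = $_.Computer.SysvolVersion
        }
    }
}

function Compare-GpoSnapshot {
    param(
        [Parameter(Mandatory)] $Baseline,
        [Parameter(Mandatory)] $Current
    )
    $baseById = @{}
    foreach ($g in $Baseline) { $baseById[$g.Id] = $g }

    foreach ($g in $Current) {
        if (-not $baseById.ContainsKey($g.Id)) {
            [pscustomobject]@{ Id = $g.Id; GPO = $g.DisplayName; Change = 'Created'; Detail = $g.ModificationTime }
            continue
        }
        $b = $baseById[$g.Id]
        $baseById.Remove($g.Id)
        if ($g.UserDSVersion -ne $b.UserDSVersion -or $g.CompDSVersion -ne $b.CompDSVersion -or
            $g.ModificationTime -ne $b.ModificationTime) {
            [pscustomobject]@{
                Id = $g.Id; GPO = $g.DisplayName; Change = 'Modified'
                Detail = "user $($b.UserDSVersion)->$($g.UserDSVersion), computer $($b.CompDSVersion)->$($g.CompDSVersion), at $($g.ModificationTime)"
            }
        }
        # A DS/SYSVOL mismatch is either replication lag or someone editing SYSVOL by hand.
        if ($g.UserDSVersion -ne $g.UserSysvolVersion -or $g.CompDSVersion -ne $g.CompSysvolVersion) {
            [pscustomobject]@{
                Id = $g.Id; GPO = $g.DisplayName; Change = 'DS/SYSVOL mismatch'
                Detail = "user $($g.UserDSVersion)/$($g.UserSysvolVersion), computer $($g.CompDSVersion)/$($g.CompSysvolVersion)"
            }
        }
    }
    # Anything left in the baseline map no longer exists in the domain.
    foreach ($b in $baseById.Values) {
        [pscustomobject]@{ Id = $b.Id; GPO = $b.DisplayName; Change = 'Deleted'; Detail = '' }
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
if (-not (Test-Path $BaselineFile)) {
    Get-GpoSnapshot | Export-Clixml -Path $BaselineFile
    Write-Host "Baseline written to $BaselineFile; run again later to see what changed."
} else {
    $changes = Compare-GpoSnapshot -Baseline (Import-Clixml -Path $BaselineFile) -Current (Get-GpoSnapshot)
    $changes | Format-Table GPO, Change, Detail -AutoSize
    # Keep a full settings report of each modified GPO for the change record.
    foreach ($c in ($changes | Where-Object { $_.Change -eq 'Modified' })) {
        $report = Join-Path $SnapshotDir ("{0}-{1:yyyyMMdd-HHmm}.html" -f $c.Id, (Get-Date))
        Get-GPOReport -Guid $c.Id -ReportType Html -Path $report
    }
}
```

Run it once to write the baseline and again (for example from a scheduled task) to list what changed. The GPO object itself does not tell you who made an out-of-band change; for that you need Directory Service Changes auditing with a SACL on the Group Policy container, which logs Security event ID 5136 on the Domain Controller that took the write. Changes that go through AGPM already carry the user and comment in the History view.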

Tuesday, 24 June 2014

DirectAccess GPOs Error "Required GPO Permissions" when not Enterprise Admin

You are deploying DirectAccess in a multi-domain, single-forest environment. Clients and users reside in one domain and the DirectAccess servers in another, with the standard two-way trusts between the domains. The forest root domain is separate from these two domains and hosts the Schema Master and Domain Naming Master FSMO roles.

When you run the DirectAccess wizard and are about to commit changes to the GPOs, you receive the error "Required GPO Permissions" on the client settings GPO.

The cause is that the account provisioning DirectAccess is not a member of the forest-wide Enterprise Admins group. Add the account to Enterprise Admins, or log in with an elevated account that already has this level of access. By default Enterprise Admins has Full Control over every domain in the forest, so keep its membership to a minimum: if you add the provisioning account, do it only for the duration of the deployment and remove it again once the wizard has committed the GPOs. Note that the new group membership only appears in a logon token created after the change, so start a fresh session before re-running the wizard.

When you re-run the wizard with the correct credentials, the error no longer appears and it allows you to continue.
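As an added example (not code from the original post), the script below does the pre-flight checks implied above before anyone reaches for Enterprise Admins: it reports whether the provisioning account is already an Enterprise Admin, what rights it has on the client settings GPO in the client domain, and wraps any elevation in a try/finally so the account is removed from the group again even if the deployment step fails. The domain names, the GPO name and the account are assumed placeholders, and the provisioning account is assumed to live in the domain the script runs in.

```powershell
# Added example, not from the original post: check what the account about to run the
# DirectAccess wizard actually holds, and make any Enterprise Admins elevation temporary.
# Assumptions: RSAT (ActiveDirectory and GroupPolicy modules) is installed; the domain
# names, GPO name and account below are hypothetical placeholders; the provisioning
# account is in the domain this script runs in.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ClientDomain     = 'clients.corp.example'          # domain holding the DirectAccess client computers
$ClientGpoName    = 'DirectAccess Client Settings'  # name the wizard will create or reuse
$ProvisioningUser = 'CORP\da.deploy'                # account that runs the Remote Access wizard

function Test-EnterpriseAdmin {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Enterprise Admins exists only in the forest root domain, so query a root-domain DC.
    $forestRoot = (Get-ADForest).RootDomain
    $members = Get-ADGroupMember -Identity 'Enterprise Admins' -Server $forestRoot -Recursive
    return [bool]($members | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

function Get-ClientGpoRights {
    param([string]$GpoName, [string]$Domain, [string]$Trustee)
    # Returns the GPMC permission level the trustee has on the GPO in the client domain,
    # or notes that the GPO does not exist yet (then the wizard needs rights to create it).
    $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { return 'GPO not found: wizard must be able to create it' }
    $perm = Get-GPPermission -Guid $gpo.Id -DomainName $Domain -TargetName $Trustee `
                             -TargetType User -ErrorAction SilentlyContinue
    if ($perm) { return [string]$perm.Permission } else { return 'None' }
}

function Invoke-WithTemporaryEnterpriseAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    # Resolve the user to an AD object so the DN is used when adding across domains.
    $forestRoot = (Get-ADForest).RootDomain
    $user = Get-ADUser -Identity $SamAccountName
    Add-ADGroupMember -Identity 'Enterprise Admins' -Members $user -Server $forestRoot
    try {
        # The membership is only in tokens issued after this point: the wizard must run in a
        # new logon session (for example via runas), which is why the action just waits here.
        & $Action
    }
    finally {
        Remove-ADGroupMember -Identity 'Enterprise Admins' -Members $user -Server $forestRoot -Confirm:$false
    }
}

$sam = $ProvisioningUser.Split('\')[-1]
"Enterprise Admin already: {0}" -f (Test-EnterpriseAdmin -SamAccountName $sam)
"Rights on '{0}' in {1}: {2}" -f $ClientGpoName, $ClientDomain,
    (Get-ClientGpoRights -GpoName $ClientGpoName -Domain $ClientDomain -Trustee $ProvisioningUser)

# Elevate only for the duration of the deployment, then drop the membership again.
Invoke-WithTemporaryEnterpriseAdmin -SamAccountName $sam -Action {
    Read-Host 'Run the Remote Access wizard as the provisioning account in a new session, then press Enter'
}
```

If Get-ClientGpoRights already reports GpoEditDeleteModifySecurity on a pre-created client GPO, you may not need the elevation at all; the forest-wide group is the blunt fix, not the least-privilege one.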