CLI316 Brad McCabe, Product Manager Michael Kleef, Program Manager What we will discuss Introducing Advanced Group Policy Management (AGPM) What’s new in AGPM 4.0 Search Multi-Forest Windows 7/Windows.


CLI316
Brad McCabe, Product Manager
Michael Kleef, Program Manager
What we will discuss
Introducing Advanced Group Policy Management (AGPM)
What’s new in AGPM 4.0
Search
Multi-Forest
Windows 7/Windows Server 2008 R2 Support
How it works “under the covers”
How to get it
Introducing AGPM
What We Want
meat (start)
mat (removed ‘e’)
man (changed ‘t’ to ‘n’)
mane (added ‘e’)
mine (changed ‘a’ to ‘i’)
Know what changed and undo bad changes
Advanced Group Policy Management
Enhancing group policy through change management
What it Does
Versioning, history & rollback of group policy changes
Role-based administration & templates
Workflow
Offline editing
London Borough of Camden
“We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs.”
Simon Boxall, Active Directory Infrastructure Engineer, London Borough of Camden
Benefits
Enable group policy change management
Provides granular administrative control
Reduce risk of widespread failure
Previous version: 3.0
New version: released October 2009
Architecture
[Diagram labels: AGPM Server, Administrative Desktop, Domain Controller, GPO 1, GPO 2, Copy of GPO 1, Copy of GPO 2]
Offline Editing
Edit GPOs offline before deploying live
Differences
added
changed
removed
Compare settings between GPOs
Delegation - Roles
Full Control
Editor
Approver
Reviewer
Define granular control without making everyone a Domain Admin
Workflow
[Diagram labels: Control, Deployment, Check-out, Offline, Reporting, Edit, Requests, Check-in]
Create a repeatable workflow that you can track
How AGPM works:
Editing, Linking, Reporting and Deploying
What’s new in AGPM 4.0
AGPM 4.0 Client and Server Support
Operating system on which AGPM Server 4.0 runs | Operating system on which AGPM Client 4.0 runs | Status of AGPM 4.0 support
Windows Server 2008 R2 | Windows 7/R2 | Supported: Best Experience
Windows Server 2008 R2 | Windows Vista with SP1/2008 | Partially supported: cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Windows Server 2008 | Windows 7/R2 | Unsupported
Windows Server 2008 | Windows Vista with SP1/2008 | Supported with limitations: cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7
Search (Filtering)
What it does
Filters GPOs by properties
Allows for column precision
Maintains a list of the 10 most recent searches
What it doesn’t do
Search for settings
Multi Forest Support
What it does
Allows GPO movement from AGPM to AGPM
Preserves origin metadata
Supports migration tables
What it doesn’t do
Online moves between domains/forests
GPP and migration tables limitation
Windows 7/Server 2008 R2
What was supported
Group Policy Preferences
Reporting for all new extensions
AppLocker, DNSSEC, IE8, Scheduled Tasks
Service execution
RSAT
Authoring
AGPM…the new Stuff
Editing, Searching, Moving and Deploying
Microsoft Desktop Optimization Pack
What you need to know
What the Desktop Optimization Pack provides
1. Provide immediate ROI
• Regular updates
• Faster upgrade cycle, separate from Windows®
• Minimal deployment effort
2. Deliver end-to-end solutions
• Run out of the box
• Integrate with existing management solutions
3. Lower Desktop TCO
• >95% of MDOP customers are (very) satisfied *1
• $70-$80 net cost savings per PC per year using MDOP *2
*1 Microsoft MDOP customer study. Base: Current MDOP customer n=500, non-MDOP customer n=500
*2 MDOP ROI Analysis by Wipro
Helpful Resources
MDOP Blog
http://blogs.technet.com/MDOP/
MDOP TechNet page
http://www.microsoft.com/technet/mdop/
Group Policy TechNet page
http://www.microsoft.com/technet/grouppolicy
Group Policy Team Blog
http://blogs.technet.com/grouppolicy
Group Policy TechNet Forum
http://forums.microsoft.com/TechNet
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should
not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Controlling GPOs
Uncontrolled GPOs are in the production environment
Use “Control” to bring a GPO into AGPM
• Makes a copy of the GPO
• All edits to a controlled GPO are made offline
Generates a “request” for those who don’t have permission to control GPOs
• Approvers can control GPOs
• Required due to updating of permissions on production GPO (used to be Editor role)
Requests
What happens when a request is made?
• Moves GPO to pending tab
• Sends E-mail
When is a request generated?
• Control
• Deploy
• Delete
• Restore
What actions can be taken?
• Approve/Reject – Approver / Full control
• Withdraw – Editor who made request
Deployment
Editor can select “Deploy”
• Does not deploy GPO
• Sends e-mail to AGPM Admin
• Places GPO into “Pending” mode
Select “Deploy” for “Pending” GPO
• Full Control
• Approver
Production Delegation (new in 3.0)
• Flexibility: Improve the security in the production GPOs
• Control: Control permissions on all production GPOs
• Security: Ensure the use of the AGPM tool by other administrators
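The request and deployment workflow on the slides above, modelled as an added example (not code from the presentation or from AGPM itself). The class, method and user names are constructed for illustration, and refusing requests from roles other than Editor is an assumption.

```python
from dataclasses import dataclass, field

REQUEST_ACTIONS = {"control", "deploy", "delete", "restore"}  # per the Requests slide
APPROVING_ROLES = {"Approver", "Full Control"}                # may approve/reject/deploy

@dataclass
class Request:
    gpo: str
    action: str
    requester: str
    state: str = "pending"  # pending -> approved | rejected | withdrawn

@dataclass
class Archive:
    roles: dict                                  # user -> role (constructed data)
    audit: list = field(default_factory=list)    # (user, event, gpo) trail

    def submit(self, user, action, gpo):
        """Perform the action directly, or queue a request for an Editor."""
        if action not in REQUEST_ACTIONS:
            raise ValueError(f"unknown action: {action}")
        role = self.roles.get(user)
        if role in APPROVING_ROLES:
            self.audit.append((user, action, gpo))
            return None                          # done immediately, no request
        if role != "Editor":                     # assumption: others cannot request
            raise PermissionError(f"{user} ({role}) cannot request {action}")
        self.audit.append((user, "request:" + action, gpo))
        return Request(gpo, action, user)

    def decide(self, user, req, approve):
        """Approve or reject a pending request; approving roles only."""
        if self.roles.get(user) not in APPROVING_ROLES:
            raise PermissionError(f"{user} cannot approve or reject")
        self._close(user, req, "approved" if approve else "rejected")

    def withdraw(self, user, req):
        """Only the Editor who filed the request may withdraw it."""
        if user != req.requester:
            raise PermissionError(f"{user} did not make this request")
        self._close(user, req, "withdrawn")

    def _close(self, user, req, state):
        if req.state != "pending":
            raise ValueError("request is already " + req.state)
        req.state = state
        self.audit.append((user, state + ":" + req.action, req.gpo))
```

The audit list records who did what to which GPO, so a deployment can be traced back to both the requesting Editor and the approving account.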
Auditing
Get complete details on what happened, who did it, and why
History
History is a list of complete backups
Rollback to a safe state
Safeguard your live environment from unapproved changes and untested settings
Reporting
Settings
Parity with Group Policy settings reports
Difference
Versions: older compared to newer
Any 2 GPOs
Template: GPO compared to its baseline
Workflow
What we will discuss
What does the future hold for AGPM?
How to get it
New 3.0 Features Overview
OS support
Windows 2008, Vista SP1 with RSAT
64 bit systems
Group Policy Preferences
Localization
11 languages
Granular change tracking
Purge historical data
Delegation
Also…
Improved installation process
Simplified procedure for modifying the port on which the AGPM Server listens
Email security - SSL encryption of SMTP traffic
Friendlier names for AGPM policy settings
The Editor role requires permissions to delete GPOs
Improved GPO role delegation experience
General UI improvements