Fault Detection and Isolation

In document Universitat Politècnica de Catalunya (pages 74-79)

The installation prerequisites for the two AGPM components are that both the AGPM Server and the AGPM Client can be installed on Windows Vista (32-bit version) or Windows Server 2003 (32-bit version). The GPMC must also be installed on the chosen server and client. The user account used to install the AGPM Server needs to be a member of the Domain Admins group.

Note

Installation of both the Server and Client components is required. Installing just one component will not allow a healthcare organisation to take advantage of the benefits and advanced features of AGPM.

Installation of the AGPM on 64-bit versions of Windows is not currently supported.

The AGPM Client can be installed on the same computer on which AGPM Server has been installed.

Recommendation

In a test environment, the AGPM Server and Client can be installed on the same computer; however, it is recommended that in a production environment these two components are installed on different computers.

Consider installing the AGPM Server on a domain member server which has the capacity to store the archive of the GPOs. Once the AGPM Server is installed, it is possible to modify the archive path at a later date should it become necessary to do so.

All GPO Administrators should have the AGPM Client installed, ensuring that all access to GPOs is maintained through the change control process.

The installation and configuration of AGPM is a relatively simple process but one that requires a number of steps. The following list can be used as a checklist to ensure all of these steps have been completed:

1. Install the AGPM Server.

2. Install the AGPM Client.

3. Configure an AGPM Server Connection.

4. Configure e-mail notification.

5. Delegate Access.

Note

It is not possible to migrate an archive from an AGPM Server running on Windows Server 2003 to an AGPM Server running on Windows Vista.

If installing AGPM Server onto Windows Server 2003 which already has GPOVault Server installed, allow the installation of AGPM Server to uninstall GPOVault Server, as this will automatically transfer any existing GPOVault archive data to an AGPM archive.

By default, the Link GPOs permission is assigned to only members of the Domain Administrators and Enterprise Administrators security groups. To assign the Link GPOs permission to additional users or groups, you should use the Delegation tab within GPMC.

8.2.2.1 Install the AGPM Server

The computer on which AGPM Server is installed will host the AGPM Service and manage the archive.

To install the AGPM Server:

1. Log on to the computer which will act as the AGPM Server using an account that is a member of the Domain Admins group.

2. Perform one of the following to start the Microsoft Advanced Group Policy Management – Server Setup Wizard:

  Insert the Microsoft Desktop Optimization Pack CD and select Advanced Group Policy Management – Server

  In Windows Explorer, locate and double-click the AGPMServer.msi file

The Microsoft Advanced Group Policy Management – Server Setup Wizard launches and the Welcome page displays:

3. Click Next. The Microsoft Software License Terms page displays:

4. Read and accept the terms by selecting the I accept the license terms check box.

5. Click Next. The Application Path page displays:

6. Type the location where the AGPM Server will be installed, or click Change… to browse to the destination folder.

7. Click Next. The Archive Path page displays:

8. Type the path for where the archive will be located, or click Change… to browse to the destination folder.

9. Click Next. The AGPM Service Account page displays:

10. Enter the credentials of the account to be used.

11. Click Next. The Archive Owner page displays:

12. Enter the name of the User Account [82] that will act as the initial owner and therefore have full permissions over all GPOs.

Note

The User Account used as the initial Archive Owner can be a temporary assignment. The purpose of this account is to allow the specified user to add further users, or groups of users, and assign appropriate AGPM permissions to them. These permissions can follow the standard set available using the AGPM Admin, Approver, Editor and Reviewer roles, or customised further if appropriate.

13. Click Next. The Ready to install Microsoft Advanced Group Policy Management – Server page displays:

14. Click Install.

15. Once installation of the Microsoft Advanced Group Policy Management – Server is complete, click Finish.

Note

As part of this installation, step 9 provides the AGPM Service Account page. This page may appear differently depending upon the computer on which the AGPM Server component is being installed. If the installation is carried out on a DC or Member Server, an additional option is available to select the Local System account.

Only choose to use the Local System account if installing within a single domain and on a DC. If installing on a Member Server or other domain client, specify a different account, as only the Local System account of a DC will have access to the domain GPOs.

If specifying a different account, ensure that it has full access to all GPOs that the AGPM will manage.

This is done by adding the service account user with the permissions of ‘Edit settings, delete, modify security’ in the Delegation tab of each GPO.

[82] It is recommended that a user group is specified, as the membership of the group can change whilst the group remains the overall archive owner.

8.2.2.2 Install the AGPM Client

Each GPO Administrator requires the AGPM Client installed.

To install the AGPM Client:

1. Perform one of the following to start the Microsoft Advanced Group Policy Management – Client Setup Wizard:

  Insert the Microsoft Desktop Optimization Pack CD and select Advanced Group Policy Management – Client

  In Windows Explorer, locate and double-click the AGPMClient.msi file

2. The Microsoft Advanced Group Policy Management – Client Setup Wizard launches and the Welcome page displays:

3. Click Next. The Microsoft Software License Terms page displays:

4. Read and accept the terms by selecting the I accept the license terms check box.

5. Click Next. The Application Path page displays:

6. Type the location for installing the AGPM Client, or click Browse… to browse to the destination folder.

7. Click Next. The AGPM Server page displays:

8. Specify the fully qualified DNS Name of the AGPM Server and the Port on which to connect. By default, the port number is 4600.

9. Click Next. An information dialog box may be presented informing the user that the chosen port is required for client/server communication.

10. Click Yes to add the port to the Windows Firewall exceptions list.

11. Click Next on the AGPM Server page again to proceed to the Ready to install Microsoft Advanced Group Policy Management – Client page.

12. Click Install. The Completed the Microsoft Advanced Group Policy Management – Client Setup Wizard page displays:

13. Click Finish to close the wizard.

8.2.2.3 Configure an AGPM Server Connection

It is important to ensure that all GPO Administrators connect to the same AGPM Server. The following steps use a GPO to configure this connection; this can be either a new GPO or an existing GPO that is applied to all GPO Administrators.

To configure the connection using a GPO:

1. Open the Group Policy Management Console (Start > Administrative Tools > Group Policy Management).

2. In the GPMC, edit or create a GPO that is applied to all GPO Administrators.

3. In the Group Policy Object Editor, expand User Configuration > Administrative Templates > Windows Components.

4. If AGPM is not listed under Windows Components:

a. Right-click Administrative Templates and select Add/Remove Templates.

b. Click Add and select either AGPM.ADMX or AGPM.ADM.

c. Click Open followed by Close.

d. The Group Policy Object Editor window may need to be refreshed by clicking the Refresh button in order to view the AGPM component under Windows Components.

5. Under Windows Components, click AGPM.

6. In the right-hand details pane, double-click AGPM Server (all domains).

7. In the AGPM Server (all domains) Properties window, click Enabled.

8. Type the fully qualified computer name and the port number, in the following format:

servername.domainname.com:portnumber

9. Click OK.

10. Close the Group Policy Object Editor.

Once this GPO is deployed to the GPO Administrators, the installation of the AGPM Client will be preconfigured with the server name and port number.

Note

For large healthcare organisations, it is possible to have multiple AGPM Servers should the environment require it. In this instance, refer to the Advanced Group Policy Management help file topic: AGPM Server Connection Settings. This help file is installed to the Application Path as specified during the installation of either the AGPM Server or AGPM Client.

Recommendation

Within the GPO edited in the steps above, the AGPM Server (all domains) setting was configured. It is recommended that, as a minimum, this setting is configured and applied to all GPO Administrators. Should certain GPO Administrators use a different AGPM Server, utilise the AGPM Server setting and apply it to those GPO Administrators. The AGPM Server GPO setting overrides the AGPM Server (all domains) setting.

For example, create a baseline GPO that configures the AGPM Server (all domains) setting and have this apply to all GPO Administrators. Then create an incremental GPO that configures the AGPM Server setting and have this applied to only those GPO Administrators which use a different AGPM Server to the default.

8.2.2.4 Configure E-mail Notification

The configuration of e-mail notification provides the ability to specify one or more e-mail addresses to which a request for an action is sent. The action could come from an Editor or Reviewer who is requesting the creation, deployment or deletion of a GPO. See section 8.2.5 for further details on roles and actions.

To configure e-mail notification:

1. Using an AGPM Administrator account, open the Group Policy Management Console (click Start or the Windows button, point to Administrative Tools and then click Group Policy Management).

2. Click Change Control in the domain in which the GPOs are to be managed.

3. In the right-hand details pane, click the Domain Delegation tab.

4. In the From field, type the e-mail alias for AGPM from which notifications should be sent.

5. In the To field, type a list of e-mail addresses of Approvers who should receive the requests. The e-mail addresses should be separated by commas.

6. In the SMTP Server field, type the name of an SMTP mail server to use to send the requests.

7. In the User name and Password fields, type the credentials of a user with access to the SMTP service.

8. Click Apply to configure e-mail notification.

Note

E-mail notification for AGPM is a domain-level setting. Different Approver e-mail addresses or AGPM e-mail aliases can be provided on each domain's Domain Delegation tab, or the same e-mail addresses can be used throughout the environment.

8.2.2.5 Delegate Access

Once the installation and configuration of AGPM has been completed, access to the GPOs needs to be delegated appropriately before it can be used by the GPO Administrators. This involves the assigning of an AGPM role to each of the GPO Administrators. See section 8.2.5 for details of the roles and their default permissions.

Important

Membership in the Group Policy Creator Owners group should be restricted so that it is not used to circumvent AGPM management of access to GPOs. This is completed through the Group Policy Management Console, by clicking Group Policy Objects in the forest and domain in which GPOs are to be managed, clicking Delegation, and then configuring the settings to ensure permissions are set appropriately. Any account that can edit a GPO directly in GPMC, or create new GPOs, can bypass the AGPM change control process, so the GPO delegation should be reviewed at the same time.
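As an added example that is not part of this guidance, the following PowerShell script implements the service-account permission requirement from the note in section 8.2.2.1 ('Edit settings, delete, modify security' on each GPO) and the review this Important note calls for. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (available with RSAT on Windows Server 2008 R2 and later, which is newer than the platforms this guidance targets) and the placeholder domain and account names shown; run it as a Domain Admin.

```powershell
# Added example, not from the AGPM guidance. Grants the AGPM service account full
# edit rights on every GPO and reports principals that could change or create GPOs
# outside AGPM change control. Account names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-agpm'   # placeholder: the AGPM Service Account
$AllowedEditors = @(                   # placeholder: principals expected to hold edit rights
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins',
    'NT AUTHORITY\SYSTEM',
    $ServiceAccount
)

foreach ($gpo in Get-GPO -All) {
    # 1. Ensure the service account has 'Edit settings, delete, modify security'.
    #    Get-GPPermission errors when the trustee has no entry, hence SilentlyContinue.
    $current = Get-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount `
        -TargetType User -ErrorAction SilentlyContinue
    if ($current.Permission -ne 'GpoEditDeleteModifySecurity') {
        Set-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount -TargetType User `
            -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
        Write-Host "Granted edit/delete/modify-security on '$($gpo.DisplayName)' to $ServiceAccount"
    }

    # 2. Report every other principal that can edit this GPO directly, bypassing AGPM.
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { @('GpoEdit', 'GpoEditDeleteModifySecurity') -contains $_.Permission } |
        ForEach-Object {
            $who = if ($_.Trustee.Domain) { "$($_.Trustee.Domain)\$($_.Trustee.Name)" }
                   else { $_.Trustee.Name }
            if ($AllowedEditors -notcontains $who) {
                Write-Warning "'$($gpo.DisplayName)': $who holds $($_.Permission) outside the allow list"
            }
        }
}

# 3. Members of Group Policy Creator Owners can create GPOs outside AGPM; list them for review.
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName |
    Format-Table -AutoSize
```

Run the script again after delegating AGPM roles (section 8.2.2.5) so that any edit rights granted directly in GPMC, rather than through the AGPM Change Control node, show up as warnings.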

To delegate access:

1. Using an AGPM Administrator account, open the Group Policy Management Console (click Start or the Windows button, point to Administrative Tools and click Group Policy Management).

2. Click Change Control in the domain in which the GPOs are to be managed.

3. In the right-hand details pane, click the Domain Delegation tab.

4. Click the Advanced button.

5. In the Permissions dialog box, select the check box for each role to be assigned to a GPO Administrator.

6. Click the Advanced button.

7. In the Advanced Security Settings dialog box, select a GPO Administrator, and click Edit.

8. For Apply onto, select This object and nested objects, then click OK in the Permission Entry dialog box.

9. In the Advanced Security Settings dialog box, click OK.

10. In the Permissions dialog box, click OK.

Once access has been delegated appropriately to the GPO Administrators, the workflow process of managing GPOs can be followed. See section 8.2.5, Figure 15 for further details.
