AGPM seamlessly integrates with both GPMC version 1.0 (SP1) for Windows XP/Windows Server 2003 and GPMC version 2.0 for Windows Vista.
Once the AGPM Client has been installed, the GPMC includes one extra option to choose from in the left hand pane, Change Control, as circled in Figure 16 below. The figure shows the GPMC before and after the AGPM Client has been installed.
Figure 16: GPMC Before and After AGPM Client Installation
The Change Control option provides GPO Administrators with a new set of tabs in which to manage the GPOs. The right hand details pane displays the following tabs:
Contents
Controlled
Uncontrolled
Pending
Templates
Recycle Bin Domain Delegation AGPM Server Note
Upon starting the GPMC and selecting the Change Control option, the AGPM Client contacts the AGPM Server through the connection specified during installation. Should an error display whilst loading the archive of controlled GPOs, informing that the connection was actively refused, restart the AGPM Service on the AGPM Server and once the service has been started, refresh the AGPM Client screen to reload the archive.
Page 98
8.2.6.1 GPMC Change Control Contents Tab
The Contents tab is where the majority of a GPO Administrator’s focus will be. It provides further tabs which list all of the Domain GPOs that are available. These additional tabs categorise the GPOs and, as such, dictate what tasks can be carried out with the GPO.
The Controlled tab lists all the GPOs which have been created using AGPM Client within the GPMC and the GPOs that have been moved from the Uncontrolled tab to enable AGPM to manage them.
Tasks available to a GPO Administrator are accessed by right clicking the GPO or a blank area beneath the GPOs; options are provided via a context menu.
Table 56 details the options.
Option Description
New Controlled GPO This option is only available when right clicking a blank area in the GPO frame. It enables a GPO Administrator to create a Controlled GPO, allowing the name and a comment to be specified, and whether the GPO is created directly in Live or in an Offline state. It also allows the option to create the GPO based upon a pre-existing template.
History This opens a new window displaying historical information about the GPO. The window contains three tabs to filter the view so as to show all versions of the GPO, show only checked-in versions of the GPO, or only GPOs that have labels associated with them.
Settings This option enables the creation of either an HTML or XML report, showing the settings contained within the GPO. It also provides the option to display where the GPO is linked to.
Differences This option enables the creation of an HTML report, an XML report or a GPO template, containing the differences between two GPOs. To generate the reports, the GPOs for comparison need to be selected when clicking this option.
Edit This option opens the Group Policy Object Editor to allow editing of the selected GPO. This option is only available when the GPO has been checked out.
Check Out or Check In This option allows a GPO Administrator to check out a GPO to make it available for editing. If the GPO is already checked out, the check in option is displayed.
Undo Check Out This option only appears once a GPO has been checked out. Selecting Undo Check Out discards any changes made to the GPO.
Import from Production This option allows the importing of settings from a controlled GPO.
Delete This option deletes the selected GPO but only to the Recycle Bin. If necessary, the GPO can be restored.
Deploy This option makes the GPO available to the production environment and starts affecting live users and/or computers
Label This option provides the ability to comment, or label, the GPO for record keeping.
Rename This option provides the ability to rename the selected GPO.
Save as Template This option enables a GPO Administrator to save the selected GPO as a template for creating standardised GPOs from in the future.
Refresh This option refreshes the current screen.
Help This option displays the help file.
Table 56: AGPM Controlled GPO Right Click Options
The Uncontrolled tab contains all GPOs which are not managed by the AGPM. It provides the ability to select a GPO and take control of it. This then creates a copy of the GPO in the archive and moves the GPO listing to the Controlled tab.
As with the options available in the Controlled tab, when right clicking a GPO within the Uncontrolled tab, a GPO Administrator has the option to run reports showing the settings
contained within the GPO and also to show the differences between two selected GPOs. The GPO can also be saved as a template for use when creating a new managed GPO.
Figure 17 below shows the Uncontrolled tab with a context menu, showing the menu given upon right-clicking of an unmanaged GPO.
Figure 17: GPMC AGPM Uncontrolled Tab
The Pending tab lists the GPOs that require action from a GPO Administrator. Unique options available within this tab allow a GPO Administrator to withdraw a request for action prior to the request being completed. It also enables the assigned AGPM Administrator to either Approve or Reject the request.
The Templates tab provides a location for template GPOs. These templates can then be used as a basis to create new managed GPOs. A template is distinctly different to any other managed GPO, in that they cannot be edited and, as such, there is no history associated with them. Should a template need to be amended, a new controlled GPO should be created by basing it upon the old template, this can then be edited as required, and then saved as a template.
Similar to the way in which the Windows operating system recycle bin works, the AGPM Recycle Bin provides a location to place GPOs that have been deleted. This provides a level of protection against accidental deletion of GPOs. Unique options available within this tab are to either Destroy or Restore deleted GPOs. As the name suggests, Destroy permanently deletes a GPO, whereas Restore moves a GPO back to the Controlled tab.
Note
It is not possible to delete an uncontrolled GPO from within AGPM.
Page 100
8.2.6.2 GPMC Change Control Domain Delegation Tab
The Domain Delegation tab provides a list of GPO Administrators who have domain-level access to the archive and it indicates the AGPM role of each GPO Administrator.
This tab also provides the AGPM Administrator with the ability to configure the permissions for the AGPM roles. See section 8.2.5 for more details on AGPM roles. Figure 18 below shows the Advanced Permissions for a user within the contoso.com domain.
Figure 18: AGPM Advanced Permissions Dialog Box
Within this dialog box, it is possible to amend the AGPM role for each of the GPO Administrators.
The e-mail notification can also be configured from within the Domain Delegation tab, enabling further use of the role based delegation functionality; see section 8.2.2.4 on how to configure the e-mail notification.
8.2.6.3 GPMC Change Control AGPM Server Tab
As part of the installation of the AGPM Client, the AGPM Server Host name and port number are specified (see section 8.2.2.2 for installation details). The AGPM Server tab displays these details, and both the host name and port number can be changed from here.
Recommendation
The ability to specify the AGPM Server host name and port number can be managed through a GPO. It is recommended that healthcare organisations use this method (see section 8.2.2.3 for further information on how to do this). If managed through a GPO, the fields on the AGPM Server tab are unavailable.