As a Group Policy MVP, I am often asked about Microsoft's Advanced Group Policy Management software, or AGPM for short. AGPM is a "change management" system around Group Policy Objects (GPOs) themselves. It enables teams of administrators to avoid stepping on each other's toes, enables quick rollback of undesired GPO changes, provides a history of changes, and performs comparisons between live and "offline" GPOs. In considering AGPM, administrators and managers are often confused about:
...and more!
With that in mind, here's a handful of AGPM Myths and Facts to help you decide if AGPM is right for you and some tips on your AGPM journey.
MYTH: I don’t need AGPM, I have everything I need in the box.
Fact: For starters, AGPM doesn’t ship in the box with, say, Server 2008 or Server 2012. What does ship in the box, as part of both Windows Server and Windows client, is what would be called “Group Policy Core” functionality, which includes the GPMC utility and the Group Policy and Group Policy Preferences settings. The “change management” functionality of AGPM (and the other features listed earlier) isn’t in the box. What is true, however, is that AGPM fits “inside” the GPMC, which administrators know and love. You can see AGPM inside the GPMC in Figure 1.
Figure 1: AGPM fits inside the GPMC
MYTH: AGPM is free to use / I want to buy just AGPM
Fact: AGPM isn’t a free download. It’s part of the paid “Microsoft Desktop Optimization Pack” MDOP suite of tools. And, the tools within MDOP are not sold separately. When you get an MDOP subscription you acquire all the tools in MDOP, even if you only wish to utilize AGPM. For more information on purchasing MDOP start out at www.Microsoft.com/mdop and/or talk with your Microsoft representative about purchase options.
MYTH: AGPM adds super-powers to every desktop
Fact: AGPM adds zero super-powers to your desktop. That’s OK, AGPM isn’t meant to add more super-powers to every desktop.
Remember: AGPM is a “change management” tool, not a “desktop management” tool.
This is the biggest myth about AGPM, mostly because it ships within the “Microsoft Desktop Optimization Pack” bundle. People see the words “Desktop Optimization” in the MDOP suite name and falsely assume that AGPM adds more super-powers to the Group Policy “core” or performs new functions on desktops themselves.
Note, I’m not saying AGPM isn’t powerful or useful. It is – to do the job it was designed for. It simply doesn’t have any desktop super-powers.
The kind of super-power people often want to add to their desktop management arsenal is configuring 3rd party applications, which Microsoft’s in-the-box Group Policy doesn’t excel at. If you’re looking to actually add desktop superpowers to your existing Group Policy superpowers, consider PolicyPak Professional (www.PolicyPak.com), which is specifically designed to augment existing Group Policy deployments and add extra super-powers like managing Lync, IE, Firefox, Flash, Java, Acrobat, and 80+ other applications via Group Policy. PolicyPak can additionally perform true security upon these apps so users cannot work around your settings – even when they’re offline. In other words, true desktop superpowers.
MYTH: AGPM has a complicated architecture
Fact: AGPM almost couldn’t be simpler. There is a server piece, which can live on any Windows server (latest Windows Server version always preferred). There is no UI to the AGPM server; it literally installs just a Windows service. Then there’s the AGPM “client”. The AGPM client is loaded on administrator computers and simply extends the GPMC to provide the AGPM node and interface to AGPM. That’s it.
There are no databases to install, and the client piece doesn’t need to be loaded on everyone’s machine in the company. It is needed only on the machines of administrators who want to participate in the AGPM change management system.
MYTH: There is no formal training for AGPM
Fact: Microsoft has no formal AGPM training in any Microsoft Official Curriculum course that I'm aware of. However, in my Group Policy Master Classes (www.GPanswers.com/training) I cover all the ins and outs of AGPM, from installation, to working together as a team, to pitfalls and troubleshooting. If your team is considering an AGPM rollout, consider taking my battery of Group Policy training, which includes AGPM training.
MYTH: All 3rd party Group Policy products are compatible with AGPM
Fact: There is a wide variety of 3rd party Group Policy products which extend Group Policy’s functionality. Do note, however, that not all 3rd party Group Policy extension products are compatible with AGPM. Specifically, AGPM works by performing backups of GPOs, then restoring them when necessary during rollback operations. If your 3rd party Group Policy product doesn’t play nicely with the built-in Group Policy backup and restore system, it likely won’t play nicely within AGPM.
Making sure your 3rd party Group Policy product works with AGPM is very important. The last thing you want to do is have a Group Policy change management system you use only 80% of the time, because it’s incompatible with a 3rd party Group Policy product you also need to use.
For an example of a 3rd party utility (PolicyPak) that does play nicely within AGPM, check out this example video.
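One way to check the backup-and-restore compatibility described above before relying on AGPM for a GPO, shown as an added example that is not part of the original article. It uses the built-in GroupPolicy cmdlets as a stand-in for AGPM's own backup and restore, and the domain controller name, GPO names and backup folder are hypothetical.

```powershell
# Added example (not from the original article): round-trip a GPO through the
# built-in backup/import path and compare its SYSVOL files before and after.
# $Dc, $SourceName, $ScratchName and $BackupDir are hypothetical values.
Import-Module GroupPolicy

$Dc          = 'dc01.example.test'                   # one DC for every step, so SYSVOL replication lag cannot skew the result
$SourceName  = 'Example - Third-Party App Settings'  # GPO that holds the 3rd party settings
$ScratchName = "$SourceName (round-trip test)"       # unlinked scratch GPO, removed at the end
$BackupDir   = Join-Path $env:TEMP 'gpo-roundtrip'

function Get-GpoFileList {
    # Return one "relative-path  SHA256" string per file in the GPO's SYSVOL folder.
    param([Parameter(Mandatory)] $Gpo, [Parameter(Mandatory)] [string] $Server)
    $root = "\\$Server\SYSVOL\$($Gpo.DomainName)\Policies\{$($Gpo.Id)}"
    Get-ChildItem -Path $root -Recurse -File |
        Where-Object { $_.Name -ne 'gpt.ini' } |     # version counter legitimately differs
        ForEach-Object {
            $rel = $_.FullName.Substring($root.Length).ToLowerInvariant()
            '{0}  {1}' -f $rel, (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$source  = Get-GPO -Name $SourceName -Server $Dc
$backup  = Backup-GPO -Guid $source.Id -Path $BackupDir -Server $Dc -Comment 'AGPM compatibility check'
$scratch = Import-GPO -BackupId $backup.Id -Path $BackupDir -TargetName $ScratchName -CreateIfNeeded -Server $Dc

try {
    $before = @(Get-GpoFileList -Gpo $source  -Server $Dc)
    $after  = @(Get-GpoFileList -Gpo $scratch -Server $Dc)
    $lost   = @($before | Where-Object { $after  -notcontains $_ })   # missing or altered in the copy
    $added  = @($after  | Where-Object { $before -notcontains $_ })   # new or altered in the copy

    if ($lost.Count -or $added.Count) {
        Write-Warning 'Round trip did not reproduce the GPO files; check the extension before putting this GPO under AGPM control.'
        $lost  | ForEach-Object { "only in original: $_" }
        $added | ForEach-Object { "only in copy:     $_" }
    } else {
        'SYSVOL contents are identical after backup and import.'
    }
} finally {
    Remove-GPO -Guid $scratch.Id -Server $Dc         # always clean up the scratch GPO
}
```

This compares only the file-based part of the GPO; an extension that also stores data in Active Directory needs a separate check.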
AGPM is powerful – for what it’s designed to do. That is, again, to enable teams of administrators to manage GPOs without stepping on each other’s toes.
AGPM is very simple to deploy and the architecture is easy to understand and manage.
However, remember AGPM doesn’t add super-powers to the desktop for increased settings delivery or lockdown functionality. To perform these kinds of super-powers you need 3rd party Group Policy extensions (and AGPM is not one.)
I hope this Myths and Facts guide helped you out.
Make contact with Jeremy Moskowitz, Group Policy MVP at www.GPanswers.com or www.PolicyPak.com. Thanks.
Good article. Great thing about AGPM is an organization does not have to control all Group Policies (it's not an all-or-nothing proposition). Group Policies which contain incompatible 3rd party extensions may be left "uncontrolled" and managed without AGPM.
One aspect I like is its ability to export and import Policies between AD forests with no trusts. This doesn't work without the AGPM tool. Keep in mind Group Policy permissions are not managed at all by the AGPM tool.
I've been using the AGPM 4.5 beta and it seems to have all the same features. It is aware of Windows 8 / Windows Server 2012 settings and runs on the respective O/S's.
I have the feeling that AGPM is a kind of abandoned product. No new versions, updates, patches, support.
Many issues occur; I have to review the alternative GPOAdmin knowledge base to resolve the issue, because the architecture is similar.
Correct me if I'm wrong.
Shameful Plug here, since Jeremy does not make it obvious that he developed Policy Pak in the article, and since when does Microsoft let its MVPs write commercials about their own software? No offense, but Jeremy does make it look like he is trying to review AGPM, but he ends up pushing his own product up above it. Reviewing should not be done by someone who has produced a similar product. Note to self - Go GET POLICYPAK for SuperPowers Group Policy desktop superpowers. Very slick place for an ad!!
We were planning to implement AGPM in our Domain. But the biggest problem we had was the WAN link.
It's extremely slow to edit a GPO from branch offices over the WAN link. Once the policy is checked out, the remote office AGPM client has to connect to the head office AGPM server to edit the GPO. In our case browsing through the GPO is extremely slow.