Microsoft Desktop Optimization Pack: Managing GPOs with Advanced Group Policy Management (AGPM) 4.0
CLI316
Brad McCabe, Product Manager
Michael Kleef, Program Manager

What we will discuss Introducing Advanced Group Policy Management (AGPM) What’s new in AGPM 4.0 Search Multi-Forest Windows 7/Windows Server 2008 R2 Support How it works “under the covers” How to get it

Introducing AGPM

What We Want meat (start) mat (removed ‘e’) man (changed ‘t’ to ‘n’) mane (added ‘e’) mine (changed ‘a’ to ‘i’) Know what changed and undo bad changes

Advanced Group Policy Management Enhancing group policy through change management Benefits What it Does Versioning, history & rollback of group policy changes Role-based administration & templates Workflow Offline editing London Borough of Camden “We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs.” Simon Boxall, Active Directory Infrastructure Engineer, London Borough of Camden Enable group policy change management Provides granular administrative control Reduce risk of widespread failure Previous Version 3.0 New Version Released October 2009

Architecture AGPM Server Component Copy of GPO 1 Direct link Admin Component Administrative Desktop Copy of GPO 2 Domain Controller Direct link GPO 1 GPO 2

Offline Editing Edit GPOs offline before deploying live

Differences added changed removed Compare settings between GPOs

Delegation - Roles Full Control Editor Approver Reviewer Define granular control without making everyone a Domain Admin

Workflow Control Deployment Check-out Offline Reporting Edit Requests Check-in Create a repeatable workflow that you can track

demo How AGPM works: Editing, Linking, Reporting and Deploying

What’s new in AGPM 4.0

AGPM 4.0 Client and Server Support Operating system on which AGPM Server 4.0 runs Operating system on which AGPM Client 4.0 runs Status of AGPM 4.0 support Windows 7/R2 Supported Best Experience Partially supported Windows Server 2008 R2 Windows Vista with SP1/2008 Cannot edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7/R2 Unsupported Supported with limitations Windows Server 2008 Windows Vista with SP1/2008 Cannot report or edit policy settings or preference items that exist only in Windows Server 2008 R2 or Windows 7

Search (Filtering) What it does Filters GPOs by properties Allows for column precision Maintains a list of the recent 10 searches What it doesn’t do Search for settings

Multi Forest Support What it does Allows GPO movement from AGPM to AGPM Preserves origin metadata Supports migration tables What it doesn’t do Online moves between domains/forests GPP and Migrations Tables limitation

Windows 7/Server 2008 R2 What was supported Group Policy Preferences Reporting for all new extensions AppLocker, DNSSEC, IE 8, Scheduled Tasks Service execution RSAT

Authoring demo AGPM…the new Stuff Editing, Searching, Moving and Deploying

Microsoft Desktop Optimization Pack What you need to know What the Desktop Optimization Pack provides 1 Provide immediate ROI • Regular updates • Faster upgrade cycle, separate from Windows® • Minimal deployment effort 2 Deliver end-to-end solutions • Run out of the box • Integrate with existing management solutions Lower Desktop TCO • >95% of MDOP customers are (very) satisfied *1 • $70-$80 net cost savings per PC per year using MDOP 3 *2 *1, Microsoft MDOP customer study. Base: Current MDOP customer n=500 non-MDOP customer n=500 *2, MDOP ROI Analysis by Wipro

question & answer

Helpful Resources
MDOP Blog: http://blogs.technet.com/MDOP/
MDOP TechNet page: http://www.microsoft.com/technet/mdop/
Group Policy TechNet page: http://www.microsoft.com/technet/grouppolicy
Group Policy Team Blog: http://blogs.technet.com/grouppolicy
Group Policy TechNet Forum: http://forums.microsoft.com/TechNet

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

appendix

Controlling GPOs
Uncontrolled GPOs are in Production environment
Use Control GPO into AGPM
• Makes a copy of GPO
• All edits to controlled GPO are made offline
Generates a “request” for those that don’t have permission to control GPOs
• Approvers can control GPOs
• Required due to updating of permissions on production GPO (used to be Editor role)

Requests
What happens when a request is made?
• Moves GPO to pending tab
• Sends E-mail
When is a request generated?
• Control
• Deploy
• Delete
• Restore
What actions can be taken?
• Approve/Reject – Approver / Full control
• Withdraw – Editor who made request

Deployment
Editor can select “Deploy”
• Does not deploy GPO
• Sends e-mail to AGPM Admin
• Places GPO into “Pending” mode
Select “Deploy” for “Pending” GPO
• Full Control
• Approver
Production Delegation (new in 3.0)
• Flexibility: Improve the security in the production GPOs
• Control: Control permissions on all production GPOs
• Security: Ensure the use of the AGPM tool by other administrators

What we want meat (start) mat (removed ‘e’) man (changed ‘t’ to ‘n’) mane (added ‘e’) mine (changed ‘a’ to ‘i’) Know what changed and undo bad changes

Auditing Get complete details on what happened, who did it, and why

History is a list of complete backups Rollback to a safe state Safeguard your live environment from unapproved changes and untested settings

Reporting Settings Parity with Group Policy settings reports Difference Versions: older compared to newer Any 2 GPOs Template: GPO compared to its baseline

Workflow demo

What we will discuss Advanced Group Policy Management (AGPM) Change Management Auditing Reporting Delegation New features What does the future hold for AGPM? How to get it

New 3.0 Features Overview OS support Windows 2008, Vista SP1 with RSAT 64 bit systems Group Policy Preferences Localization 11 languages Granular change tracking Purge historical data Delegation

Granular change tracking

Purge historical data

Delegation

Also… Improved installation process Simplified procedure for modifying the port on which the AGPM Server listens Email security - SSL encryption of SMTP traffic Friendlier names for AGPM policy settings The Editor role requires permissions to delete GPOs Improved GPO role delegation experience General UI improvements