What Is AGPM?
AGPM is the abbreviation of Advanced Group Policy Management. It is part of the Microsoft Desktop Optimization Pack (MDOP), which is an add-on to the enterprise agreement signed with SA. Most companies with Windows Enterprise already have access to MDOP and its components, such as AGPM.
Microsoft’s Advanced Group Policy Management (AGPM) enables you to manage GPOs more closely. For example, with AGPM, you must check out the GPO to make edits, which prevents anyone from accidentally making changes while others are editing. You can request approval of proposed changes; that is built-in change management. If the changes you make cause problems, AGPM also allows you to roll back to the previous version of the GPO.
Versions of AGPM
AGPM 4.0 SP3 supports Windows 10, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
AGPM 4.0 SP2 supports Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
AGPM 4.0 SP1 supports Windows Server 2012, Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
AGPM 4 supports Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista with SP1.
AGPM 3 supports Windows Server 2008 and Windows Vista with SP1.
AGPM 2.5 supports Windows Vista (32-bit) and Windows Server 2003 (32-bit) without service packs.
AGPM Server Requirements
AGPM Server 4.0 requires GPMC in Windows Server 2008 R2, Windows Server 2008, Windows 7 and Remote Server Management Tools (RSAT), or Windows Vista with SP1 and GPMC in RSAT. Both 32-bit and 64-bit versions are supported.
Before installing the AGPM server, you must be a member of the Domain Admins group and must have the following Windows features, unless otherwise noted:
GPMC
Windows Server 2008 R2 or Windows Server 2008: If GPMC does not exist, it will be installed automatically by AGPM.
Windows 7: Before installing AGPM, you must install GPMC from RSAT. For more information, see Remote Server Management Tool for Windows 7
Windows Vista SP1: Before installing AGPM, you must install GPMC from RSAT. For more information, see Windows Vista Remote Server Management Tool with Service Pack 1.
.NET Framework 3.5 or higher
Windows Server 2008 R2 or Windows 7: If .NET Framework 3.5 or later does not exist, AGPM will automatically install .NET Framework 3.5.
Windows Server 2008 or Windows Vista SP1: Before installing AGPM, you must install .NET Framework 3.5 or higher.
The AGPM server requires the following Windows features. If these features are not present, they will be installed automatically:
1. WCF activation; non-HTTP activation
2. Windows Process Activation Service
- Process model
- .NET environment
- Configure API
Also see: How to Check .NET Framework Version on Windows 10 [3 Methods]
How to Set up AGPM
AGPM is relatively easy to set up. You only need two accounts, a server, and a client.
The server does not need to be dedicated to AGPM; you only need the one that has the Group Policy Management Console feature installed. In fact, on Server 2008 R2 or later, GPMC and the required .NET features will be installed by the AGPM installer when necessary. These two accounts are the AGPM administrator account and the AGPM service account. Before setting up AGPM, you need to grant the service account access to all existing GPOs.
Then all you need to do is to set up the server AGPM software and client. If you want to manage the client software in one place, you can install the client software and server software on the same server. If you want to manage GPOs from other workstations, the client software needs to install Windows RSAT.
Once you set up the server software, it locks all existing GPO permissions so that only domain administrators can right-click and edit GPO objects from the standard GPMC. Any other user must use the AGPM client to check out and edit the GPO.
You can further lock it down by denying the domain administrators group’s permission to explicitly edit the GPO to prevent domain administrators from editing outside of AGPM. This effectively forces everyone to use AGPM so that you can manage and approve changes in a controlled manner.