Dell's Implementation of Microsoft Advanced Group Policy Management


Dell implemented AGPM in June of 2011 and is taking advantage of the benefits it offers for managing Group Policy.

By Pat Pitre, Sr. Systems Engineer at Dell Inc.
November, 2011

Abstract

Dell implemented Microsoft Advanced Group Policy Management to take advantage of features like change control and offline editing when managing group policy objects. This paper focuses on both the benefits of AGPM and some of the unique challenges encountered during integration testing, and how they were resolved. This information may help other large organizations that are considering or are in the process of implementing AGPM.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

2010 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.

Dell, the DELL logo, and the DELL badge, OpenManage, and PowerEdge are trademarks of Dell Inc. Microsoft, Windows Vista, and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.

Contents

- Introduction
- AGPM Feature Overview
  - Offline Editing
  - Change Control
  - Role Based Delegation
  - Workflow
  - Search and Filter
  - Export and Import
- Overview of Dell's Implementation
  - AGPM Server Architecture
  - Server Configuration
  - AGPM Prerequisites
- Issues and Challenges
  - AGPM's DC Locator Process in the Dell Environment
  - Enforcing Use of AGPM
  - Problems Connecting to the AGPM Archive
- References

Introduction

Dell uses Group Policy technology extensively in its large enterprise environment and wanted to improve control and reduce the risk of related widespread outages. Microsoft Advanced Group Policy Management (AGPM) helps reduce risk by allowing Group Policy Objects (GPOs) to be edited offline, outside of the production environment. AGPM provides better overall control of Group Policy by providing change control and role-based workflow, as well as other advanced features that make GPO management more efficient. This paper provides an overview of AGPM and its capabilities, as well as a look at Dell's implementation and the challenges faced during testing and deployment. For details on how to install and configure AGPM in your environment, references to the related Microsoft documentation can be found at the end of this document.

AGPM Feature Overview

Offline Editing

The AGPM server archive provides offline storage for GPOs. Changes you make to GPOs in the archive do not affect production until you deploy them. You can edit GPOs and test them in a safe area. After reviewing the changes you can deploy them, knowing that instant rollback is possible. With Dell's large system base, offline editing reduces the risk associated with production group policy changes.

Change Control

- A check-in/check-out feature prevents simultaneous editing of a GPO.
- The history of individual actions on a GPO can be used for audit and rollback.
- Detailed settings reports are available for each entry in the history.
- Instant rollback is available by deploying a specific instance from a GPO's history.
- The Differences feature lets you compare any two GPO entries in the history to determine what changed.

Role Based Delegation

The following roles allow you to assign specific privileges to GPO administrators and can be used to limit actual deployment to more senior administrators:

- Reviewer - Can view and compare GPOs. Reviewers cannot edit or deploy GPOs.
- Editor - Can check out GPOs from the archive, edit GPOs, and check in GPOs to the archive. Editors can request deployment of a GPO. Editors can also view and compare GPOs.

- Approver - Approvers can approve the creation and deployment of GPOs. (When Approvers create or deploy a GPO, approval is automatic.) Approvers can also view and compare GPOs.

Workflow

AGPM supports the creation of GPO template libraries that allow more efficient GPO creation. A repeatable workflow can be obtained using a series of tasks like Controlling, Check-out, Edit, Check-in, Requests, Reporting, and Deployment, along with Roles and automatic e-mail notification.

Search and Filter

AGPM 4.0 allows you to search the list of GPOs for specific attributes and filter the list of GPOs displayed.

Export and Import

You can copy a controlled GPO from a domain in one forest to a domain in a second forest using the export/import feature. This feature was not previously available with GPMC.

Overview of Dell's Implementation

AGPM Server Architecture

An AGPM server runs the AGPM Service and is used to manage an archive. Each AGPM Server can manage only one archive, but a single archive can contain data for multiple domains in a forest. Dell chose to implement a single server to manage its main production domain and 4 subdomains. Although an archive can be hosted on a computer other than an AGPM Server, Dell wanted to install and maintain AGPM on a dedicated server in a managed data center. AGPM is also used to manage group policy in Dell's Proof of Concept Lab forest.

Server Configuration

Dell's AGPM servers are virtual machines running Windows Server 2008 R2, with dual processors and 2 GB of RAM. This server configuration performs well with all of the domains in the dell.com forest (Americas, EMEA, Japan, and APAC) that are contained in the production archive.

AGPM Prerequisites

This section covers the group and account creation that was done to prepare for the AGPM server installation and role-based delegation.

1) Service account to run the AGPM Server tool (named Service AGPM). This account must be a member of the Domain Admins group, or, for a least-privilege configuration (used by Dell), it should be a member of the following groups in each domain that is managed by the AGPM Server:
   - Group Policy Creator Owners (or explicit access to sysvol in each domain)
   - Backup Operators (in each domain)
2) Additionally, this account requires Full Control permission for the following folders:
   - The AGPM archive folder, for which this permission is automatically granted during the installation of AGPM Server if it is installed on a local drive.
   - The local system temp folder, typically %windir%\temp.
3) Create a Universal Group named AGPM Administrators. This will be used as the Archive Owner during the AGPM Server install.
4) Create the following Universal Groups. Each one represents a role within the archive:
   1. AGPM Approvers
   2. AGPM Editors
   3. AGPM Reviewers

Additional permission requirements (post AGPM install):

1. Grant Full Control on the Group Policy Objects container in GPMC to the Service AGPM account.
2. The service account needs Full Control delegation to all production GPOs. There is a sample script included with AGPM that allows you to automate this task: http://msdn.microsoft.com/en-us/library/windows/desktop/aa814151(v=vs.85).aspx#_win32_grant_permissions_for_all_gpos_in_a_domain
3. Make the Service AGPM account a local admin on the AGPM server.
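The least-privilege preparation above, scripted as an added example that is not part of the Dell paper or of AGPM itself. It assumes the ActiveDirectory and GroupPolicy RSAT modules, an existing service account whose sAMAccountName is assumed to be svc-agpm, placeholder domain names and archive path, and that it is run on the AGPM server as a Domain Admin of the forest root; the GPO-level grant uses Set-GPPermission in place of the sample script AGPM ships.

```powershell
# Added example: prepares the Service AGPM account and role groups described above.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ServiceAccount = 'svc-agpm'                       # assumed sAMAccountName of 'Service AGPM'
$RoleGroups     = 'AGPM Administrators', 'AGPM Approvers', 'AGPM Editors', 'AGPM Reviewers'
$ManagedDomains = 'corp.example.com', 'emea.corp.example.com'   # placeholders for the managed domains
$ArchivePath    = 'D:\AGPM'                        # assumed archive folder on this AGPM server

$svc = Get-ADUser -Identity $ServiceAccount

# Steps 3) and 4): one Universal security group per archive role, created once in the root domain.
foreach ($g in $RoleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Universal -GroupCategory Security
    }
}

# Step 1): least-privilege memberships in every managed domain.
foreach ($d in $ManagedDomains) {
    # Backup Operators is domain-local, so the account can be added in each domain.
    Add-ADGroupMember -Identity 'Backup Operators' -Members $svc -Server $d
    try {
        Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $svc -Server $d -ErrorAction Stop
    } catch {
        # Group Policy Creator Owners is a global group and cannot hold accounts from another
        # domain; this is the case for the paper's alternative, explicit access to sysvol.
        icacls "\\$d\SYSVOL\$d\Policies" /grant "*$($svc.SID):(OI)(CI)F" | Out-Null
    }
    # Post-install step 2): Full Control on every production GPO in the domain.
    Set-GPPermission -All -Domain $d -TargetName $ServiceAccount -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Step 2): Full Control on the archive folder and the system temp folder.
foreach ($folder in $ArchivePath, (Join-Path $env:windir 'temp')) {
    icacls $folder /grant "*$($svc.SID):(OI)(CI)F" | Out-Null
}

# Post-install step 3): local administrator on the AGPM server (net.exe works on 2008 R2).
$netbios = (Get-ADDomain).NetBIOSName
net localgroup Administrators "$netbios\$ServiceAccount" /add | Out-Null
```

Post-install step 1 (Full Control on the Group Policy Objects container) is granted in GPMC as the paper describes and is not covered by the script.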

Issues and Challenges

This section lists the main issues and challenges that Dell worked through during implementation.

AGPM's DC Locator Process in the Dell Environment

Dell restricts sysvol share permissions on its domain controllers beyond the default permissions for security purposes. Full Control is enabled for Authenticated Users only on PDCs and removed on all other DCs. This permissions configuration caused random access-denied errors and poor performance when initially testing AGPM with various functions within the tool. AGPM uses a costing method to locate and write changes to the domain controller that is closest to the AGPM server. Unlike GPMC, it does not automatically write changes to the DC or PDC specified in your Group Policy Management Console. To resolve this issue the AGPM server was moved into the same site where the PDCs from each domain reside. This configuration allows AGPM to locate and use the PDCs in its own site, to which its service account has Full Control. This configuration change resolved all of the random access-denied issues we were seeing in AGPM.

Enforcing Use of AGPM

Once AGPM is implemented, it is important to get all of your domain admins using it and to prevent GPO changes from being made directly in production. Making changes directly in production defeats the purpose of AGPM and has the potential for changes to be overwritten. Prior to Dell's AGPM implementation, GPO administrators were granted privileges to update GPOs through the Group Policy Creator Owners group in each domain. To enforce the use of AGPM, Dell moved all members of the Group Policy Creator Owners group to dedicated domain local groups that are privileged in AGPM. Domain Admins still have the ability to elevate their privileges and make GPO changes directly in production, but this will only be used in the event that the AGPM Server is down when an urgent GPO change is needed.

Problems Connecting to the AGPM Archive

- Ensure that the AGPM client contains the correct server name (FQDN, or IP as needed) and port.
- Ensure that the AGPM Service is running on the server.
- If the issue persists, ensure that the password for the service account has not changed.
- You can also install GPMC directly on the AGPM server to ensure that the archive is functional.

References

- AGPM Planning Guide, Microsoft Corporation
- Technical Overview of AGPM, Microsoft TechNet
- AGPM Step-By-Step, Microsoft TechNet
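The two remediations above, the AGPM server sharing a site with each domain's PDC emulator and the Group Policy Creator Owners group being emptied, are conditions that drift over time, so here is an added example (not from the Dell paper) that audits both and can optionally perform the group move. It assumes the ActiveDirectory module, placeholder domain names, an assumed service account name svc-agpm, an assumed domain-local group name for the AGPM-privileged GPO admins, and that it runs on the AGPM server.

```powershell
# Added example: audits AGPM site placement and Group Policy Creator Owners enforcement.
Import-Module ActiveDirectory

$ManagedDomains = 'corp.example.com', 'emea.corp.example.com'   # placeholders
$ServiceAccount = 'svc-agpm'         # assumed sAMAccountName of the 'Service AGPM' account
$AgpmRoleGroup  = 'AGPM GPO Admins'  # assumed name of the domain-local group that holds AGPM roles
$Migrate        = $false             # $true moves remaining GPCO members into $AgpmRoleGroup

# AD site of the machine this runs on (the AGPM server): what AGPM's DC locator starts from.
$AgpmSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
$Findings = @()

foreach ($d in $ManagedDomains) {
    # (1) DC locator: the domain's PDC emulator must be in the same site as the AGPM server,
    #     otherwise AGPM picks a nearer DC whose restricted sysvol the service account cannot write.
    $pdc     = (Get-ADDomain -Identity $d).PDCEmulator
    $pdcSite = (Get-ADDomainController -Identity $pdc -Server $d).Site
    if ($pdcSite -ne $AgpmSite) {
        $Findings += "[$d] PDC $pdc is in site '$pdcSite'; the AGPM server is in '$AgpmSite'"
    }

    # (2) Enforcement: only the service account may remain a direct member of the group.
    $gpco  = Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Server $d
    $stray = @($gpco | Where-Object { $_.SamAccountName -ne $ServiceAccount })
    if ($stray.Count -gt 0) {
        if ($Migrate) {
            if (-not (Get-ADGroup -Filter "Name -eq '$AgpmRoleGroup'" -Server $d)) {
                New-ADGroup -Name $AgpmRoleGroup -GroupScope DomainLocal -GroupCategory Security -Server $d
            }
            Add-ADGroupMember    -Identity $AgpmRoleGroup -Members $stray -Server $d
            Remove-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $stray -Server $d -Confirm:$false
            $Findings += "[$d] moved to ${AgpmRoleGroup}: $($stray.SamAccountName -join ', ')"
        } else {
            $Findings += "[$d] Group Policy Creator Owners still contains: $($stray.SamAccountName -join ', ')"
        }
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'AGPM site placement and GPO-admin enforcement checks passed.' }
```

Scheduling the audit-only mode gives a recurring check that nobody has been re-added to Group Policy Creator Owners outside the AGPM workflow.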
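The archive-connectivity checklist in the "Problems Connecting to the AGPM Archive" section, run from an administrator's workstation as an added example (not from the Dell paper or from AGPM). It assumes the ActiveDirectory module, a placeholder server name, the AGPM Service default TCP port of 4600 and a service display name of "AGPM Service" (both assumptions; confirm against your install), and that the service account lives in the workstation's domain.

```powershell
# Added example: checks name/port, service state, and whether the service account's
# password changed after the AGPM Service last started (the third item in the checklist).
Import-Module ActiveDirectory

$AgpmServer  = 'agpm01.corp.example.com'   # placeholder: server name configured in the AGPM client
$AgpmPort    = 4600                        # assumed AGPM Service default port
$ServiceName = 'AGPM Service'              # assumed display name of the service

function Test-AgpmArchive {
    param([string]$Server, [int]$Port, [string]$Service)
    $result = [ordered]@{}

    # 1. Does the configured name resolve, and does the configured port accept a TCP connection?
    try   { $result.ResolvesTo = [System.Net.Dns]::GetHostAddresses($Server)[0].IPAddressToString }
    catch { $result.ResolvesTo = $null }
    $result.PortOpen = $false
    if ($result.ResolvesTo) {
        $tcp   = New-Object System.Net.Sockets.TcpClient
        $async = $tcp.BeginConnect($Server, $Port, $null, $null)
        $result.PortOpen = $async.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
        $tcp.Close()
    }

    # 2. Service state and logon account, read over WMI (available on Windows Server 2008 R2).
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Server -Filter "DisplayName='$Service'"
    $result.ServiceState = if ($svc) { $svc.State } else { 'NOT FOUND' }
    $result.LogonAccount = if ($svc) { $svc.StartName } else { $null }

    # 3. A password reset after the service started means the cached credential is stale.
    $result.PasswordChangedSinceStart = $null
    if ($svc -and $svc.State -eq 'Running' -and $svc.StartName -match '\\') {
        $sam     = $svc.StartName.Split('\')[1]
        $user    = Get-ADUser -Identity $sam -Properties PasswordLastSet
        $proc    = Get-WmiObject -Class Win32_Process -ComputerName $Server -Filter "ProcessId=$($svc.ProcessId)"
        $started = [System.Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
        $result.PasswordChangedSinceStart = ($user.PasswordLastSet -gt $started)
    }
    return [pscustomobject]$result
}

Test-AgpmArchive -Server $AgpmServer -Port $AgpmPort -Service $ServiceName | Format-List
```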