The "Advanced" in GP Management
Dealing with GPOs can sometimes feel like you're juggling grenades.
As soon as you open a GPO for editing, it's already whizzing around your network, replicating around your DCs and potentially available for any clients looking for an update.
What if you're in the middle of editing a GPO and you suddenly get called away, with, say, a half-finished GPO?
Well, it's likely at least SOME clients will ask for that update and download it.
Also, I don't know about you, but even with my daily GP comings-and-goings, I still kinda wish there was an "Are you sure?" prompt when I'm editing stuff or about to do a bone-headed move.
Let's think about all the times I wish I could put some process around my GP world. For instance, there is no "Are you sure" when:
() Creating GPO
() Editing GPO
() Linking a GPO
() Deleting a GPO
You get the idea. There's a lot of potential for quick damage there.
And there's no way to see the history of a GPO and "roll back" a set of changes once rolled forward (though there is manual backup and restore capability).
That's why I like products that put a little "process" around GP management. Microsoft's AGPM v 3.0 was recently released as part of MDOP R2 (http://www.Microsoft.com/mdop) and it's got some neat-o features.
It's not a revolutionary upgrade to what I talked about in Chapter 12 of my latest book (http://www.GPanswers.com/books).
But the new features are a nice welcome addition.
It's strange, but I ask a lot of people if they've even HEARD of Microsoft's AGPM (Advanced Group Policy Management) product, and I often get blank stares.
So, in the interest of GP Public service, I'm here to clear up what it is and what it does. Let's spend a quick minute discussing what it is and how to get it.
What it is: It's one of the 6 tools which are part of the Microsoft Desktop Optimization Pack (MDOP).
What does it do: It puts "Change management" around GPOs, so you have a full trackable history of what people did plus a way to roll back if there are problems.
How to get it: MDOP is a yearly subscription service which is only available to Microsoft SA customers who then ADDITIONALLY pay about $10 a seat, PER year.
Holy moly factor: Yep. It can be expensive, but because MDOP is a set of 6 products, it's actually a pretty good bargain overall. But it's pretty understandable to have a strong reaction to the cost.
AGPM's Philosophy: You can think of AGPM almost like a library system. (At least, that's how I think of it.) Only one person can have a GPO "checked out" at any given time for editing. And those edits don't happen ONLINE and LIVE. They happen OFFLINE and are trackable, which essentially removes any direct impact on live computers.
What's new in AGPM 3.0 vs AGPM 2.5: There's a gaggle of stuff, but here's the hitlist:
() Windows Server 2008 compatibility, including all 64-bit platforms (yay!)
() Windows Vista compatibility (in fact, the client piece which lets you do work in AGPM requires Vista + SP1 + updated GPMC.)
() Localization to a zillion languages
and, for me, the big one is
() When a GPO is "controlled" to the AGPM system, it becomes immediately unavailable to those trying to edit it "live."
This was a big deal to me and something I made a lot of noise about in the book.
Before AGPM 3.0, you had to "re-deploy" the GPO back in to the live environment before it made the GPO off-limits to non-AGPM administrators. This was a real bummer, but the 3.0 version got this part exactly right. Good job, MS team.
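For comparison, here is what the manual backup and restore capability mentioned earlier looks like when scripted as a pre-edit snapshot with a change note. This is an added example, not part of AGPM or of the original article; it uses the cmdlets in Microsoft's GroupPolicy PowerShell module, and the GPO name, backup path, and function names are assumptions chosen for illustration.

```powershell
# Added example: a manual "change record" around a live GPO edit.
# Assumed values (not from the article): 'Desktop Lockdown', D:\GpoBackups.
Import-Module GroupPolicy

function Save-GpoSnapshot {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $BackupRoot,
        [Parameter(Mandatory = $true)] [string] $Reason
    )
    # Fail early if the GPO name is wrong rather than backing up nothing.
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    if (-not (Test-Path $BackupRoot)) {
        New-Item -ItemType Directory -Path $BackupRoot | Out-Null
    }

    # The comment is the only "who/why" trail a manual backup carries.
    $comment = '{0} | {1}\{2} | AD v{3}/{4} (user/computer)' -f $Reason,
        $env:USERDOMAIN, $env:USERNAME,
        $gpo.User.DSVersion, $gpo.Computer.DSVersion

    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment $comment

    # Keep a readable settings report beside the backup for later review.
    $report = Join-Path $BackupRoot ('{0}.xml' -f $backup.Id)
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $report

    $backup   # exposes Id, DisplayName, CreationTime, Comment
}

function Undo-GpoEdit {
    param(
        [Parameter(Mandatory = $true)] [guid]   $BackupId,
        [Parameter(Mandatory = $true)] [string] $BackupRoot
    )
    # Overwrites the live GPO with the snapshot identified by its backup ID.
    Restore-GPO -BackupId $BackupId -Path $BackupRoot
}

# Usage: snapshot, edit in GPMC, roll back if the edit goes wrong.
# $snap = Save-GpoSnapshot -GpoName 'Desktop Lockdown' `
#             -BackupRoot 'D:\GpoBackups' -Reason 'Before screensaver change'
# Undo-GpoEdit -BackupId $snap.Id -BackupRoot 'D:\GpoBackups'
```

The snapshot does nothing about the edit itself being live while it is in progress; that gap is what the check-out model closes.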
So, are you using AGPM? Here's my one-question survey:
http://www.surveymonkey.com/s.aspx?sm=0Yl_2f5f_2byRygP8fnoBjvRCQ_3d_3d
PS: If you have no plans to be an SA customer and then get the MDOP suite, then you can get MDOP-comparable functionality from 3rd party vendors, like NetIQ with their GPA product.
In the interest of full disclosure, I'll mention that NetIQ advertises GPA on GPanswers.com here: http://www.gpanswers.com/solutions/company/40-netiq/57-netiq-group-policy-administrator