AGPM: like Git for group policy. Almost


Octopussy By Robert Bowen


Today I want to talk about a stylish, fashionable, but not very young (it is already 10 years old) model of working with group policies: Advanced Group Policy Management.


It adds niceties such as versioning and change control when creating and modifying GPOs.


A barrel of honey


In my practice there have been more than a few situations where rolling back to a previous version, or restoring a deleted group policy, spared me from frantic recollection in the style of “What did I do there?!”. And when working in a team, especially one where not everyone is in the habit of documenting every change to the infrastructure, questions come up like “Well, who was so clever as to turn off SMBv1, and will they quickly put everything back?”.


All this is easily solved with the Advanced Group Policy Management (AGPM) module, which is part of the Microsoft Desktop Optimization Pack (MDOP).


The main components of this package are designed to ease application deployment, user environment configuration and system recovery after a failure. More about all of its components is under the spoiler.


What is included in MDOP

App-V. Microsoft's application virtualization technology with centralized deployment and management. It is reminiscent of the better-known VMware ThinApp, except that it requires a client to be installed on workstations.


The advantages over a conventional installation are the same as with other such solutions: application isolation and the ability to run different versions side by side. For example, for everyday work with your favourite plugins and macros you can use 32-bit MS Office, and when you need to open a heavyweight Excel workbook with complex calculations, the 64-bit version.



App-V operation scheme.


You can read more about how App-V works in the article “Application Virtualization Using Microsoft App-V for the Undecided”. It is worth noting that App-V is already included in modern operating systems such as Windows 10.


MED-V. Microsoft Enterprise Desktop Virtualization is used to deploy Microsoft Virtual PC based virtual machines on workstations running Windows 7. The solution is intended to support old applications and is essentially a corporate XP Mode. If anyone still needs this outdated mechanism, you can read about it in the Overview of MED-V section.


UE-V. Microsoft User Experience Virtualization is designed to replace roaming user profiles. Unlike classic profiles, the technology lets you choose which user settings are synchronized, including settings of individual applications.


Such synchronization lets the user get a familiar environment on any kind of workstation, be it a corporate laptop or a VDI farm with applications virtualized using App-V.



The scheme of the UE-V.


Like App-V, the UE-V component is available in modern versions of Windows 10. Its configuration is described in the Microsoft User Experience Virtualization (UE-V) for Windows 10 documentation.


MBAM. Microsoft BitLocker Administration and Monitoring serves, as is easy to guess, for centralized management and monitoring of BitLocker drive encryption. Its particular feature is that users can encrypt their data without administrative rights, and recovery keys are stored in a separate encrypted SQL database in case a user forgets their PIN or loses the USB flash drive with the key. And, of course, you can get reports on encryption status both for the network as a whole and for individual workstations.



MBAM architecture.


The principles of MBAM are described in more detail in the Microsoft BitLocker Administration and Monitoring 2.5 documentation.


DaRT. Microsoft Diagnostic and Recovery Toolkit needs no special introduction; it is known to many as ERD Commander and is a tool for diagnosing and fixing Windows errors. Officially, it is distributed as part of MDOP.


Install and use AGPM


Compared to classic group policy management, the following options are offered here:



For AGPM to work, you will need to install the service on the server that will hold the group policy archive. Properly speaking, the archive should be kept on reliable storage with regular backups.



Specify the storage location of the GPO archive during installation.


The installer also asks for the credentials the service runs under, and for an account that is granted full rights. Ideally, permission to work with GPOs should be restricted to this account alone. But that is not strictly necessary if people with administrative rights can be taught not to touch group policies outside AGPM.
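A way to check whether the restriction above actually holds, as an added example that is not from the article: list every trustee that can edit a GPO directly in production, and therefore bypass AGPM. It assumes the GroupPolicy RSAT module; the service account name agpmsvc$ and the expected-trustee list are placeholders to adjust for your domain.

```powershell
# Added example (not from the article): list trustees that can edit GPOs directly,
# i.e. without going through AGPM. Requires the GroupPolicy RSAT module.
# The AGPM service account name (agpmsvc$) is a placeholder for this example.
Import-Module GroupPolicy

# Short names whose edit rights are expected on every GPO; adjust to your domain.
# CREATOR OWNER and SYSTEM are part of the default GPO ACL.
$ExpectedTrustees = @(
    'agpmsvc$',                      # AGPM service account (gMSA names end in $)
    'SYSTEM',
    'CREATOR OWNER',
    'ENTERPRISE DOMAIN CONTROLLERS',
    'Domain Admins',
    'Enterprise Admins'
)
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Find-GpoEditRightsOutsideAgpm {
    param([string[]]$Expected = $ExpectedTrustees)
    foreach ($gpo in Get-GPO -All) {
        # -All returns one GPPermission object per trustee on the GPO
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Permission.ToString() -notin $EditRights) { continue }
            if ($perm.Trustee.Name -in $Expected) { continue }
            $trustee = $perm.Trustee.Name
            if ($perm.Trustee.Domain) { $trustee = "$($perm.Trustee.Domain)\$trustee" }
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $trustee
                Permission = $perm.Permission
            }
        }
    }
}

# Empty output means only the expected accounts can change GPOs in production.
Find-GpoEditRightsOutsideAgpm | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Anyone listed in the output can change a production GPO without leaving a trace in the AGPM archive; either remove the right or add the account to the expected list deliberately.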


A good choice for the service account is an MSA (Managed Service Account). The principles behind this mechanism are described in the Group Managed Service Accounts section, and a step-by-step example of pairing an MSA with AGPM is in the article Running AGPM with a Managed Service Account.
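One way to do this with a group Managed Service Account, as an added example (not taken from the article or from the linked write-up): the account is created, cached on the AGPM server and the service is switched to it. CORP, agpmsvc, agpmsvc.corp.example and AGPM01 are placeholder names, and the AGPM service is located by display name because the article does not give its exact service name.

```powershell
# Added example (not from the article or the linked MSA write-up): create a group
# Managed Service Account for the AGPM service and switch the service to it.
# CORP, agpmsvc and AGPM01 are placeholder names. Steps 1-2 run with the
# ActiveDirectory RSAT module as a domain admin, steps 3-4 on the AGPM server.
Import-Module ActiveDirectory

# 1. One-time KDS root key for the forest. It normally becomes usable after about
#    10 hours; backdating EffectiveTime is a lab-only shortcut.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. The gMSA. Only the AGPM server's computer account may retrieve its password,
#    so no password is ever typed, stored or rotated by hand.
New-ADServiceAccount -Name 'agpmsvc' `
    -DNSHostName 'agpmsvc.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AGPM01$'

# 3. On the AGPM server: cache the account locally and confirm it can be used.
Install-ADServiceAccount -Identity 'agpmsvc'
if (-not (Test-ADServiceAccount -Identity 'agpmsvc')) {
    throw 'gMSA not usable here: check PrincipalsAllowedToRetrieveManagedPassword'
}

# 4. Re-point the AGPM service. The service is looked up by display name because the
#    exact service name is not given in the article. A gMSA takes an empty password;
#    unlike services.msc, this method does not grant "Log on as a service", so that
#    right must be assigned to CORP\agpmsvc$ separately (local or group policy).
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*AGPM*' } | Select-Object -First 1
if (-not $svc) { throw 'AGPM service not found on this host' }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = 'CORP\agpmsvc$'; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Service reconfiguration failed: $($result.ReturnValue)" }
Restart-Service -Name $svc.Name
```

The GPO rights the article says the service account needs are granted separately (delegation), exactly as for a normal user account.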

The server itself can be any machine; you can even install it on a domain controller. In principle, this is a matter of taste.


The client can likewise be installed on any machine where the Group Policy Management snap-in can run. Of course, it must have network access to the server on its TCP port (4600 by default).


AGPM is used through the above-mentioned snap-in, in the “Change Control” node.


The Russian localization leaves much to be desired. One could simply not install the localized version, but we love a challenge and the Russian language.


AGPM interface.


The mechanism is quite simple. First of all, you should bring existing GPOs under AGPM control (“Controlled”); they are listed in the “Uncontrolled” tab.



We transfer the old group policies to AGPM.


Now the group policies are stored in the archive, along with a change history and a recycle bin for deleted policies. You work with them in the “Controlled” tab, and they cannot simply be edited on the spot: you must check the required GPO out of the archive, edit it and check it back in.


This is done for the sake of collaboration and convenient logging, and every action can be accompanied by a comment. People familiar with collaborative development tools like Git will see nothing new here.



Work with group policy.


You can also turn existing policies into templates to make creating new ones easier, and export and import policies to a file.


It is worth noting that you can work on group policies without applying them, that is, exclusively in the archive, and then apply them to the working environment (“Production” in AGPM terms) with the “Deploy” command.



The test policy is deployed; the test2 policy so far exists only in the archive.


When deploying a GPO, the AGPM service connects to the domain and creates or modifies the group policy. Practically a release.


To work as a team, you will need to create users, grant them permissions and configure a mail server for sending notifications and requests.


Teamwork


User and mail server settings are configured in the Domain Delegation tab.


A quirk of the Russian localization is that both fields are named “Email”: the first is the sender address, the second the recipient.

There are four user roles:



As an example, take the user admin-zhora and give him the Editor role.



Configure access to AGPM.


Now Georgy can create a new controlled GPO and submit it for approval:



Request for new policy.


It is more convenient to first create a template with all the necessary settings; Editor rights are sufficient for this.

The AGPM administrator will now receive an email notification, and the request itself will appear on the “Pending” tab. The administrator reviews the group policy and decides whether to approve or reject the request.


The sequence of events can be seen in the group policy history.



GPO log.


From the history you can, if necessary, roll back to previous versions. It is more convenient to do this from the “Unique Versions” tab, since the full view shows every action and every state, including check-outs and check-ins that changed nothing.
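AGPM's history records only actions taken through AGPM; for changes made directly in GPMC, the domain controllers' Security log is the remaining source of “who did it”. As an added example that is not from the article, this builds that report from Directory Service Changes events; it assumes the “Directory Service Changes” audit subcategory is enabled, a Write SACL exists on the Policies container, and agpmsvc$ is a placeholder for the AGPM service account.

```powershell
# Added example (not from the article): report who changed which Group Policy
# Container, from Directory Service Changes events 5136 (modified), 5137 (created)
# and 5141 (deleted) on a domain controller. Prerequisites: the "Directory Service
# Changes" audit subcategory enabled and a Write SACL on CN=Policies,CN=System,<domain>.
# agpmsvc$ is a placeholder for the AGPM service account.
function Get-GpoChangeReport {
    param(
        [int]$Hours = 24,
        [string]$AgpmAccount = 'agpmsvc$'   # AGPM deployments show up under this name
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Only GPO objects; the versionNumber attribute changes on every GPO edit
        if ($data.ObjectClass -ne 'groupPolicyContainer') { return }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            ViaAgpm   = ($data.SubjectUserName -eq $AgpmAccount)
            Gpo       = $data.ObjectDN                   # CN={GUID},CN=Policies,...
            Attribute = $data.AttributeLDAPDisplayName   # e.g. versionNumber, displayName
        }
    }
}

# Run on a domain controller; rows with ViaAgpm = False were not deployed by the
# AGPM service and deserve a closer look.
Get-GpoChangeReport -Hours 72 | Sort-Object Time | Format-Table -AutoSize
```

Events from other domain controllers are not included; run it on each DC or forward the Security logs to one place first.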


The details of working with AGPM are described in the documentation included in the installation package and in the Guide for Microsoft Advanced Group Policy Management section. For those who want to know what is under the hood of AGPM, down to the contents of network packets, there is the TechNet series of articles AGPM Production GPOs (under the hood).


A spoonful of tar


Unfortunately, the Microsoft Desktop Optimization Pack is not freely available. It can be obtained legally only with an active Microsoft subscription, be it Software Assurance or MSDN.

Source: https://habr.com/ru/post/412517/

