Nathan Ziehnert

3 minute read

We've thus far installed and configured AGPM, created our first policy, and at the same time walked ourselves through the approval flow built into AGPM. What happens when we have existing policies though? I'm assuming that if you're reading this you're not building GPOs from the ground up (if you are, kudos for implementing good practices up front). This post will cover a few different things:

Let's open the group policy management console and open up Change Control. Click on the “Uncontrolled” tab and then you'll see a list of policies that exist in “Production” (Active Directory) but not in the “Archive” (AGPM).

Now right click on a policy in this list you want to manage in AGPM, select “Control…", enter a comment, and then press OK… annnnnnd… crud.

[GPMC Error] Could not take ownership of the production GPO. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

If you followed the least privilege guide and didn't give the AGPM service account Domain Admin privileges, there is a good chance that your “Group Policy Creator Owners” group doesn't by default have delegated privileges to all policies in the domain. At this point you can do one of two things - you can delegate privileges to the “Group Policy Creator Owners” group or directly to your AGPM Service Account. An easy way to do this is by running the “Set-GPOFullControl.ps1” script available on my GitHub. You can run this script from any machine on the domain (no administrative tools required) provided the account running the script has the appropriate privileges on the GPOs. As always - please test, or have a recovery plan in place should something go wrong with a script!

After running the script (or validating that the AGPM Service Account has Full Control over the policies you want to manage) let's try again - right-click on a policy in the uncontrolled list, select “Control…", enter a comment, and then press OK. You should see something like this instead (If you are only an editor, you will have to submit a request same as we did when we requested a new policy be created):

From here on out, it works the same way as I described in the last post - check out/in, edit, deploy, etc.

One caveat that you need to know up front - if you are not managing policies with AGPM (even if AGPM is installed) you will NOT get the benefit of version control. Remember AGPM is merely just an archive of copies of GPOs - it doesn't magically keep track of all the changes to GPOs in AD.

First locate the policy that you want to rollback in your “Controlled” policies. Right-click on the policy and select “History”

Now you get a list of the history of the policy - and provided you haven't set a limit on how many policies to keep, it's the entire history. Right-click on a version of the policy you want to rollback to, and select “Deploy…” - it's as simple as that! Of course, as always, if you're only an editor, this will send a request to the approvers to be approved.

comments powered by Disqus

Table of Contents