Nathan Ziehnert

5 minute read

We’ve thus far installed and configured AGPM, created our first policy, and at the same time walked ourselves through the approval flow built into AGPM. What happens when we have existing policies though? I’m assuming that if you’re reading this you’re not building GPOs from the ground up (if you are, kudos for implementing good practices up front). This post will cover a few different things:

  1. Importing existing GPOs for management (and discovering a flaw in our existing setup)
  2. Rolling back to a previous version of a policy
  3. Re-syncing policies when they get out of sync
Alright Mr. GPO Manager, let’s get to it!

Importing Existing Policies

For those of you with a penchant for self-harm, feel free to create all new copies of your policies and rebuild them from scratch. For those of you with a little more sense, let’s learn how to import our existing policies. This is honestly simple, and if you’ve been following along and doing some of your own digging around (which I encourage), there is a good chance you’ve already discovered this on your own (and may have run into an error - if you did, read on).

Let’s open the group policy management console and open up Change Control. Click on the “Uncontrolled” tab and then you’ll see a list of policies that exist in “Production” (Active Directory) but not in the “Archive” (AGPM).

Now right click on a policy in this list you want to manage in AGPM, select “Control…”, enter a comment, and then press OK… annnnnnd… crud.

[GPMC Error] Could not take ownership of the production GPO. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

If you followed the least privilege guide and didn’t give the AGPM service account Domain Admin privileges, there is a good chance that your “Group Policy Creator Owners” group doesn’t by default have delegated privileges to all policies in the domain. At this point you can do one of two things - you can delegate privileges to the “Group Policy Creator Owners” group or directly to your AGPM Service Account. An easy way to do this is by running the “Set-GPOFullControl.ps1” script available on my GitHub. You can run this script from any machine on the domain (no administrative tools required) provided the account running the script has the appropriate privileges on the GPOs. As always - please test, or have a recovery plan in place should something go wrong with a script!

After running the script (or validating that the AGPM Service Account has Full Control over the policies you want to manage) let’s try again - right-click on a policy in the uncontrolled list, select “Control…”, enter a comment, and then press OK. You should see something like this instead (If you are only an editor, you will have to submit a request same as we did when we requested a new policy be created):

From here on out, it works the same way as I described in the last post - check out/in, edit, deploy, etc.

Rolling Back to a Previous Version of a Policy

Mistakes are inevitable - you have to strike a fine balance between testing as many scenarios as you can think of and the amount of time that you can afford to spend testing. When you run into an issue - especially with a large GPO - it can sometimes be hard to figure out what you changed in the last edit. That’s why AGPM version control is so nice - you can redeploy and old version of a policy that you know works.

One caveat that you need to know up front - if you are not managing policies with AGPM (even if AGPM is installed) you will NOT get the benefit of version control. Remember AGPM is merely just an archive of copies of GPOs - it doesn’t magically keep track of all the changes to GPOs in AD.

First locate the policy that you want to rollback in your “Controlled” policies. Right-click on the policy and select “History”

Now you get a list of the history of the policy - and provided you haven’t set a limit on how many policies to keep, it’s the entire history. Right-click on a version of the policy you want to rollback to, and select “Deploy…” - it’s as simple as that! Of course, as always, if you’re only an editor, this will send a request to the approvers to be approved.

Re-syncing Policies When They Get Out Of Sync

It happens every once in awhile - someone edits a policy outside of AGPM. Luckily resynchronizing the policies is as easy as right-clicking on the policy in AGPM and choosing one of two options:
  1. “Deploy…” - this will send the Archive version into Production, but be warned that any changes in the current Active Directory version of the policy will NOT be saved.
  2. “Import from…” > “Production” - this will take the current version in Production (Active Directory) and import it into the Archive, effectively synchronizing the Archive and Production versions of the GPO without making any changes to the current settings
It’s really that simple - probably one of the easier to fix mistakes within AGPM. And again as always, if you’re only an editor, this will send requests to the approvers to be approved.

Conclusion

Alright, so now we’re getting closer to a more “usable” setup for AGPM. We can import current policies to be controlled in AGPM, we can fix synchronization issues, and we can rollback when mistakes are made. In the next post we’ll cover deletions of policies, and anything else that I can think of between now and then. Hope you’re enjoying this series - Merry Christmas and Happy Admining!

comments powered by Disqus