none
Group policy change control AGPM

    Question

  • hi, this hopefully will be an easy question, once Microsoft Group policy change control has been installed and implemented (AGPM), so you have to checkin and checkout group policys, is there a way to remove certain group polices or all of them from change control.

    many thanks

    Mark Green

    Wednesday, July 20, 2016 7:52 AM

Answers

  • Hi,
     
    Am 20.07.2016 um 09:52 schrieb Mark Green (MCP) (MCSA):
    > hi, this hopefully will be an easy question, once Microsoft Group policy
    > change control has been installed and implemented (AGPM), so you have to
    > checkin and checkout group policys, is there a way to remove certain
    > group polices or all of them from change control.
     
    Yes. As long the GPOs was not manually braught into Change Control, a
    "controlled" state, the GPO is only managed in Group Policy objects and
    behaves like any other GPO you know in any system without AGPM.
     
    AGPM is only an optional feature. It does not restrict Domain Admins
    from editing GPOs beside AGPM. Content will be inconsitent if they do
    so, but you can not prevent this.
     
    The recommandation is to remove DomainAdmin permissions on GPOs and
    integrate only "AGPM-Admin(s)".
     
    But at least, they are DomainAdmins, they can get every permission they
    want ... is more like a good advice not to work without AGPM to
    DomainAdmins. It needs the AGPM Client installed on every "GP editing
    machine", otherwise you can only edit the GPOs, without control mechanism.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    Wednesday, July 20, 2016 8:31 AM