AGPM and Powershell


  • Hello. We have successfully implemented AGPM in our environment and are looking to automate a few of the steps for our Change Control folks.

    As of right now, when someone deploys a GPO via AGPM, the email is sent to our ticketing system where it generates a change request. My goal is that when the change request is approved by the CAB, we can execute a powershell command to Approve the change request in AGPM and complete the deployment.

    I am currently stuck trying to even use powershell to deploy a GPO via AGPM. I am aware of the cmdlets, and have read the documentation on all of them, but the main issue I am running into is as follows.

    If the GPO is checked-in or out, 

    Get-ControlledGPO | where {$ -eq "name of gpo"}

    This gives me the relevant information of the GPO, as well as the correct state.

    If the GPO is deployed, the command returns nothing. Basically, if it is in the deployed state, I can't seem to find it in powershell. The end result of the command should be

    Get-ControlledGpo -Domain "" | Where {$ -eq "name of gpo"} | Publish-ControlledGpo -comment "CHG00001234 Approved" -PassThru

    I did verify that I can publish other test GPOs that are not in a deployed state.

    Thanks for any help!

    Wednesday, November 2, 2016 2:26 AM

All replies

  • Hi,

    I am currently stuck trying to even use powershell to deploy a GPO via AGPM.

    >>>To achieve your goal, you may try to use new-gpo and new-gplink.

    Here is an article below about AGPM for your reference.

    Advanced Group Policy Object Management 4.0

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Sunday, November 6, 2016 11:48 AM
  • Hi,
    Am 02.11.2016 um 03:26 schrieb Llyenn:
    > If the GPO is deployed, the command returns nothing.
    Thats the expected behavior. BEcause if it is deployed, there is no
    /life/ copy of the controlled GPO.
    Be aware how AGPM actually works:
    I never edits the GPO in production. The "control" over the GPOs is
    simply to copy the productive (checkout), edit the copy, save and delete
    the copy (checkin) and import the backupcopy into the productive GPO
    (deploy) and changing some permissions
    The information which completly new GPElements is associated with a life
    GP is stored in XML.
    If it is deployed, there is no copied GP Element, then there is no
    information in AGPM, that a "control" situation is active. Because it´s
    nothing actually controlling ... if GPs are deployed, they are just
    GPOs, like in any other domain, where no AGPM is used.
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
    Homepage: - deutsch
    Sunday, November 6, 2016 1:15 PM
  • I guess my confusion relies on the deployment, because it isn't currently deployed, it is in a state of Requested Deployment. The full workflow we were looking for is as follows.

    1. Admin changes GPO in AGPM and Requests deployment.
    2. AGPM emails our Change Management system, which creates a formal change request (this is required, if not automated, must be entered here manually).
    3. CAB approves change.
    4. Change management system then "approves" or publishes the GPO to production via AGPM powershell cmdlet.

    The issue is that the Publish-ControlledGpo cmdlet relies on the lookup of Get-ControlledGpo. Since the GPO is in the limbo state of being Published (but not really, since it was only requested) I can't Publish it via powershell.

    Wednesday, November 30, 2016 11:58 PM