In this blog post, we will go through Deploying Advanced Group Policy Manager (AGPM) from Microsoft. This software is part of the Desktop Optimisation Pack and is available through your volume license agreement where applicable.
Note: It’s your responsibility to ensure you are fully licensed to use this.
The AGPM server should be provisioned on a dedicated server. It doesn’t need to be a high spec server but this example is done using a dedicated server. We will set up AGPM to use a Group Managed Service Account (GMSA) as per our previous blog post. We will also use a least privilege model to ensure the GMSA only has the access it requires and not just the default Domain Administrator access.
Pre-requisites
For this we are going to need a few things to be provisioned before we can start installing and configuring the software.
The first thing we will do is create a group that will be granted Full Control to the AGPM server. This group is specified during the installation process.
New-ADGroup -Name "gs_AGPM-FullControl" -SamAccountName gs_AGPM-FullControl -GroupCategory Security -GroupScope Global -DisplayName "AGPM Full Control" -Path "CN=Users,DC=<<domain>>,DC=<<tld>>" -Description "Members of this group have Full Control of the AGPM Server"
We can add our current working account to this group so that when AGPM is deployed we are able to configure it.
Next, we will create a group that grants access to the GMSA, the computer account for the server will be added as a member of this group. A reboot will be required for this to take effect
New-ADGroup -Name "gs_GMSA-AGPM" -SamAccountName gs_GMSA-AGPM -GroupCategory Security -GroupScope Global -DisplayName "GMSA AGPM" -Path "CN=Users,DC=<<domain>>,DC=<<tld>>" -Description "Members of this group are able to use the GMSA for AGPM"
Add-ADGroupMember gs_GMSA-AGPM -Members <<ServerName>>$
Note: The dollar at the end of Server Name is required, once the membership is updated, reboot the AGPM server.
Next, we will create a temporary account that will be used during the installation process. Once we have installed AGPM and configured it to use the GMSA it will be removed. It doesn’t need any special permissions as it won’t actually be used.
$password = "Start12345" | ConvertTo-SecureString -AsPlainText -Force
New-ADUser -Name svc.AGPM -GivenName Service -Surname AGPM -AccountPassword $Password -ChangePasswordAtLogon $False -Enabled $True
Our final step is to create the GMSA that will be used later on. We will add it to the relevant groups as part of restricting the access. This requires the KDC Root Key to be created as per the post Enable Recycle Bin & Get ready for GMSA.
New-ADServiceAccount -Name gmsa-AGPM -DNSHostName gmsa-AGPM -PrincipalsAllowedToRetrieveManagedPassword gs_GMSA-AGPM
Add-ADGroupMember "Group Policy Creator Owners" -Members gmsa-AGPM$
Add-ADGroupMember "Backup Operators" -Members gmsa-AGPM$
Now we can proceed with the installation and configuration of AGPM
AGPM Installation
To install AGPM you will need the ISO for MDOP. There are two components for this, the server and the client. The installation is a Next Next Next affair. The wizard will prompt you for a service account, use the details for the User account we created earlier. You will be asked for the initial owner of the archive, set this to be the Full Control group we created. You can also chose a new location for the archive and if you desire a different network port (default is 4600).
Once the server is installed, you should be able to install the client on your management workstation/server and attempt to connect to the service. This part should work fine.
Changing to a GMSA
Microsoft don’t officially support using a GMSA for AGPM however they also produced a blog post explaining how to configure it. It’s a little fiddly to configure but not particularly difficult.
The first task is to stop the AGPM Server service on the server. With this stopped, we need to transfer to Service Principal Name (SPN)
setspn -l svc.AGPM
This will return something along the lines of
AgpmServer/<<server dns name>>/<<domain dns name>>
We delete the SPN from the temporary account then add it to the GMSA
setspn -D AgpmServer/<<server dns name>>/<<domain dns name>> svc.AGPM
setspn -A AgpmServer/<<server dns name>>/<<domain dns name>> gmsa-AGPM
If you have set up the archive owner as the group we created you do not need to worry about changing this setting in the registry. Set the permissions on the AGPM data folder (by default this is C:\ProgramData\Microsoft\AGPM) and on the folder %windir%\temp to grant ‘Full Control’ on these 2 folders and all sub files and folder to gmsa-AGPM$
Set permissions on all GPOs to grant gmsa-AGPM$ full control using:
Set-GPPermission -All -PermissionLevel GpoEditDeleteModifySecurity -TargetName DOMAIN\gmsa-AGPM$ -TargetType Computer
Set permissions to the root of each domain to all gMSA-AGPM$ to have “Link GPO” rights to all OU objects:
$agpmserviceaccountname = “gMSA-AGPM$”
$domaindn = (Get-ADDomain).distinguishedname
$agpmaccountsid = (get-adserviceaccount $($agpmserviceaccountname)).sid
$newsddl = "(OA;CI;RPWP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;$($agpmaccountsid))"
$objsecurity = get-acl -Path "ad:\$($domaindn)"
$objsecurity.SetSecurityDescriptorSddlForm($objsecurity.sddl+$newsddl)
Set-Acl -Path "ad:\$($domaindn)" -AclObject $objsecurity
Set service properties for AGPM Service to logon as DOMAIN\gMSA-AGPM$ (keep the password fields blank), then start the service. Test you can create/update/take control of your GPOs. Then you can delete the original temporary user
Remove-ADUser svc.AGPM -Confirm:$False
Now you have AGPM set up using least priviledge and a Group Managed Service Account. To force your admins to go through AGPM for all GPO changes, you can revoke permissions for the domain administrators.
Ref: https://blogs.technet.microsoft.com/craigf/2015/06/24/running-agpm-with-a-managed-service-account-msa-or-gmsa/
Is there a type in your New-ADServiceAccount cmdlet?
It says: -DNSHostName gsma-AGPM
Shouldn’t it be: -DNSHostName gmsa-AGPM?
Good spot thank you! I have updated it now. It would still work but you’re correct I should have done gmsa not gsma
Mark,
I realize this is an old article, but I just followed it to deploy a new 2019 server onto which I moved my existing AGPM install (from Server 2008 R2). Unfortunately, I have a recurring permissions issue deploying policies. Specifically: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
I have verified the permissions on the GP objects (via Get-GPPermissions) and on the folders, both local to the AGPM service (ProgramData) and the network share (DC\SYSVOL). I have found some files . New policies are created and deploy without issue. Interestingly, if I delete the policy from history I can re-control it and have complete control. This seems to imply this is related to the archive permissions, but I have verified the gMSA is owner and has full permissions.
Interestingly, if I un-control the policy (i.e. delete the history) I can re-Control it to gain full control. I think this means it’s a permissions issue with the archive, but given I’ve verified the permissions are correct I’m not sure how this could be.
Any pointers as to what I’m missing?
Hi Tony,
It does sound permission related although I am not sure what you’re missing. Does it work if you re-use the Service account on a fresh 2019 install rather than the GMSA? Just trying to eliminate the change from 2008R2 to 2019 as a potential issue
The directions where great. However i did run into a permissions issue:
Failed to read the permissions for this archive.
The following error occurred:
Access to the path ‘C:\ProgramData\Microsoft\AGPM\gpostate.xml’ is denied.
System.UnauthorizedAccessException (80070005)
i gave the gmsa-agpm user full control, and that took care of it. This was on Windows Server 2019.
Thank you Justin, thinking about it, I have a feeling I might have seen that before, possibly when restoring. I will run through the doc again and update.