3

I am investigating the different solutions available to manage GPOs.

I see that Microsoft proposes two tools: AGPM (Advanced Group Policy Management), part of the Desktop Optimization Pack, and SCM (Security Compliance Manager).

I see benefits of both:

- AGPM provides change management capabilities for GPOs, which is very valuable for any environment
- SCM provides Microsoft baselines and guidance to best configure the settings

What I don't really understand is if both tools can be used together, and if yes, how?

dSebastien
  • The question you should ask first is do either of the tools offer anything that you actually need or have identified a need for? I'm not suggesting that your question isn't valid, I'm only suggesting that the implementation of any technology, method, or tool should be justified via some type of needs analysis. Just because you can do something doesn't mean you should do it. – joeqwerty Jun 06 '11 at 12:26

1 Answer

4

AGPM is a GP Management Console add-on that gives versioning, editing without auto-applying ("offline editing"), and more granular delegation. It's only useful IMO if you've got more than 2 people editing the same GPOs or you need to delegate out specific GPOs to different people (more than a few). We had a large support team for 4,000 computers but only a core of 3-5 that edited GPOs and found that our existing process of "test first, then tell everyone you changed it" was enough to not justify AGPM. AGPM only affects the editing and management client.

SCM is a tool run by GPO managers that, once you've got settings the way you want, will export to a GPO for enforcing a security policy. It's security focused and is more about hardening your environment or creating specific use cases. It's also not just for GPOs.

As far as I know they are not related, solve two different problems, and (I assume) wouldn't affect each other.

Bret Fisher
  • In our case, we would like to have a clear view of what has been changed to the GPOs, by whom and the rationale behind the modifications. For this reason AGPM is clearly the way to go for us. Also, as you say, SCM has a broader scope and we're very interested in trying to follow Microsoft's security baselines, which is why we also want to use SCM. Our problem is that we don't know if changes done to GPOs via SCM will be seen in the change history of AGPM and how editing the GPOs via SCM works with the check-out/check-in features of AGPM. In any case, thanks for your feedback! – dSebastien Jun 06 '11 at 13:15
  • If you edit a GPO outside of the AGPM add-in, then it's not logged in CM (yeah, that sucks). However, based on this video of SCM (I've not used it), it creates a GPO export which you would then need to import inside the AGPM editor, which to me means they complement each other. http://www.microsoft.com/resources/technet/en-us/solutionaccelerators/SCM_Demo_Windows_Server_ITPro.wvx – Bret Fisher Jun 06 '11 at 13:38