12.9. Final Thoughts

AGPM is neat. But it's an investment. Not only is it an investment in terms of money, it's also an investment in terms of time.

Remember that, by default, just because AGPM is deployed doesn't mean that the original owners can't modify the original live GPOs. To prevent that, you'll need to take Control of the GPO and then Redeploy it (even if that means you're just Redeploying the GPOs back on top of themselves). When you do that, the original owner is changed to SYSTEM or the AGPM-OWNER account (or whatever you called it during setup).
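The following audit sketch is an added example, not code from the book or from AGPM itself. It lists live GPOs whose owner is not SYSTEM or the AGPM account, or on which some other trustee still holds edit rights, which are the GPOs that still need Control and Redeploy. The account name `EXAMPLE\AGPM-OWNER` and the allow-list are placeholders to replace with your own values.

```powershell
#Requires -Modules GroupPolicy
param(
    # Placeholder: the AGPM service account chosen during setup.
    [string]$AgpmAccount = 'EXAMPLE\AGPM-OWNER',
    # Assumed allow-list of trustees that may edit live GPOs; extend as needed.
    [string[]]$AllowedEditors = @('NT AUTHORITY\SYSTEM')
)

$allowed    = @($AgpmAccount) + $AllowedEditors
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$findings = foreach ($gpo in Get-GPO -All) {
    # Trustees outside the allow-list who can still change the live GPO directly.
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editRights -contains "$($_.Permission)" } |
        ForEach-Object { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name } |
        Where-Object { $allowed -notcontains $_ }

    # After Control + Redeploy the owner should be SYSTEM or the AGPM account.
    $ownerOk = $allowed -contains $gpo.Owner

    if (-not $ownerOk -or $editors) {
        [pscustomobject]@{
            GPO             = $gpo.DisplayName
            Id              = $gpo.Id
            Owner           = $gpo.Owner
            OwnerControlled = $ownerOk
            DirectEditors   = @($editors) -join '; '
            Modified        = $gpo.ModificationTime
        }
    }
}

# Each row is a GPO that can still be modified outside the AGPM workflow.
$findings | Sort-Object GPO | Format-Table -AutoSize -Wrap
```

Domain Admins and Enterprise Admins will appear under DirectEditors unless you add them to `-AllowedEditors`; whether they belong on that list is a policy decision for your environment.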

Moreover, consider putting in place the extra "fences" so that no one can create GPOs outside the AGPM system. That way, you won't turn around one day asking, "How come all the machines ...
