Let’s start with the bad news…because there’s a lot of good news in this appendix, and I don’t want anyone to say, “Hey! I’m 30 pages into this and he didn’t tell me [this very important fact I’m about to tell you].”
That is, to use the stuff we’re going to talk about in this appendix, you have to pay Microsoft a little extra. That’s right. Everything we’ve talked about in this book so far is “free,” inasmuch as it’s in the box when you buy Windows and spin up an Active Directory, install your Windows clients, perform some downloads, and so on.
But this appendix is different. We’re going to talk about a Microsoft tool called Advanced Group Policy Management (AGPM). Its goal is to help bigger companies with the challenge of GPO management. There’s no “Are you sure you really want to do this?” inside the GPMC and Group Policy Object Editor. Everything happens in real time. If you make a mistake, there’s no “Group Policy Undo” short of disabling or deleting the GPO and hoping you only have a few desktops to clean up.
AGPM puts a “Change Management” system around Group Policy within the GPMC. Change Management is the art of “not screwing things up.” The idea is that some people request changes, others make editing choices, and others approve those changes. AGPM helps ensure that your overall philosophy of Group Policy management is actually followed. Here are the main things it’s meant to do: