Life of a GPO.
- Idea – if it comes in through Service now (SNOW), or an improvement you thought of, there needs to be a Ticket created and documented in SNOW. Link this ticket to the "parent ticket" CHG0031690 .
- Create an uncontrolled GPO using "change management" utility found in GPO editor. Name it appropriately, see below for guidance. (Creating GPO Walkthrough)
- Check the new GPO out, then edit it and check it back in. After each change, it will need to be checked back in and deployed before the changes are reflected in production, see below for guidance. (Editing GPO Walkthrough)
- Edit, test using normal procedures. Currently testing procedures is to choose is a test GPO of your choice that is small, then it moves to ITS, then to Campus/Department OU when it is ready for production.
- When ready for final production to the final destination, it needs to be "checked-out" and renamed (removing the "_dev/test" part of the name) then checked back in and submitted via a SNOW TICKET (or the same one as from the earlier steps) to MENSA or whomever is responsible for linking the GPO.
- OR in some cases, these changes will be rolled into another "parent" GPO to help with performance. Either way, this is to be documented in the SNOW TICKET. If it is rolled into another GPO, MENSA or DCIS will edit the "parent GPO" by checking out, editing, checking in, then deploying it. (Just as was done above) Remember to delete the Testing GPO in this case, as it is no longer needed. DELETE it using the same "change management" tool. The GPO will be placed in Recycle Bin. To complete the deletion you must choose the Destroy action from within the Recycle Bin.
- The point at which it is "deployed", it will be LIVE on the domain and will be implemented by all currently linked OUs immediately.
Naming Scheme for GPOs: (NO Special Characters, No Spaces. )
- "Sunset" GPOS (GPOs that should expire after a certain date): YYMMDD_Dept_Team_Description_/INC#_dev/test/(prd)
- Example: 191226_ITS_MENSA_BackgroundPicture_INC9999 (this is production version)
- 191226_ITS_MENSA_BackgroundPicture_INC9999_dev (This is the dev version)
- Enterprise-wide: GPOs: ResponsibleTeam_Description_dev/test/(prd)
- Example: MENSA_BackgroundPicture (this is production version)
- MENSA_BackgroundPicture_dev (This is the development version)
- Department Specific GPOs: Dept_Team_Description_dev/test/(prd)
- Edge unit GPOs: Dept_Description_dev/test/(prd)
DCIS roles in Advanced Group Policy Manager:
All full time staff have R/E/A of almost all GPOs. Excluded are "default domain policy, MENSA default server policies, ect"
DCIS student worker - Editor - They create group named "ITS-DCIS-GPO-Editor"
Edge case units R/E/A of all GPOs that start with their Dept name. This is based upon a group named Dept_GPOowners. Preferable to use Priv Accounts for this.
Student worker workflow DCIS
Assigned task to make GPO.
Full time staff creates GPO (as they are Approvers) for student to work on, and links to appropriate OU.
Student checks out GPO
Student edits GPO
Student Checks in GPO
Full time staff Reviews GPO created, then Deploys it. Since already linked, changes take effect immediately.
IF you need to change WMI filters or "scoping" of the GPO:
- Check GPO out using AGPM (Change control).
- Go to "group policy objects" and look for the GPO Prefixed with [AGPM]. (May take a few Refresh actions for this to show up.)
- Open that [AGPM]GPO by double clicking it, and change the filtering and/or scoping.
- Close GPO window, or click away from it.
- Check the GPO back in. This will incorporate the changes into the checked-In GPO.
- Finally, Deploy GPO. (The GPO will be active in production when the last modified date and time matches your deployment action.)
Creating a controlled GPO in AGPM: Advanced Group Policy Management
- Right Click on Change Control in Remote APP 'Group Policy Management".
- Choose New Controlled GPO.
- Create New GPO.
- Remember Naming Convention guidelines, suggest in "Archive Only" until you are ready to move it to "Deploy" it to Production. With Production will deploy the GPO when approved.
- If you have "Exported" a GPO previously, you may import it to this GPO. See Export-Import workflow.
- After successful creation or importation of GPO, you are ready to edit your new GPO.
GPO Export, Import and Deletion Workflow
All operations must be performed on the Change Control interface. You cannot delete a GPO from the production Group Policy Objects folder. You may backup a GPO from this folder, but you cannot restore the backup to production only Export/Import. Export of GPO objects may only take place in Controlled tab in Change Control folder. One caveat to the Importation process is that the GPO is placed in a Recycle bin after deletion. This leaves a copy in the Archive. If you try to Import a GPO and give it the same name, the process will error. You must give it a new name if you wish to preserve the recycle copy and versions or Destroy it and delete all versions of the GPO. These are screen shots of the workflow used.
Export: Note Path. Saving must be external to Server.
Right Click to Import New Controlled GPO:
Note: Create in Archive button. Probably best as you will make changes and Deploy after finishing GPO.
Launch Import Wizard:
Note Path. Saving must be external to Server.
You may view the settings of the policy in .htm file.
Note: Failure due to duplicate name. Must delete from Recycle bin etc..
After Destroying GPO from Recycle Bin the Import process completed successfully.
Right click on the deleted GPO and choose if you wish to "Destroy" all archived copies.
Note: Will not affect Deployed GPOs. (See Above for Deletion of Deployed GPO's)
Deletion: Note (To delete a production GPO, you must disable and remove its Links and delete it from the Controlled interface.)
Editing Controlled GPO
Right click on GPO to be edited and select check out. A comment is added to aid in tracking.
The GPO will show with a Red icon and create a temporary [AGPM} GPO Name in Group Policy Objects.
Note: The [AGPM] GPO Name object in the "Group Policy Objects" folder. This is the copy of your GPO created to edit before the settings are copied back over with Check-IN.
You may also Cancel your Check-Out. This will erase any changes made and revert to previous version.
When you right click on the Checked-Out GPO and choose edit you are actually editing the [AGPM] temporary copy.
The permissions assigned to the [AGPM] copy allow you to edit the GPO.
When edits have been completed the GPO must be right clicked in the Controlled tab of the Change Control interface and Check IN selected. A comment would be added.
Success would be shown with the completion screen.
After Check In has completed to get it in production you must Deploy the changes. The GPO will restore all links unless you go to the advanced button and deselect any or all links.