
AGPM, or Advanced Group Policy Management, is a Microsoft Desktop Optimization Pack (MDOP) add-on for the Group Policy Management Console (GPMC). It extends the native GPMC with change control, offline editing, role-based delegation, and an approval workflow for Group Policy Object (GPO) management. In short, AGPM offers capabilities that are absent from the standard Windows Server tooling.

What is AGPM?

AGPM is a set of tools available to Software Assurance customers. AGPM adds to the native GPMC with an AGPM Server component that acts as a centralized archive for GPOs.

Consider this scenario: In the absence of AGPM, any admin with the right Active Directory permissions can edit a GPO and push it live immediately. No review or approval is required, and there is no built-in rollback. AGPM adds a controlled change management process for GPOs.

Key concepts in AGPM

  • AGPM Server: A Windows service that hosts the controlled GPO archive. All GPO changes are made against this archive, not directly in Active Directory.
  • AGPM Archive: A secure, centralized store for all GPO versions and history. This is separate from the live production GPOs in SYSVOL.
  • AGPM Client: A GPMC snap-in extension installed on administrator workstations. It provides the interface for checking GPOs in and out of the archive.
  • Check-in and Check-out: AGPM uses a check-out model similar to version control. An admin checks out a GPO, edits it offline, and checks it back in—preventing simultaneous conflicting edits.

Key functions of AGPM

  • Offline GPO editing without affecting production settings
  • Version history and rollback of GPO changes
  • Change approval workflow before GPOs go live
  • Role-based access control for GPO management tasks
  • A comprehensive audit trail of who changed what and when
  • GPO templates for standardizing policy configurations
  • Search and filtering across GPOs in the archive

AGPM vs. GPMC

The native Microsoft tool for creating, linking, and managing GPOs is the GPMC. It is built into Windows Server and is available at no additional cost. AGPM is a paid add-on that extends the GPMC with governance and change control capabilities.

Feature                              GPMC      AGPM
Offline GPO editing                  No        Yes
Change tracking and version history  No        Yes
Approval workflows                   No        Yes
Role-based delegation                Limited   Granular
Audit trail                          Basic     Detailed
GPO templates                        No        Yes

For a small organization with a single trusted admin who manages GPOs, the GPMC is enough. But when multiple admins are involved, when regulatory compliance requires an audit trail, or when unapproved changes to production GPOs pose a risk, AGPM comes into play.

How to install AGPM

AGPM has two components that must be installed separately: the AGPM Server and the AGPM Client.

Prerequisites

  • An active Software Assurance subscription (AGPM is part of MDOP)
  • Windows Server 2012 or later for the AGPM Server
  • GPMC installed on the server and all client workstations
  • .NET Framework 3.5 or later
  • An account with Domain Admin privileges for installation

Installing the AGPM Server

  1. Download MDOP from the Microsoft Volume Licensing Service Center.
  2. Run the AGPM Server installer on the designated server.
  3. Specify the archive path, which is the location where AGPM will store all GPO versions.
  4. Configure the AGPM service account. This account requires Read and Write permissions on the archive path.
  5. Specify the AGPM port (default: 4600) and confirm the installation.

Installing the AGPM Client

  1. Run the AGPM Client installer on each administrator workstation.
  2. Open the GPMC. You will see a new Change Control node in the console tree.
  3. Right-click Change Control and select Configure.
  4. Enter the AGPM Server name and port.
  5. Connect and begin managing GPOs through the AGPM interface.

Key features and capabilities

Change control and version history

AGPM records every change made to a GPO as a new version in the archive. Admins can view the complete history of all the changes made, compare any two versions side by side, and roll back to a previous version at any given time. This is the most crucial capability that AGPM offers over the native GPMC.

In a standard GPMC environment, there is no built-in undo option. If a misconfigured GPO causes issues in production, the only recovery option is to reconfigure the policy manually, often without a record of what the original settings were.

With AGPM, rolling back a bad change is just a matter of selecting the last known good version in the archive and deploying it in your environment.

Offline editing

Modifying a GPO in the GPMC updates it in your Active Directory. There is no staging environment. The check-out model in AGPM solves this issue.

  • An administrator checks out a GPO from the AGPM archive.
  • The GPO is locked in the archive. No other admin can edit it simultaneously.
  • The admin makes changes in an offline copy, isolated from the production environment.
  • The changes are checked back in to the archive and submitted for review.
  • Only after approval is the GPO deployed to Active Directory.

This capability prevents any accidental changes to live policies during the editing process and eliminates conflicts when multiple admins work on GPOs concurrently.

Role-based delegation

AGPM defines four default roles that can be assigned to users and groups:

  • AGPM Administrator: Has full control over all AGPM settings, roles, and the archive.
  • Approver: Can deploy GPOs to production, approve or reject change requests, and create or delete GPOs.
  • Editor: Can check GPOs in and out, make changes, and submit them for approval but cannot deploy directly.
  • Reviewer: Can view GPO settings and history but cannot make changes.

These roles are independent of native Active Directory permissions. This means you can delegate specific GPO management tasks to junior admins or help desk staff without granting them broad Active Directory rights. Roles can also be scoped to individual GPOs rather than applied globally.

Audit trail and reporting

AGPM logs all GPO activity in a structured audit trail, including:

  • Who checked out and checked in a GPO
  • What settings were changed and when
  • Who submitted a change for approval
  • Who approved or rejected a change
  • Who deployed a GPO to production

This audit trail supports compliance requirements and simplifies post-incident investigation. With AGPM, administrators can also generate reports that show exactly what changed between any two GPO versions.

GPO templates

With AGPM, administrators can save GPOs as templates in the archive. A template is a GPO configuration that serves as the starting point when creating new GPOs. It helps ensure consistent baseline settings across your environment.

For example, an organization can create and maintain templates for standard workstation security policies, server hardening baselines, or department-specific desktop configurations. New GPOs created from a template will inherit all of its configurations. This reduces setup time and the risk of missing necessary policy entries.

Search and filtering

The AGPM archive can grow large in complex environments. AGPM includes search and filtering capabilities. This allows admins to locate GPOs by name, status, or history without manually going through the entire archive or GPMC tree.

This is extremely useful when an administrator needs to quickly identify all GPOs that have been modified within a specific time period or by a specific user during a compliance audit.

AGPM best practices

  • Always use the check-out workflow. Avoid bypassing AGPM to edit GPOs directly in the GPMC, because doing so breaks the version history for that GPO.
  • Back up the AGPM archive regularly. The archive is a separate store from SYSVOL. Include it in your backup strategy.
  • Assign roles with least privilege. Not every admin needs Approver or Editor rights. Reviewers and read-only access are sufficient for most monitoring tasks.
  • Establish an approval policy. Define who can approve GPO changes and set expectations for review time before deployment.
  • Document the purpose of every GPO. Use the AGPM comment field when checking in changes to record why each change was made.
  • Test in a lab or non-production OU. Do this before deploying changes that affect critical systems.
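The "back up the AGPM archive regularly" practice above is easy to state but easy to get half right, because the archive folder and the live GPOs are two different stores. The script below is an added example, not code from the page, from Microsoft, or from ManageEngine. It backs up the production GPOs with the native Backup-GPO cmdlet, takes a file-level copy of the AGPM archive folder, writes a SHA-256 manifest so a tampered or incomplete backup set can be detected at restore time, and prunes old sets. The archive path, the destination share, and the retention period are assumptions; the archive path is whatever was entered during AGPM Server installation.

```powershell
# Added example (not from the page, Microsoft, or ManageEngine). Backs up both the live
# GPOs and the AGPM archive folder into one timestamped backup set.
#Requires -Modules GroupPolicy
param(
    [string]$AgpmArchivePath = 'D:\AGPM\Archive',          # assumption: path chosen at AGPM Server setup
    [string]$BackupRoot      = '\\backupsrv\gpo-backups',  # assumption: destination share
    [int]$RetainDays         = 30                          # assumption: retention window
)

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
$gpoDir = Join-Path $target 'LiveGPOs'
$arcDir = Join-Path $target 'AgpmArchive'
New-Item -ItemType Directory -Path $gpoDir, $arcDir -Force | Out-Null

# 1. Native backup of every production GPO (both the AD container and the SYSVOL folder).
Backup-GPO -All -Path $gpoDir -Comment "Scheduled backup $stamp" | Out-Null

# 2. File-level copy of the AGPM archive. /E copies subfolders, /COPY:DATS keeps data,
#    attributes, timestamps and ACLs; /R:2 /W:5 bounds retries on files AGPM has open.
#    Run this in a quiet window: AGPM writes to the archive on every check-in and deploy.
robocopy $AgpmArchivePath $arcDir /E /COPY:DATS /R:2 /W:5 /NFL /NDL /NP | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 3. Integrity manifest: hash every file in the set so restores can be verified.
#    Files are enumerated before the manifest is written so it does not list itself.
$files = Get-ChildItem -Path $target -Recurse -File
$files | ForEach-Object {
    [pscustomobject]@{
        RelativePath = $_.FullName.Substring($target.Length + 1)
        SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation

# 4. Retention: remove backup sets older than $RetainDays.
Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$RetainDays) } |
    Remove-Item -Recurse -Force

Write-Output "Backup set written to $target ($($files.Count) files)"
```

Schedule it under an account that has read access to the archive folder and the GPO backup permission in the domain, and keep the destination share out of reach of the accounts that edit GPOs, so a bad change cannot also destroy the evidence needed to undo it.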

AGPM deprecation

Microsoft has deprecated AGPM as part of the broader deprecation of MDOP. MDOP reached end of support on Jan. 14, 2025. Therefore, Microsoft no longer provides security updates, patches, or technical support for AGPM.

Existing AGPM deployments will continue to function after end of support, but organizations relying on AGPM for GPO change control should look for alternative solutions. Running unsupported software in a production environment introduces security and compliance risks over time.

The leading AGPM alternative

ADManager Plus is a purpose-built Active Directory management and reporting solution that covers the GPO management use cases that AGPM addressed, and extends them significantly.

ADManager Plus provides:

  • GPO creation, linking, and management across domains from a single console
  • Bulk GPO operations, including deletion, enforcement, and inheritance management
  • GPO backup, restore, and migration across domains
  • Role-based delegation for GPO tasks without modifying native AD permissions
  • Detailed GPO reports for compliance auditing
  • Forced GPO updates at scale

Unlike AGPM, ADManager Plus is actively maintained, does not require a Software Assurance subscription, and works alongside modern Active Directory environments including hybrid configurations with Microsoft Entra ID.

Troubleshooting tips

AGPM Server connection fails

Verify the AGPM service is running on the server. Check that the port (default: 4600) is open in the firewall and that the AGPM Client is pointing to the correct server name and port in the Change Control configuration.
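The three checks in that paragraph (service running, port open, client pointed at the right server and port) can be run from the admin workstation in one pass. The function below is an added example, not code from the page or from Microsoft. It tests TCP reachability of the AGPM port, then uses WinRM to ask the server whether an AGPM service is running, whether anything is listening on the port, and which enabled inbound firewall rules allow it. The server name, the '*AGPM*' service display-name pattern, and the availability of WinRM on the server are assumptions; 4600 is the default port the page states.

```powershell
# Added example (not from the page or Microsoft): first-line diagnostics for an AGPM
# Client that cannot reach its AGPM Server. Requires WinRM access to the server.
function Test-AgpmConnectivity {
    param(
        [Parameter(Mandatory)][string]$AgpmServer,
        [int]$Port = 4600                       # default AGPM port per the page
    )

    # 1. Name resolution and TCP reachability from this workstation.
    $tcp = Test-NetConnection -ComputerName $AgpmServer -Port $Port -WarningAction SilentlyContinue

    # 2. Service state on the server. Display-name pattern is an assumption.
    $svc = Invoke-Command -ComputerName $AgpmServer -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Service | Where-Object DisplayName -like '*AGPM*' |
            Select-Object Name, DisplayName, Status, StartType
    }

    # 3. Is something listening on the port, and is an enabled inbound Allow rule open for it?
    $srv = Invoke-Command -ComputerName $AgpmServer -ErrorAction SilentlyContinue -ArgumentList $Port -ScriptBlock {
        param($p)
        $rules = Get-NetFirewallPortFilter -Protocol TCP |
            Where-Object { $_.LocalPort -eq "$p" } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
        [pscustomobject]@{
            Listening     = [bool](Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
            FirewallRules = @($rules.DisplayName)
        }
    }

    [pscustomobject]@{
        Server        = $AgpmServer
        ResolvedIP    = $tcp.RemoteAddress
        TcpOpen       = $tcp.TcpTestSucceeded
        Services      = $svc
        Listening     = $srv.Listening
        FirewallRules = $srv.FirewallRules
    }
}

# Assumed server name; compare the result with what is entered under Change Control > Configure.
Test-AgpmConnectivity -AgpmServer 'agpm01.corp.example' -Port 4600 | Format-List
```

Read the result from the bottom up: a stopped service or an empty Listening flag is a server-side problem, Listening true with TcpOpen false points at the firewall or the network path, and everything true with the client still failing usually means the server name or port typed into the Change Control configuration does not match.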

GPO changes are not appearing in the archive

Confirm the administrator is using the AGPM check-out workflow and not editing the GPO directly in GPMC. Direct GPMC edits bypass AGPM entirely and will not appear in version history.
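Since direct GPMC edits never reach the archive, AGPM's own history cannot tell you they happened; the record exists only on the domain controllers. The script below is an added example, not code from the page or from Microsoft. It pulls Security event 5136 (directory service object modified) from the DCs, keeps only writes to GPO containers and to gPLink attributes (links and unlinks), maps the container GUID back to a GPO display name, and filters out changes made by the AGPM service account, which is how approved deployments from the archive arrive in Active Directory. Anything left is a candidate out-of-band edit. The DC names, the service account name, the lookback window, and the assumption that AGPM deployments run under the service account are all mine; the script also assumes "Audit Directory Service Changes" is enabled and a SACL exists on the Policies container, otherwise no 5136 events are produced.

```powershell
# Added example (not from the page or Microsoft): surface GPO changes written directly
# to Active Directory, i.e. edits that bypassed the AGPM check-out/approve/deploy workflow.
#Requires -Modules GroupPolicy
param(
    [string[]]$DomainControllers = @('dc01.corp.example', 'dc02.corp.example'),  # assumption
    [string]$AgpmServiceAccount  = 'CORP\svc-agpm',                              # assumption
    [int]$LookbackHours          = 24
)

# GUID -> display name map, so the report is readable. ObjectDN carries the GUID in
# braces and upper case, so the key is normalised to that form.
$gpoNames = @{}
Get-GPO -All | ForEach-Object { $gpoNames["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName }

$filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$findings = foreach ($ev in $events) {
    # Flatten the EventData XML into a name -> value table.
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep GPO container writes (settings and versionNumber bumps) and gPLink changes on
    # OUs/domains (a GPO being linked or unlinked). Everything else is unrelated AD churn.
    $isGpoContainer = $d.ObjectClass -eq 'groupPolicyContainer'
    $isLinkChange   = $d.AttributeLDAPDisplayName -eq 'gPLink'
    if (-not ($isGpoContainer -or $isLinkChange)) { continue }

    $guid = if ($d.ObjectDN -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0].ToUpper() } else { $null }
    $op   = switch ($d.OperationType) { '%%14674' { 'Value Added' } '%%14675' { 'Value Deleted' } default { $d.OperationType } }

    [pscustomobject]@{
        Time      = $ev.TimeCreated
        DC        = $ev.MachineName
        Actor     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Target    = if ($guid -and $gpoNames[$guid]) { $gpoNames[$guid] } else { $d.ObjectDN }
        Attribute = $d.AttributeLDAPDisplayName
        Operation = $op
        Value     = $d.AttributeValue
    }
}

# Deployments performed by AGPM arrive under the service account and are expected;
# everything else was written by some other principal and deserves a look.
$findings |
    Where-Object { $_.Actor -ne $AgpmServiceAccount } |
    Sort-Object Time |
    Format-Table Time, DC, Actor, Target, Attribute, Operation -AutoSize
```

Run it daily over the previous 24 hours, or over a longer window when reconciling the archive after a "version mismatch" error. A versionNumber change on a container with no matching check-in in AGPM is the clearest signature of a direct GPMC edit; a gPLink change shows a GPO being linked or unlinked, which AGPM does not track at all.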

Approved GPO is not applying to clients

Verify the GPO was deployed from the archive to Active Directory after approval. Approval in AGPM only moves the GPO to the ready state in the archive; a separate Deploy action is required to write it to SYSVOL. Also check that the Group Policy Container (GPC, the object in Active Directory) and the Group Policy Template (GPT, the folder in SYSVOL) are in sync, using Get-GPO -All in PowerShell and comparing the AD and SYSVOL version numbers it reports.
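Get-GPO -All exposes both version numbers per GPO, split into the computer and user halves, but a list of forty GPOs is tedious to eyeball. The function below is an added example, not code from the page or from Microsoft. It walks every GPO, compares the AD-side (DSVersion) and SYSVOL-side (SysvolVersion) versions for both halves, and reports only the ones that differ, together with the last modification time so a fresh deploy can be told apart from a long-standing inconsistency. It uses only the current domain and the GroupPolicy module; nothing else is assumed.

```powershell
# Added example (not from the page or Microsoft): find GPOs whose AD (GPC) and SYSVOL (GPT)
# version numbers disagree. A normal edit bumps both; a mismatch means replication lag,
# a partial write, or an edit made outside the normal tooling.
#Requires -Modules GroupPolicy
function Get-GpoVersionDrift {
    foreach ($gpo in Get-GPO -All) {
        $c = $gpo.Computer   # PolicyInfo: DSVersion (AD) and SysvolVersion (SYSVOL)
        $u = $gpo.User
        [pscustomobject]@{
            Name           = $gpo.DisplayName
            Id             = $gpo.Id
            Status         = $gpo.GpoStatus
            Modified       = $gpo.ModificationTime
            ComputerAD     = $c.DSVersion
            ComputerSysvol = $c.SysvolVersion
            UserAD         = $u.DSVersion
            UserSysvol     = $u.SysvolVersion
            InSync         = ($c.DSVersion -eq $c.SysvolVersion) -and ($u.DSVersion -eq $u.SysvolVersion)
        }
    }
}

# Report only the problem GPOs. Re-run after a replication cycle before treating a
# mismatch as a defect: a GPO deployed minutes ago can lag until SYSVOL replication catches up.
$drift = Get-GpoVersionDrift | Where-Object { -not $_.InSync }
if ($drift) {
    $drift | Sort-Object Modified -Descending |
        Format-Table Name, ComputerAD, ComputerSysvol, UserAD, UserSysvol, Modified -AutoSize
} else {
    Write-Output 'All GPOs: AD and SYSVOL versions match.'
}
```

If a GPO stays out of sync across replication cycles, the usual fix is to bring it back through AGPM (check out, check in, deploy) so that both halves are rewritten from the archive copy, which is the same remedy the next troubleshooting item describes for version mismatch errors.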

Version mismatch errors in the archive

This typically occurs if a GPO was edited outside of AGPM. Use the AGPM difference report to identify what changed, bring the GPO back into the archive with a check-in, and restore consistency.

FAQ

  1. Is AGPM free?

    No. AGPM is part of MDOP, which is available only to organizations with an active Microsoft Software Assurance agreement. It is not available as a stand-alone purchase or download.

  2. Can AGPM manage GPOs across multiple domains?

    Yes. AGPM can manage GPOs across multiple domains, but each domain requires its own AGPM Server instance. There is no single-pane-of-glass view spanning all domains natively.

  3. What is the difference between AGPM and the GPMC?

    The GPMC is the native, built-in tool for managing Group Policy. AGPM is a paid add-on that layers change control, version history, offline editing, and role-based delegation on top of the GPMC. AGPM requires the GPMC to be installed and works through a GPMC snap-in extension.

  4. What happens to my AGPM deployment after end of support?

    AGPM will continue to function after the January 2025 MDOP end-of-support date, but Microsoft will no longer provide security patches or technical assistance. Organizations should plan migration to a supported alternative.

  5. Can I roll back a GPO change in AGPM?

    Yes. Any version stored in the AGPM archive can be redeployed to production. Select the desired historical version in the Change Control tab, and use the Deploy action to push it back to Active Directory.
