AGPM and security filtering

Anonymous
2023-10-24T13:28:05+00:00

Hello,

We encountered an incident after switching the security filtering from authenticated users to a test security group with only two computers, prior to linking it. The policy was unintentionally deployed to all computers across our organization, when it was intended for the test group. What might have gone wrong between AGPM and GPMC, and do we need to perform an import from production after altering the security filtering?

Thanks


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


5 answers

  1. Anonymous
    2023-10-25T01:41:14+00:00

    Hello Saeid.A,

    Thank you for posting in Microsoft Community forum.

    Based on the description "changing the security filtering from authenticated users to a test security group before linking it, the policy got deployed to all organization still.":

    1. What policy did you configure? User configuration or computer configuration?
    2. What does all organization mean? All users in the domain or all machines in the domain?
    3. What does the test security group include? Some users, some machines, or both some users and some machines?
    4. Did you restart the machine or sign out and sign in the user account after you changed the security filtering?
    5. How did you check "the policy got deployed to all organization still."?

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

  2. Anonymous
    2023-10-25T12:54:36+00:00

    Please find the answers to your questions below:

    Thank you for posting in Microsoft Community forum.

    Based on the description "changing the security filtering from authenticated users to a test security group before linking it, the policy got deployed to all organization still.":

    1. What policy did you configure? User configuration or computer configuration? Computer configuration.
    2. What does all organization mean? All users in the domain or all machines in the domain? All computers in our organization.
    3. What does the test security group include? Some users, some machines, or both some users and some machines? The test security group only had two lab computers in it.
    4. Did you restart the machine or sign out and sign in the user account after you changed the security filtering? I am not sure why you are asking this question; this is GPMC and AGPM we are talking about, which don't need to be rebooted.
    5. How did you check "the policy got deployed to all organization still."? We had about 1700 tickets submitted to our helpdesk, and the GPO deployment was the only change that was made.

  3. Anonymous
    2023-10-25T14:06:12+00:00

    I found the answer to my question HERE

  4. Anonymous
    2023-10-26T02:31:23+00:00

    Hello Saeid.A,

    Thank you for your update and sharing.

    I think it will be very helpful to the persons that have similar questions.

    Thanks again. Have a nice day!

    Best Regards,
    Daisy Zhou

  5. Anonymous
    2024-06-24T21:55:30+00:00

    This solution doesn't work and doesn't address the core problem in the first place. Approving a change to a production policy and having AGPM replace all the security filtering settings with the production delegation settings is a huge problem and makes the check out/in / approval features of AGPM completely useless. Having to fix the security filtering upon every approval breaks every policy every time. Even assuming one knows what security filtering settings are appropriate to the policy and fixes them as quickly as humanly possible, devices/users are going to process policy in unintended ways during the intervening time. Once you factor in domain replication cadence, it's possible to have totally bogus settings, applying to devices all over the organization, for as long as your site replication intervals. This can't possibly be the intended behavior of the feature.

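A post-deploy check for the situation discussed in this thread, as an added example that is not part of any post above and not AGPM's own tooling: it reads the production GPO's permissions with `Get-GPPermission` from the GroupPolicy module and reports whether the trustees holding "Apply group policy" match the intended security filtering. The function name `Test-GpoSecurityFiltering`, the GPO name and the group name are hypothetical.

```powershell
# Added example: audit a production GPO's security filtering after an AGPM deploy.
# Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        # Trustees that are supposed to hold "Read + Apply group policy"
        [Parameter(Mandatory)] [string[]] $ExpectedApplyTrustees
    )

    # All permission entries on the GPO in the current domain
    $perms = Get-GPPermission -Name $GpoName -All

    # Security filtering = every trustee whose permission level is GpoApply (and not a deny entry)
    $applying = @($perms |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name })

    # Non-standard ACE combinations are reported as GpoCustom and may also
    # include the apply right, so list them for manual review
    $custom = @($perms |
        Where-Object { $_.Permission -eq 'GpoCustom' } |
        ForEach-Object { $_.Trustee.Name })

    # Comparisons are case-insensitive
    $unexpected = @($applying | Where-Object { $_ -notin $ExpectedApplyTrustees })
    $missing    = @($ExpectedApplyTrustees | Where-Object { $_ -notin $applying })

    [pscustomobject]@{
        GpoName            = $GpoName
        ApplyTrustees      = $applying
        UnexpectedTrustees = $unexpected   # e.g. Authenticated Users restored on deploy
        MissingTrustees    = $missing
        CustomAceTrustees  = $custom
        Compliant          = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

# Constructed names: replace with the real GPO and the intended test group
$result = Test-GpoSecurityFiltering -GpoName 'LAB - Test Policy' `
                                    -ExpectedApplyTrustees 'GPO-Test-Computers'
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Security filtering on '$($result.GpoName)' differs from the intended set."
}
```

Running it against the production GPO right after a deploy, and before the GPO is linked, shows whether the filtering that reached production is the one that was intended.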