Release Notes for Microsoft Advanced Group Policy Management 4.0

October 2009

About Microsoft Advanced Group Policy Management 4.0

Microsoft Advanced Group Policy Management (AGPM) 4.0 extends the capabilities of the Group Policy Management Console (GPMC). AGPM provides comprehensive change control and improved management of Group Policy Objects (GPOs).

The following documents can help you get started with AGPM 4.0.

More information

For more information about AGPM, see the following:

Providing feedback

You can post feedback or questions about AGPM to the Group Policy Forum (

Known issues with AGPM 4.0

Import from Production command does not import settings into a GPO that is checked out

If you edit a GPO in the production environment, you must import the GPO from production to update the GPO in the offline archive. The Import from Production command is intended to let you perform a final production backup before you finish editing so that you can roll back to the production backup if it is necessary.

If the GPO is checked out when you run the Import from Production command, then the production changes are not incorporated into the checked out version of the GPO. However, the imported version of the GPO is added to the history of the GPO even though that version is not available to be edited. When the GPO is checked in, that version will supersede the imported version in the archive, but both are available in the history of the GPO.

Workaround: Make sure that the GPO is checked in before you import it from production. If the GPO was not checked in before you imported it, you can use the Undo Check Out command to discard your changes and roll back to the version of the GPO that you imported from production.

Checked out GPOs cannot be edited for several minutes in an environment that uses a multiple site Active Directory topology

AGPM uses a client/server model. The AGPM Server and the AGPM Client each determine their own closest domain controller for Group Policy operations. When you check out a GPO by using an AGPM Client, it is actually the AGPM Server that checks the GPO out from the offline archive to a temporary folder in the SYSVOL folder.

If the AGPM Server and the AGPM Client are in different sites, then the temporary checked out GPO may not be present on the local site's domain controller for several minutes or up to 30 minutes due to SYSVOL replication latency. In this situation, you cannot edit the checked out GPO using the GPMC on an AGPM Client until SYSVOL replication of the checked out GPO has occurred.

Workaround: As a best practice, you should position AGPM Clients in the same site as the AGPM Server to which they connect so that you do not have to wait for SYSVOL replication to occur before you can edit a checked out GPO.

AGPM cannot read the backup limit if your account does not have permissions for the archive

On an AGPM Client, if you log on by using an account that has not been delegated permissions to the AGPM archive, start the Group Policy Management Console (GPMC), and then click Change Control, you receive the following error.

Failed to read backup purge limit for this domain. 

The following error occurred: 
You do not have sufficient permissions to perform this operation. 
Microsoft.Agpm.AccessDeniedException (80070005)

Workaround: Contact an AGPM Administrator (Full Control) and request that they delegate access to AGPM for your account. If you are an AGPM Administrator, log on by using an account to which the AGPM Administrator role is assigned so that you can delegate access for the additional account. For more information, see "Delegate Domain-Level Access to the Archive" in the AGPM Help.

Information in this document, including URL and other Internet Web site references, is subject to change without notice, and is provided for informational purposes only. The entire risk of the use or results of the use of this document remains with the user, and Microsoft Corporation makes no warranties, either express or implied. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Microsoft, MS-DOS, Windows, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.