Performing AGPM Administrator Tasks

An AGPM Administrator (Full Control) configures domain-wide options and delegates permissions to Approvers, Editors, Reviewers, and other AGPM Administrators. By default, an AGPM Administrator is an individual with Full Control (all Advanced Group Policy Management [AGPM] permissions) and therefore can also perform tasks associated with any role.

In an environment in which multiple people develop Group Policy objects (GPOs), you can choose whether all Advanced Group Policy Management (AGPM) users perform the same tasks and have the same level of access or whether AGPM Administrators delegate permissions to Editors who make changes to GPOs and to Approvers who deploy GPOs to the production environment. AGPM Administrators can configure permissions to meet the needs of your organization.

• Configure the AGPM Server Connection

• Configure E-Mail Notification

• Delegate Domain-Level Access

• Delegate Access to an Individual GPO

• Configure Logging and Tracing

• Managing the AGPM Service

  • Start and Stop the AGPM Service

  • Modify the Archive Path

  • Modify the AGPM Service Account

  • Modify the Port on Which the AGPM Service Listens

Also, because the AGPM Administrator role includes the permissions for all other roles, an AGPM Administrator can perform the tasks normally associated with any other role.

• Performing Approver Tasks, such as creating, deploying, or deleting GPOs

• Performing Editor Tasks, such as editing, renaming, labeling, or importing GPOs, creating templates, or setting a default template

• Performing Reviewer Tasks, such as reviewing settings and comparing GPOs

Additional considerations

By default, the AGPM Administrator role has Full Control—all AGPM permissions:

• List Contents

• Read Settings

• Edit Settings

• Create GPO

• Deploy GPO

• Delete GPO

• Modify Options

• Modify Security

• Create Template

The Modify Options and Modify Security permissions are unique to the role of AGPM Administrator.