Chat now with support
Chat mit Support

GPOADmin 5.17 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Setting permissions on AD LDS

To use GPOADmin with an AD LDS deployment, users must be assigned the Administrators role.

3
To grant the user rights, right-click the Administrators role and select Properties.

Setting permissions when using SQL as the configuration store

Perform the following after installing GPOADmin and before configuring the GPOADmin server.

a
In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O).
b
In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied.
d
Click the Execute button or press F5 to create the database.
b
Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database.
c
On the next line, type EXEC InitializeDatabase.
d
When ready, click the Execute button or press F5 to run the command.
b
Right-click Logins and select New Login.
e
Set the Default database property to the name of your GPOADmin database.
g
On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public.
h
Click OK to close the properties page.

Port requirements

The following ports must be open for the application to function correctly:

Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.

Between the client and the GPOADmin Server:

 

From the GPOADmin Server:

Configuration storage

GPO Archives

Editing the Version Control server properties

Users logged on with an account that is a member of the GPOADmin administrators group can edit the properties of the Version Control server when required. Specifically, they can:

1
Right-click the forest, and select Options.
Select Administrators and add and remove users who can connect to and alter the Version Control server-specific settings.
Select Users and add and remove users who can connect to the Version Control server, but can only perform those actions assigned by an administrator.
Backup store location: This option stores the backups in Active Directory if you selected it during the initial setup of GPOADmin as the storage method for your configuration.
AD LDS: This option stores the backups in Active Directory Lightweight Directory Services (AD LDS).
NOTE: To use the same AD LDS instance for both the configuration and backup store, select the “Configuration store location” option on the Backup location page.
Network Share: Enter or browse to a network share or directory.
SQL Server: This option stores the backups in SQL Server. Enter the database name and the required authentication.
a
To protect your environment from a SQL Injection attack, choose the SQL Input Filters option to specify which SQL statement inputs are not permitted within your deployment. By default, all of the inputs are marked as not permitted.
b
Choose the SQL Timeouts option to configure how long GPOADmin will wait to connect to the SQL server or to process a command.
5
Select Desired State Configuration | Root directory to specify a DSC root directory for each domain that supports DSC scripts. This root directory serves as the starting point for the DSC script enumeration and deployment location. DSC scripts cannot be registered until this option is enabled.
6
Select Scripts to set the file types that will be returned when enumerating Scripts in the live environment. Add and remove the file extensions as required and click OK.
7
Select Delegation | Roles to create and edit roles that are used to delegate rights over the Version Control system. The built-in roles and descriptions are displayed. Add, edit, and delete roles as required. For complete information about creating and delegating roles, see Configuring role-based delegation .
8
Select Notifications to configure email notifications on Version Controlled events. Notifications help you to stay informed of the latest changes to objects under version control and can be enabled for Exchange on-premises, Office 365 Exchange Online, and Gmail.

Select Attachments to embed report content in the body of the email.

 

Table 5. SMTP options

Select SMTP to modify the global SMTP notification options.

NOTE:  
If required, select Clear to delete data from SMTP and workflow notification settings.
GPOADmin supports TLS/SSL connections. When connecting to Office 365 for standard SMTP notifications, the  From  account must be a valid email address and have access to the mailbox of the authentication account.
If you want to use Microsoft Azure GCC High email for notifications, select the U.S Government GCC High option. For information on using Exchange Online for US Government environments refer to Microsoft documentation.
1
Select Basic to use Exchange for notifications.
a
Select to Enabled SMTP notifications.
2
Select Exchange Online and Office 365 to use Office 365 Exchange Online for notifications.
a
Select to Enabled SMTP notifications via Exchange.
a
Select to Enabled SMTP notifications via Gmail.
d
To navigate past the application verification warning, click Advanced and then click the Go to GPOAdmin (unsafe) link.
e
Grant GPOAdmin permissions to View and modify but not delete your email.
f
Click Allow to confirm your selection.

Select Workflow to enable workflow approval through email, set the authentication method, and modify the mailbox and server information.

NOTE:  
If required, select Clear to delete data from SMTP and workflow notification settings.
If you want to use Microsoft Azure GCC High email for approvals, select the U.S Government GCC High option. For information on using Exchange Online for US Government environments refer to Microsoft documentation. This option is only available for OAuth 2.0 Authentication.

 

1
Select Exchange, Exchange Online, & Office 365 to use Exchange, Exchange Online, or Office 365 for notifications.
a
Select Enable Workflow Approval through email.
To use Exchange for notifications, select Basic Authentication and enter the account to use to connect to the mailbox and password. Enter the Exchange Server Url or select Autodiscover Exchange Server Url to locate the Exchange server that is hosting the specified mailbox.
To ensure that approvals are processed only by users who have the rights to do so, check the Enforce approver account validation option. (This option will not function if you select to follow the Microsoft documentation that restricts access to a single mailbox.)
By default, GPOADmin uses the mailbox associated with the service account. If necessary, you can specify a different mailbox for the service to use when processing approvals and rejections through email. To do so, uncheck the Use the service accounts mailbox option and enter the mailbox that you want to the service to monitor. To connect as the service, leave the account blank and password blank.
To use Office 365 and Exchange Online for notifications, select OAuth 2.0 Authentication. Enter the mailbox. application Id, tenant Id, https://outlook.office365.com/ews/exchange.asmx as the Exchange Server Url. and a valid certificate and password.

 

a
Select to Enabled SMTP notifications via Gmail.
d
To navigate past the application verification warning, click Advanced and then click the Go to GPOAdmin (unsafe) link.
e
Grant GPOAdmin permissions to View and modify but not delete your email.
f
Click Allow to confirm your selection.
2
Select Logging | Configuration to enter the log location and the type of information you want to track.
3
Select Options to configure various settings.
Select General to configure the following options:

Perform Group Policy Management version check

Check to ensure the version of GPMC on the client is compatible with the GPMC version used within GPOADmin.

Disable all workflow options for Group Policy Objects

Disable all workflow on GPOs.

Keep in mind, if you disable the workflow, any changes made are immediately deployed in the live environment. To bring the GPO back under version control, enable the workflow.

Disable all workflow options for Scopes of Management

Disable all workflow on SOMs.

Keep in mind, if you disable the workflow, any changes made are immediately deployed in the live environment. To bring the SOM back under version control, enable the workflow.

Disable all workflow options for WMI Filters

Disable all workflow on WMI filters.

Keep in mind, if you disable the workflow, any changes made are immediately deployed in the live environment. To bring the WMI filter back under version control, enable the workflow.

Set default link state to enable when adding new links

This enables the default link state for any new links added to a SOM.

Enable Protected Settings for Group Policy Objects

This enables the ability to have Protected Settings policies that contain settings that you want to control. They are protected in the sense that they contain and identify the settings that cannot be altered by users. This provides an added level of security for the policies within your organization. If a user attempts to create, edit, or remove the flagged settings they are stopped.

Enable Group Policy Object Synchronization

Synchronizing GPOs allows you to automatically push out predefined “primary GPO” settings to specified targets both within a forest and between two forests. This allows you to ensure specific GPOs, which are required in every domain, contain the same settings without having to link to a GPO outside of the domain.

You are able to select one or more GPOs from various domains as synchronization targets for the source GPO. When the source GPO has been successfully deployed, the settings from the last major backup are imported into each synchronization target GPO.

Allow the service account to synchronize Group Policy Objects during deployment

Provides the ability to control whether the service account can perform a GPO synchronization during deployment.

Enable Unique Name

This ensures that GPOs and WMI filters cannot be created with the same name as an existing GPOs or WMI filter in a domain, select the Enforce Unique Names option. If a non-deployed GPO indicates that a duplicate name exists, run a full compliance check to determine if any GPOs were modified outside of GPOADmin. For more info see, Checking compliance .

Enable Unique Role Names

This ensures that roles cannot be created with the same name as an existing role.

Enable unregistered Scopes of Management linking

To allows users to link to unregistered Scopes of Management, select the Enable unregistered Scope of Management linking option. If this option is not selected, the policy and the SOM must be registered and the user linking the policy must have the Link right on both objects.

Display only the WMI Filters a user has Read access to when editing a GPO

Users are restricted to only the WMI Filters they have Read access.

Ensure service account access prior to deployment

This option must be enabled if you want users to be able to automatically deploy an object’s associated items. See Deploying objects (scheduling and associated items) .

It ensures that the service account has the Edit settings, delete, modify security rights on the working copy before deployment.

Enable the identification of associated items during deployment

Provides users with the option to identify and deploy associated items in a pending deployment state.

Prevent approval requester from approving their own changes

Ensures that a user cannot approve their own changes, even if they are in the approver's list for the object.

Enable the processing of custom workflow actions

Clicking the Launch Editor button starts the Custom Workflow Editor.

OU display format

Set the display format for OUs.

Select SQL Input Filters to view the allowed strings and characters for SQL statements.
Select Comments to enforce comments to all actions and naming conventions for newly created objects. Set a minimum comment length greater than 0. Leaving the value at 0 means comments are optional for all actions. Any value greater than zero makes comments mandatory for all actions and all users.
Select Deployment Failure to enable an automatic retry on failed deployments. Enable the option and select the number of attempts (maximum of 10) and the interval in minutes (maximum of 1440). Re-deployment attempts are done as scheduled deployments.
Select Preferred Domain Controllers and click Add to configure the domain controller that GPOADmin will use for all Active Directory actions. By default, GPOADmin uses the Primary Domain Controller.
Select Backups Retention to configure a retention schedule for backups. You can select to limit the backups to keep based on a specified number, age, or date. Backup retention settings apply to SQL configuration stores only.
4
Select License | Current License to view the current license information.
Select the Update License check box and then click Browse and go to the new license location.
5
Select Intune | Configuration to enable support for Intune and enter the information to connect to the required Azure Active Directory tenant. This includes the application ID, tenant ID, tenant name, and certificate for the tenant where Intune is installed. See the GPOADmin Quick Start Guide for minimum permission requirements.
6
Select Integration to configure settings that apply to a Quest Change Auditor™ integration.
7
Select Enable FIPS Mode. The Federal Information Processing Standards (FIPS) are government set guidelines and standards published by the National Institute of Standards and Technology. To run a Windows environment in FIPS compliant mode, the Microsoft Policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” must be enabled.
Select Enable FIPS mode to ensures that GPOADmin uses cryptographic algorithms that are FIPS compliant.
Select Allow self-signed certificates when communicating with Exchange servers if required.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen