Chat now with support
Chat mit Support

GPOADmin 5.19 - Quick Start Guide

GPOADmin watcher service

The watcher service protects an organization from unauthorized changes by automatically detecting changes to GPOs, scripts, and Scopes of Management made outside of the Version Control system. An optional component of GPOADmin, the watcher service will monitor registered GPOs, scripts, configuration profiles, and Scopes of Management outside of the GPOADmin console for changes and display them as non compliant with an icon change. If the change is valid, an administrator can either incorporate the change into the version control system or roll back the change to the previous deployed version.

The GPOADmin watcher service must be run using credentials with sufficient network permissions.

* 
NOTE: The watcher service requires the Replicating directory changes permission on the Default Naming Context and the Configuration Context for an object and all its descendants.
* 
TIP:  
Quest recommends installing only one GPOADmin watcher service per forest. If multiple watcher services are used, the timing of changes made to objects could get out of sync.
It is recommended that you do not install the Watcher Service on a domain controller.

For example, if you have a GPO checked out and it is flagged as non compliant by the Watcher Service, this indicates that the GPO settings in the live environment have changed since you checked out and started working on that GPO.

Once you have selected GPOs for check-in, the Non compliant Objects Detected dialog box shows you a list of the non-compliant objects, alerting you of any GPOs that have been modified outside of the version control system of GPOADmin, and providing you with the following options:
Cancel pending check in for all objects.
Cancel pending check in for non compliant objects and proceed with check in for compliant objects.
Accept unauthorized modifications and discard local changes. (Checks in the unauthorized and discards the local changes made within GPOADmin.)
Accept local changes and discard unauthorized modifications. (Checks in only the local changes made within GPOADmin.)
* 
NOTE: If the GPOs were in an Available state (not Checked out) and flagged as non compliant, you would not get this dialog box; you would see the regular compliance actions – Incorporate Live or Rollback.
* 
NOTE: The Remote Registry service must be running on the targeted GPOADmin service when installing the Watcher service standalone.

Watcher service polling interval

The default polling interval is 45000 milliseconds (45 seconds). If required, you can alter this to meet your needs.

To adjust the Watcher Service polling interval
1
Update the DWORD value named “Interval” under the following registry key:
HKLM\Software\Quest\GPOADmin\WatcherConfig
2
Select Decimal as the Base when editing the value.
3
Enter the desired value under Value data. (The value is in milliseconds where there is 1000 milliseconds to a second.)

Excluding security modifications on Scopes of Management from the watcher service

If needed, you can use a registry key to prevent the watcher service from flagging a Scope of Management as non-compliant when modifying the system-provided security.

If you select to enable this, you need to redeploy all registered scopes of management to ensure that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as non-compliant.

To exclude security modifications on Scopes of Management from the watcher service
1
Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
2
Set this to the same value on all GPOADmin service hosts and the watcher service host that share a common configuration store.
GPOADmin service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\VCConfig
Watcher service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\WatcherConfig
* 
NOTE: You will see the following event in the GPOADmin event log if the ExcludeSOMSecurityFromHash is set to 1: The Scope of Management '<distinguished name of the scope of management>' has been brought back into compliance.

This is a standard message displayed by the Watcher service when a change is made to a registered object. In this case, the compliance is not affected because the metadata for the live and stored objects has not been changed.

Port requirements

* 
CAUTION: It is recommended to conduct a thorough threat analysis before opening these services to an untrusted network.

The following ports must be open for the application to function correctly:

Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.

Between the client and the GPOADmin Server:
Kerberos TCP/UDP port 88
Kerberos Password TCP\UDP port 464
Inbound: Port 40200 (default)
Outbound: TCP ports within the following range (1024-65535) (For more details on default dynamic port range for TCP/IP see https://support.microsoft.com/en-us/kb/929851.)
* 
NOTE: To run the Version Control server on a custom port, you must set the following registry value:

Key: HKLM\Software\Quest\GPOADmin\Remoting
Value Name: Port
Value Type: DWord
Valid Values: 1-65536

If this value is not set, the default (port 40200) will be used.

From the GPOADmin Server:

Configuration storage
LDAP Service - TCP/UDP - 389 -or- AD LDS port (defaults to 389 or 50000)
If you are using SQL Server for GPO backup storage, the appropriate ports will need to be open. SQL Server’s default port is 1433.
If you are using Named Pipes with SQL, arbitrary ports may be required. SQL Named Pipes is not a recommended configuration through firewalls.

GPO Archives
If you are using a network share for GPO backup storage, you may require open ports on 135, 138, 139, and/or 445.
If you are using SQL Server for GPO backup storage, the appropriate ports will need to be open. SQL Server’s default port is 1433.
If you are using Named Pipes with SQL, arbitrary ports may be required. SQL Named Pipes is not a recommended configuration through firewalls.
If you are using AD LDS for GPO backup storage or configuration data, AD LDS will default to port 389 if not coexisting with AD. If AD is already installed, AD LDS will default to port 50000.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen