Chatee ahora con Soporte
Chat con el soporte

GPOADmin 5.17 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Deploying objects (scheduling and associated items)

Deploying changes within the system is a critical process that affects the live environment. To minimize the impact of disruption, this process should be done during a time period when the impact to users is minimal as the changes may alter the behavior of particular systems.

To reduce any issues, you can schedule the deployment of the changes for a specific date and time that best suits your needs. You can also schedule a deployment based on a different time zone, for example if the client is not in the same time zone as the server and you want to deploy based on the client’s time zone.

If you have multiple approvers:
Scheduling will only be available during the final approval and deployment.
If the scheduled approval fails due to non-compliance or for any other reason, the Deployer will be notified.
Only the Deployer can cancel the scheduled deployment.
* 
NOTE: Before you deploy a GPO, ensure that it is not cloaked. If you deploy a cloaked GPO, and then later deploy it uncloaked, it will be flagged as noncompliant.

During the deployment of an object, you have the option to identify and deploy any associated items (in the pending deployment state). When the associated objects are deployed they are subject to all regular compliance checks (including security checks).

* 
NOTE: This availability of the associated items option must be configured on the server by the administrator. For details, Configuring the Version Control server.
To deploy an approved object using the GPOADmin console
1
Expand the Version Control Root node, and the required container.
2
Right-click an object in the Approved state, and select Deploy.
3
Enter a comment.
4
Select the deployment time frame.
You have the option to deploy the changes immediately or at a specified time.
* 
NOTE: To synchronize during an immediate deployment (a non-scheduled deployment), the user deploying the GPO must have the Synchronize right.
If you select Schedule deployment for a later date, set the date and time, select an appropriate time zone if required, enter a comment, and click OK.
After you have scheduled a time, a clock icon appears beside the object and the Deployment Time column reflects the scheduled deployment.
* 
NOTE: If a scheduled deployment fails for any reason, the deployment is canceled and the object remains in the Pending Deployment state.
You now have the option to identify and deploy associated items.
5
Enable the Identify associated items option to see a list of all associated pending deployment items that you have Read access to.
Any items that you do not have access to and can therefore not deploy, will display in grayed out text.
6
Enable the Deploy associated items option to deploy the associated items.
* 
NOTE: You must have been delegated the Deploy right on the associated items to deploy them.
NOTE: If this is a scheduled deployment, all associated objects in a pending deployment state will be deployed even if the scheduling user does not has the rights to deploy them. In this case, the service account will be doing the deployment and it will have the required rights to all objects.
To deploy an approved GPO using the GPMC Extension

You can only deploy GPOs using the GPMC Extension. To deploy SOMs or WMI filters, use the GPOADmin console.

1
Select the approved GPO and click Workflow | Deploy.
2
Enter a comment.
3
Select the deployment time frame, including a time zone if required, and click OK.
To reschedule a deployment using the GPOADmin console
1
Right-click the required controlled object and select Deploy.
2
Select the date and time, select an appropriate time zone if required, enter a comment, and click OK.
To reschedule a deployment using the GPMC Extension:
1
Select the GPO and click Workflow | Deploy.
2
Select the date and time, select an appropriate time zone if required, enter a comment, and click OK.
To cancel a deployment using the GPOADmin console
Right-click an object in the Pending Deployment state and choose Cancel Deployment.
Right-click an object in the Pending Deployment state and choose Deploy. Select Cancel pending deployment.
To cancel a deployment using the GPMC Extension
Select the GPO in the Pending Deployment state and click Workflow | Cancel Deployment.
Select the GPO in the Pending Deployment state and click Workflow | Deploy, then select Cancel pending deployment.

Checking compliance

GPOADmin provides two options to determine if an object has been changed outside the scope of the system in the live enterprise environment. You can manually check any object for compliance (GPOs, Scopes of Management, scripts, DSC scripts, Intune objects, and WMI filters), and you can let the GPOADmin Watcher Service detect unauthorized modifications to objects. For more information on configuring the Watcher service, see the GPOADmin Quick Start Guide.

If you are running the Watcher Service, non compliant objects are automatically flagged with a yellow exclamation point, regardless of their status.

* 
NOTE: To ensure that you are notified immediately of non compliant objects, ensure that the Watcher Service is running.
NOTE: You can view a list of all objects that have been flagged as non compliant in the Unauthorized Modifications Search Folder in the GPOADmin console.
NOTE: When the Watcher Service detects a non compliant object under version control, it creates a backup of the change and increases the minor version number by one. If the non compliant object is workflow disabled, it creates a backup of the change and increases the major version number by one. For details on enabling or disabling workflow, see Enabling/disabling workflow .
NOTE: DSC scripts are not monitored by the Watcher Service.

If a delta is determined between the last historical backup and the live object, a user with the appropriate permissions will be able to either:

Roll back: Restore the object in the live environment from the most current backup found in the system to overwrite the unauthorized live change.
Roll back with Links: Restore a Group Policy Object in the live environment from the most current backup, including its links to Scopes of Management, and overwrite the unauthorized live change.
* 
IMPORTANT: If the GPO has lineage enabled, during a rollback the GPO lineage takes precedence. To see if lineage has been enabled and a hierarchal overview of the applied lineage, view the GPO properties.

For more information see, Validating GPOs .
You can also roll back links from a different history version. For information, see Restoring links to a previous version .
Incorporate Live: Accept the live changes as being authorized and more up-to-date than what is currently already in the system. This will automatically back up those changes into the system and increment the version number of the backup to the next major number.
Leave the live object alone in its noncompliant state.
* 
NOTE: If the change to the live environment occurs while the GPO is checked out, when you check it in you can choose which version of the GPO to accept.

If an object has been deleted in the live environment, a user with the appropriate permissions will be able to:
Restore the object in the live environment
Restore a Group Policy Object in the live environment and restore its links to Scopes of Management.
Unregister the object from the Version Control system
* 
NOTE: If a SOM has been deleted, you will only have the option to Unregister.
To check if any registered objects have been changed since their last backup
1
Right-click the required object in the Available state and select Check Compliance.
2
Right-click the Version Control Root node or subcontainer, and select Check Compliance.
* 
NOTE: If you are using the GPMC Extension you can select the GPO and click Workflow | Check Compliance.
3
Click Next to run the compliance check.
The objects that are not compliant are displayed.
4
Select the required course of action by clicking in the Action field to open the list of options, and click Next.
5
If you are restoring GPO links, select the More (...) button to see the details of the links you will be restoring.
In the Restore Links box, you can review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
6
Click OK save the Restore Links settings.
7
Click Finish.
At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
* 
NOTE: If you attempt to deploy a noncompliant compliant GPO, you have the option of running the Compliance Wizard or proceeding with the deployment.
To make a flagged GPO compliant
1
Right-click the noncompliant GPO and choose one of the following
Incorporate Live
Rollback
If you choose Incorporate Live, you cannot restore links.
2
Enter a comment and click OK.
3
Select the Restore GPO Links option in the Comment box.
4
In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.
5
Click OK save the Restore Links settings.
At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
To restore a deleted GPO with links

When a Group Policy Object is deleted in the live environment, its status shows as Noncompliant - Deleted in GPOADmin.

1
Right-click the noncompliant GPO and select Restore.
2
Select the Restore GPO Links option in the Comment box.
3
In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.
4
Click OK save the Restore Links settings. At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
To exclude security modifications on Scopes of Management from the watcher service

If needed, you can use a registry key to prevent the watcher service from flagging a Scope of Management as non-compliant when modifying the security outside of GPAODmin.

If you select to enable this, you need to redeploy all registered scopes of management to ensure that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as non-compliant.

1
Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
2
Set this to the same value on all GPOADmin service hosts and the watcher service host that share a common configuration store.
GPOADmin service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\VCConfig
Watcher service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\WatcherConfig
* 
NOTE: You will see the following event in the GPOADmin event log if the ExcludeSOMSecurityFromHash is set to 1: The Scope of Management '<distinguished name of the scope of management>' has been brought back into compliance.

This is a standard message displayed by the Watcher service when a change is made to a registered object. In this case, the compliance is not affected because the metadata for the live and stored objects has not been changed.

Editing objects
Editing GPOs
Editing Intune objects (configuration profiles and compliance policies)
Editing WMI filters
Editing scripts
Linking GPOs

Editing GPOs

Editing GPOs

Once you have a GPO checked out, you can edit its settings within the Group Policy Editor, create security and WMI filters, and enable/disable computer and user settings.

* 
NOTE: The editor will first attempt to be launched as the user logged into GPOADmin. If that fails, you need to select to Run As and specify credentials of a user who has access to GPMC.

Because you can only link GPOs to sites, domains, and OUs, setting up security filters helps you to refine the application of GPO settings to a group, user, or computer.

* 
NOTE: The users and computers that you select while setting up security filtering must have both Read and Apply Group Policy (AGP) permissions on the GPO.

When you check out a GPO, the changes you make are to a copy of the live GPO. The changes that you make do not affect the GPO settings in the enterprise until it is approved and deployed.

See also Removing persistent registry settings.To edit GPO settings
1
Right-click a checked out GPO, and select Edit.
2
Click Launch Editor, make the required changes, and close the Group Policy Editor.
When you register GPOs, the GPO status (Enabled/Disabled Computer and User settings) will be maintained. However, if required, you can also easily change these settings from within the Version Control system.
3
Select or clear the user and computer setting options as required.
4
If required, select the Security tab and click Add, enter or search for the required user, computer, or group, and click OK.
To change the current security filters, select the required entry, and click Remove.
5
Click the Advanced button to select advanced permissions.
* 
NOTE: This option will only be available to those with the Administrator role or users who have been assigned both the Modify Security Filter and Modify System-Provided Security rights.
6
To link the GPO to a pre-existing WMI filter in the domain, select the WMI Filter tab and choose the filter from the list.
* 
NOTE: You will only see the filters you have permission to access.
Upon approval the link will be added to the GPO.
To remove any existing WMI filtering select None.
If the GPO was previously linked to a WMI filter, the GPO will be unlinked from the filter upon approval.
7
Click OK.
You now have the option to check in the GPO to be stored for later use or check in and request approval of the changes. See Checking in controlled objects and Requesting approval for more information.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación