Chatee ahora con Soporte
Chat con el soporte

GPOADmin 5.18 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Root container assignment

If necessary, the GPOADmin administrator can assign a specific container as a user’s or group’s “Root Container”. When the user or group member logs in they will only have access to the container they have been assigned, rather than the default "Version Control Root". This allows for the administration of containers and sub containers to be assigned to specific users or groups without those users being able to access or change managed objects in any other containers.

This assignment is also valid for the PowerShell commands and the GPOADmin snap-in for GPMC.

2
Select the Root Container Assignment tab and assign the users or groups who are going to see this as their Root Container.

Restricting GPO management for specific domains

If necessary, you can restrict access to domains to ensure that only specified individuals or groups can view, register, create, and report on items in a domain. You can fine-tune the level of available management based on the level of security.

By default, the Domain Users group is assigned all domain rights to their corresponding domain. To take advantage of the new level of security, you must remove Domain Users and assign rights as appropriate.

1
Expand the Live Environment, right-click the required domain, and select Properties.

Read

A base right that you must apply as it is used with other rights.

This right works with, but does not replace, the delegated custom user Read right that controls whether users and groups can see a version control container’s contents.

Register

Apply this right to users and groups that are assigned the Domain Read right to allow them to register/unregister objects from the selected domain.

This right works with, but does not replace, the delegated custom user Register and Unregister rights that controls whether a user can register objects into a specific version control container or unregister objects.

Create Group Policy Objects

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Group Policy Objects in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create WMI Filters

Apply this right to users and groups that are assigned the Domain Read right to enable them to create WMI Filters in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Scripts (Logon/Logoff Startup/Shutdown)

 

Apply this right to users and groups that are assigned the Domain Read right to enable them to create a script in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Desired State Configuration Scripts

Apply this right to users and groups that are assigned the Domain Read right to enable them to create Desired State Configuration scripts in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Report

Apply this right to users and groups that are assigned the Domain Read right to enable them to report on objects within the selected domain.

Once applied, they will only see the "Live" report option for objects which exist in the associated domain and only the domains for which the user has this right is displayed in the report wizard.

This right works with, but does not replace, the delegated custom user Run Reports right that controls whether a user can run the “New Report” wizard, and the Run Contextual Reports right which controls whether a user can run the “Live”, “Working Copy”, “Latest”, and “Difference” from the context menu.

Create Starter GPO

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Starter GPOsin the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Configuring role-based delegation

NOTE:  

GPOADmin Administrators can create custom roles that can be applied to specific users to allow them to perform certain functions within the Version Control system. For more information about users with permissions to create roles see Configuring the Version Control server .

When building custom roles, keep in mind the rights must also have the dependent permissions assigned.

Block Inheritance for SOM links

Read and Edit

Block Notification Inheritance

Read

Cloak / Uncloak

Read

Compliance Action

Read

Create

Read and Edit

Delegate Security

Read

Delete

Read

Delete links outside of workflow

Read, Edit, Link and Deploy (User must be the sole approver on linked Scopes of Management)

Deploy

Read

Edit

Read

Edit Linage

Read

Enable/Disable Approvals

Read

Enable / Disable Workflow

Read

Export

Read

Label

Read

List Folders

None

Link

Read and Edit (For managed Scopes of Management)

Lock / Unlock

Read

Modify Approval Workflow

Read

Modify Keywords

Read

Modify Change Window

Read

Modify Link Properties

Read and Edit (For managed Scopes of Management)

Modify Managed By

Read

Modify System-Provided Security Right

Read, Edit and Modify Security Filter

Modify Security Filter

Read and Edit

Move

Read

Read

None

Register

Read

Reject Change

Read

Request Approval

Read

Run Contextual Reports

Read

Run Reports

Read

Set Notifications

Read

Set Remediation Rules

Read

Synchronize

Read

Undo Check-out

Read

Unregister

Read

Unregister and Remove History

Read

View Cloaked

Read

Create Subcontainers

Read

Delegate Container Security

Read

Delete Container

Read

Rename Container

Read

Block Protected Settings Inheritance

Read and Modify Protected Settings Assignments

Export Group Policy Objects as Protected Settings Policies

Read and Register (On the target Protected Settings Container)

Modify Protected Settings

Read

Modify Protected Settings Assignments

Read

Modify Protected Settings Exclusions

Read

Modify Intune Assignments

Read

See also:

 

System Administrator

System Administrators can perform any action in the Version Control system.

Version Controlled Object Rights include:

 

 

System Administrator (continued)

Version Control Container Rights include:

Protected Settings Rights include:

Moderator

Moderator (Moderators can perform every action a user can, plus undoing check outs from other users and running the compliance wizard.) They can also:

User

User (Users can perform all the basic actions of the Version Control system, such as check in, check out, edit.) They can also:

Creating roles

You can easily create roles with any of the customized rights.

2
Select Delegation | Roles.
3
Click Add New Role.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación