Introducing Quest GPOADmin
Configuring GPOADmin
Configuring the Version Control server
Setting permissions on AD LDS
Setting permissions when using SQL as the configuration store
Port requirements
Editing the Version Control server properties
Editing the Version Control server configuration store
Replacing the Version Control server configuration settings
Migrating from AD/AD LDS to a SQL configuration store
Changing the Service Account
Root container assignment
Restricting GPO management for specific domains
Configuring role-based delegation
Restricting access to objects
Adding notifications for users
Selecting events on which to be notified
Restricting inheritance on notifications
Creating email templates
Working with Protected Settings policies
Using GPOADmin
Rights and role for Protected Settings for GPOs
Create a Protected Settings policy
Protecting policy settings based on extensions
Generating Protected Settings policies reports
Using Protected Settings policies
Checking a GPO against a Protected Settings policies and blocked extensions
Validating a GPO against a Protected Settings policies and blocked extensions before a check-in
Connecting to the Version Control system
Navigating the GPOADmin console
Search folders
Accessing the GPMC extension
Configuring user preferences
Working with the live environment
Working with controlled objects (version control root)
Creating Reports
Creating a custom container hierarchy
Selecting security, levels of approval, and notification options
Viewing the differences between objects
Copying/pasting objects
Proposing the creation of controlled objects
Checking compliance
Editing objects
Synchronizing GPOs
Exporting and importing
Creating Group Policy Objects (GPOs)
Creating starter GPOs
Creating WMI filters
Creating scripts
Creating Desired State Configuration (DSC) PowerShell scripts
Merging GPOs
Restoring an object to a previous version
Restoring links to a previous version
Managing your links with search and replace
Linking GPOs to multiple Scopes of Management
Managing compliance issues automatically with remediation rules
Validating GPOs
Managing GPO revisions with lineage
Setting when users can modify objects
Working with registered objects
Creating labels
Cloaking a GPO
Locking a GPO
Establishing Management for an Object
Viewing history
Deleting version history
Clearing account names in version history
Viewing and editing object properties
Creating a report
Working with available objects
Enabling/disabling workflow
Checking out objects
Requesting the deletion of an object
Unregistering GPOs and removing history
Requesting approval
Working with checked out objects
Working with objects pending approval and deployment
Available reports
Appendix: Windows PowerShell Commands
Controlled object reports
Exporting registry settings
Working with report folders
Settings Report
Difference Report
Group Policy Comparison Report
History Report
Group Policy Object Settings Search Report
User Activity Report
Role Assignment Report
All Actions Report
Compliance Report
Change Auditor Report
Change Auditor Working Copies Report
Deployment Report
Protected Settings Assignment Report
Creating Controlled Object Reports
Diagnostic and troubleshooting reports
Group Policy Object Consistency Report
Software Installation Package Report
Linked/Unlinked Report
Linked/Unlinked SOMs Report
Inactive Policy Settings Report
Group Policy Object Security Report
Policy Analysis Report
GPO Synchronization Report
Group Policy Results
Group Policy Results Difference Report
Group Policy Modeling Report
Creating Diagnostic and Troubleshooting Reports
Live, working copy, latest version, and differences reports
Historical Settings Reports
Introduction
GPOADmin scripts
Available commands
Using the GPOADmin PowerShell commands (Examples)
Appendix: GPOADmin Event Log
Appendix: GPOADmin Backup and Recovery Procedures
Appendix: Customizing your workflow
Loading the GPOADmin modules
Extracting help for GPOADmin commands
Managing objects
Get information on all GPOs
Get information for all managed objects
Get unregistered objects
Register an object
Check out an object
Check in an object
Undo the check out of an object
Request approval for changes
Withdraw an approval request
Approve changes
Reject changes
Withdraw approval on an object
Deploy an object
Deploy an object at a future time and date
Check for pending deployments
Cancel pending deployment
Gathering object and GPOADmin information
Identify which objects are checked out
Identify which objects are checked out to me
What are the properties of an object
What objects are available
What objects are checked out
Utility commands
Gather GPOADmin license information
Install a GPOADmin license
Get logging options
Set logging options
Get notifications
Set notifications on objects
Administrative commands
Approval workflow information
Set the approval workflow
Identify user accounts
Identify user roles
Modify a role
Add a role
Get an object's security
Set an object's security
Overwrite a GPOs security filter
Protected Settings commands
What is a custom workflow action?
Working with custom workflow actions in the Version Control system
Working with the custom workflow actions xml file
Troubleshooting custom workflow actions
Appendix: GPOADmin Silent Installation Commands
Installing GPOADmin with msiexec.exe
Appendix: Configuring Gmail for Notifications
Appendix: Registering GPOADmin for Office 365 Exchange Online
Appendix: GPOADmin with SQL Replication
About Us
All components (Complete GPOADmin installation)
Client and components
Server and client
Client only
Client and PowerShell provider (Client Only button on Installation dialog)
PowerShell provider only
Watcher Service
Watcher Service on localhost
Watcher Service on another computer
Watcher Service and GPMC Extension on another computer
Watcher Service and Client only on another computer
Watcher Service, Client, and GPMC Extension on another computer
GPMC Extension
Setting permissions on AD LDS
To use GPOADmin with an AD LDS deployment, users must be assigned the Administrators role.
|
3 |
Setting permissions when using SQL as the configuration store
Perform the following after installing GPOADmin and before configuring the GPOADmin server.
|
a |
In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O). |
|
b |
In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied. |
|
d |
|
a |
Create a new query by pressing the New Query button. |
|
b |
Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database. |
|
c |
On the next line, type EXEC InitializeDatabase. |
|
d |
|
a |
|
b |
|
c |
On the General page, enter the name of the service account in the Login name field. |
|
e |
Set the Default database property to the name of your GPOADmin database. |
|
f |
On the Server Roles page, check the public server role. |
|
g |
On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public. |
|
h |
Click OK to close the properties page. |
Port requirements
The following ports must be open for the application to function correctly:
Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.
Between the client and the GPOADmin Server:
|
• |
Editing the Version Control server properties
|
1 |
|
2 |
Select Administrators and add and remove users who can connect to and alter the Version Control server-specific settings.
Select Users and add and remove users who can connect to the Version Control server, but can only perform those actions assigned by an administrator.
|
3 |
Backup store location: This option stores the backups in Active Directory if you selected it during the initial setup of GPOADmin as the storage method for your configuration.
AD LDS: This option stores the backups in Active Directory Lightweight Directory Services (AD LDS).
|
NOTE: To use the same AD LDS instance for both the configuration and backup store, select the “Configuration store location” option on the Backup location page. |
Network Share: Enter or browse to a network share or directory.
SQL Server: This option stores the backups in SQL Server. Enter the database name and the required authentication.
|
a |
To protect your environment from a SQL Injection attack, choose the SQL Input Filters option to specify which SQL statement inputs are not permitted within your deployment. By default, all of the inputs are marked as not permitted. |
|
b |
Choose the SQL Timeouts option to configure how long GPOADmin will wait to connect to the SQL server or to process a command. |
|
5 |
Select Desired State Configuration | Root directory to specify a DSC root directory for each domain that supports DSC scripts. This root directory serves as the starting point for the DSC script enumeration and deployment location. DSC scripts cannot be registered until this option is enabled. |
|
6 |
Select Scripts to set the file types that will be returned when enumerating Scripts in the live environment. Add and remove the file extensions as required and click OK. |
|
7 |
Select Delegation | Roles to create and edit roles that are used to delegate rights over the Version Control system. The built-in roles and descriptions are displayed. Add, edit, and delete roles as required. For complete information about creating and delegating roles, see Configuring role-based delegation . |
|
8 |
Select Notifications to configure email notifications on Version Controlled events. Notifications help you to stay informed of the latest changes to objects under version control and can be enabled for Exchange on-premises, Office 365 Exchange Online, and Gmail. |
|
Select Workflow to enable workflow approval through email, set the authentication method, and modify the mailbox and server information.
|
To use Exchange for notifications, select Basic Authentication and enter the account to use to connect to the mailbox and password. Enter the Exchange Server Url or select Autodiscover Exchange Server Url to locate the Exchange server that is hosting the specified mailbox.
To ensure that approvals are processed only by users who have the rights to do so, check the Enforce approver account validation option.
By default, GPOADmin uses the mailbox associated with the service account. If necessary, you can specify a different mailbox for the service to use when processing approvals and rejections through email. To do so, uncheck the Use the service accounts mailbox option and enter the mailbox that you want to the service to monitor. To connect as the service, leave the account blank and password blank.
To use Office 365 and Exchange Online for notifications, select OAuth 2.0 Authentication. Enter the mailbox. application Id, tenant Id, client secret key, and https://outlook.office365.com/ews/exchange.asmx as the Exchange Server Url.
(The application ID, tenant ID, and client secret key are set when you register GPOADmin to use Office 365 Exchange Online through Azure Active Directory. See Appendix: Registering GPOADmin for Office 365 Exchange Online.)
|
|
9 |
Select Logging | Configuration to enter the log location and the type of information you want to track. |
|
10 |
Select Options to configure various settings. |
Select General to configure the following options:
|
This enables the default link state for any new links added to a SOM. | |
|
Allow the service account to synchronize Group Policy Objects during deployment |
|
|
This ensures that GPOs and WMI filters cannot be created with the same name as an existing GPOs or WMI filter in a domain, select the Enforce Unique Names option. If a non-deployed GPO indicates that a duplicate name exists, run a full compliance check to determine if any GPOs were modified outside of GPOADmin. For more info see, Checking compliance . | |
|
This ensures that roles cannot be created with the same name as an existing role. | |
|
To allows users to link to unregistered Scopes of Management, select the Enable unregistered Scope of Management linking option. If this option is not selected, the policy and the SOM must be registered and the user linking the policy must have the Link right on both objects. | |
|
Display only the WMI Filters a user has Read access to when editing a GPO |
Users are restricted to only the WMI Filters they have Read access. |
|
This option must be enabled if you want users to be able to automatically deploy an object’s associated items. See Deploying objects (scheduling and associated items) . | |
|
Enable the identification of associated items during deployment |
|
|
Clicking the Launch Editor button starts the Custom Workflow Editor. | |
Select SQL Input Filters to view the allowed strings and characters for SQL statements.
Select Comments to enforce comments to all actions and naming conventions for newly created objects. Set a minimum comment length greater than 0. Leaving the value at 0 means comments are optional for all actions. Any value greater than zero makes comments mandatory for all actions and all users.
Select Deployment Failure to enable an automatic retry on failed deployments. Enable the option and select the number of attempts (maximum of 10) and the interval in minutes (maximum of 1440). Re-deployment attempts are done as scheduled deployments.
Select Preferred Domain Controllers and click Add to configure the domain controller that GPOADmin will use for all Active Directory actions. By default, GPOADmin uses the Primary Domain Controller.
Select Backups Retention to configure a retention schedule for backups. You can select to limit the backups to keep based on a specified number, age, or date. Backup retention settings apply to SQL configuration stores only.
|
11 |
Select License | Current License to view the current license information. |
|
12 |
Select Intune | Configuration to enable support for Intune and enter the information to connect to the required Azure Active Directory tenant. This includes the application ID, tenant ID, tenant name, and certificate for the tenant where Intune is installed. See the GPOADmin Quick Start Guide for minimum permission requirements. |
|
13 |
Select Integration to configure settings that apply to a Quest Change Auditor™ integration. |
|
14 |
Select Enable FIPS Mode. The Federal Information Processing Standards (FIPS) are government set guidelines and standards published by the National Institute of Standards and Technology. To run a Windows environment in FIPS compliant mode, the Microsoft Policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” must be enabled. |
Select Enable FIPS mode to ensures that GPOADmin uses cryptographic algorithms that are FIPS compliant.
Select Allow self-signed certificates when communicating with Exchange servers if required.