Tchater maintenant avec le support
Tchattez avec un ingénieur du support

GPOADmin 5.16 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root) Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Withdrawing approval

Before the final approval has been made and the changes have been deployed, any approver has the right to withdraw their approval. When any approval is withdrawn, the process begins again from the start.

Approving and rejecting edits

Once an object has been checked in and the Approver has been notified that the offline changes are ready for approval, the changes are either approved or rejected.

* 
NOTE: Before the approval of a change takes effect, the Version Control system detects if an object was changed unknowingly or outside the scope of the system and prompts the approver with the appropriate action to take. They can choose to overwrite the object or leave it as is.
 
Table 15. Approving Changes
If the changes are approved and deployed
If the changes are rejected
The settings are applied to the live object and its major version number is incremented. (For example, v2.0)
The settings from the offline object are applied to the live object.
The next time a check out occurs, the process repeats of creating a new offline copy of the live group policy object.
Nothing happens and the status is set back to an available state so it can be checked out again.
NOTE: If the changes are only approved but not deployed, their status is changed to Pending Deployment and those GPOs can be seen in the Pending Deployment search folder.
To approve edits in the GPOADmin console
1
Expand the Version Control Root node, and the required container.
2
Right-click a controlled object in the Pending Approval state, and select Approve.
3
Enter a comment and click OK.
If you have the required permission, you can deploy the updates to the enterprise at this time. If not, the object will be set to the Pending Deployment state. For information on deploying objects, see Deploying objects (scheduling and associated items) .
To approve edits in the GPMC Extension
1
Click the GPO in the Pending Approval state, and click Workflow | Approve.
2
Enter a comment and click OK.
To approve or reject edits through email
1
If this option has been configured by the administrator (see Configuring the Version Control server), approvers will receive an email with the subject line “Approval Request Notification”.
The email contains a Settings report that you can review before making your decision.
2
Click to Approve or Reject and enter a comment as the body of the new email message to perform the selected action for the requested changes.
To reject edits in the GPOADmin console
1
Expand the Version Control Root node, and the required container.
2
Right-click a controlled object in the Pending Approval state, and select Reject.
3
Enter a comment, and click OK.
To reject edits in the GPMC Extension
1
Right-click the GPO in the Pending Approval state, and click Workflow | Reject.
2
Enter a comment, and click OK.

Deploying objects (scheduling and associated items)

Deploying changes within the system is a critical process that affects the live environment. To minimize the impact of disruption, this process should be done during a time period when the impact to users is minimal as the changes may alter the behavior of particular systems.

To reduce any issues, you can schedule the deployment of the changes for a specific date and time that best suits your needs. You can also schedule a deployment based on a different time zone, for example if the client is not in the same time zone as the server and you want to deploy based on the client’s time zone.

If you have multiple approvers:
Scheduling will only be available during the final approval and deployment.
If the scheduled approval fails due to non-compliance or for any other reason, the Deployer will be notified.
Only the Deployer can cancel the scheduled deployment.
* 
NOTE: Before you deploy a GPO, ensure that it is not cloaked. If you deploy a cloaked GPO, and then later deploy it uncloaked, it will be flagged as noncompliant.

During the deployment of an object, you have the option to identify and deploy any associated items (in the pending deployment state). When the associated objects are deployed they are subject to all regular compliance checks (including security checks).

* 
NOTE: This availability of the associated items option must be configured on the server by the administrator. For details, Configuring the Version Control server.
To deploy an approved object using the GPOADmin console
1
Expand the Version Control Root node, and the required container.
2
Right-click an object in the Approved state, and select Deploy.
3
Enter a comment.
4
Select the deployment time frame.
You have the option to deploy the changes immediately or at a specified time.
* 
NOTE: To synchronize during an immediate deployment (a non-scheduled deployment), the user deploying the GPO must have the Synchronize right.
If you select Schedule deployment for a later date, set the date and time, select an appropriate time zone if required, enter a comment, and click OK.
After you have scheduled a time, a clock icon appears beside the object and the Deployment Time column reflects the scheduled deployment.
* 
NOTE: If a scheduled deployment fails for any reason, the deployment is canceled and the object remains in the Pending Deployment state.
You now have the option to identify and deploy associated items.
5
Enable the Identify associated items option to see a list of all associated pending deployment items that you have Read access to.
Any items that you do not have access to and can therefore not deploy, will display in grayed out text.
6
Enable the Deploy associated items option to deploy the associated items.
* 
NOTE: You must have been delegated the Deploy right on the associated items to deploy them.
NOTE: If this is a scheduled deployment, all associated objects in a pending deployment state will be deployed even if the scheduling user does not has the rights to deploy them. In this case, the service account will be doing the deployment and it will have the required rights to all objects.
To deploy an approved GPO using the GPMC Extension

You can only deploy GPOs using the GPMC Extension. To deploy SOMs or WMI filters, use the GPOADmin console.

1
Select the approved GPO and click Workflow | Deploy.
2
Enter a comment.
3
Select the deployment time frame, including a time zone if required, and click OK.
To reschedule a deployment using the GPOADmin console
1
Right-click the required controlled object and select Deploy.
2
Select the date and time, select an appropriate time zone if required, enter a comment, and click OK.
To reschedule a deployment using the GPMC Extension:
1
Select the GPO and click Workflow | Deploy.
2
Select the date and time, select an appropriate time zone if required, enter a comment, and click OK.
To cancel a deployment using the GPOADmin console
Right-click an object in the Pending Deployment state and choose Cancel Deployment.
Right-click an object in the Pending Deployment state and choose Deploy. Select Cancel pending deployment.
To cancel a deployment using the GPMC Extension
Select the GPO in the Pending Deployment state and click Workflow | Cancel Deployment.
Select the GPO in the Pending Deployment state and click Workflow | Deploy, then select Cancel pending deployment.

Checking compliance

GPOADmin provides two options to determine if an object has been changed outside the scope of the system in the live enterprise environment. You can manually check any object for compliance (GPOs, Scopes of Management, scripts, DSC scripts, configuration profiles, and WMI filters), and you can let the GPOADmin Watcher Service detect unauthorized modifications to objects. For more information on configuring the Watcher service, see the GPOADmin Quick Start Guide.

If you are running the Watcher Service, non compliant objects are automatically flagged with a yellow exclamation point, regardless of their status.

* 
NOTE: To ensure that you are notified immediately of non compliant objects, ensure that the Watcher Service is running.
NOTE: You can view a list of all objects that have been flagged as non compliant in the Unauthorized Modifications Search Folder in the GPOADmin console.
NOTE: When the Watcher Service detects a non compliant object under version control, it creates a backup of the change and increases the minor version number by one. If the non compliant object is workflow disabled, it creates a backup of the change and increases the major version number by one. For details on enabling or disabling workflow, see Enabling/disabling workflow .
NOTE: DSC scripts are not monitored by the Watcher Service.

If a delta is determined between the last historical backup and the live object, a user with the appropriate permissions will be able to either:

Roll back: Restore the object in the live environment from the most current backup found in the system to overwrite the unauthorized live change.
Roll back with Links: Restore a Group Policy Object in the live environment from the most current backup, including its links to Scopes of Management, and overwrite the unauthorized live change.
* 
IMPORTANT: If the GPO has lineage enabled, during a rollback the GPO lineage takes precedence. To see if lineage has been enabled and a hierarchal overview of the applied lineage, view the GPO properties.

For more information see, Validating GPOs .
You can also roll back links from a different history version. For information, see Restoring links to a previous version .
Incorporate Live: Accept the live changes as being authorized and more up-to-date than what is currently already in the system. This will automatically back up those changes into the system and increment the version number of the backup to the next major number.
Leave the live object alone in its noncompliant state.
* 
NOTE: If the change to the live environment occurs while the GPO is checked out, when you check it in you can choose which version of the GPO to accept.

If an object has been deleted in the live environment, a user with the appropriate permissions will be able to:
Restore the object in the live environment
Restore a Group Policy Object in the live environment and restore its links to Scopes of Management.
Unregister the object from the Version Control system
* 
NOTE: If a SOM has been deleted, you will only have the option to Unregister.
To check if any registered objects have been changed since their last backup
1
Right-click the required object in the Available state and select Check Compliance.
2
Right-click the Version Control Root node or subcontainer, and select Check Compliance.
* 
NOTE: If you are using the GPMC Extension you can select the GPO and click Workflow | Check Compliance.
3
Click Next to run the compliance check.
The objects that are not compliant are displayed.
4
Select the required course of action by clicking in the Action field to open the list of options, and click Next.
5
If you are restoring GPO links, select the More (...) button to see the details of the links you will be restoring.
In the Restore Links box, you can review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
6
Click OK save the Restore Links settings.
7
Click Finish.
At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
* 
NOTE: If you attempt to deploy a noncompliant compliant GPO, you have the option of running the Compliance Wizard or proceeding with the deployment.
To make a flagged GPO compliant
1
Right-click the noncompliant GPO and choose one of the following
Incorporate Live
Rollback
If you choose Incorporate Live, you cannot restore links.
2
Enter a comment and click OK.
3
Select the Restore GPO Links option in the Comment box.
4
In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.
5
Click OK save the Restore Links settings.
At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
To restore a deleted GPO with links

When a Group Policy Object is deleted in the live environment, its status shows as Noncompliant - Deleted in GPOADmin.

1
Right-click the noncompliant GPO and select Restore.
2
Select the Restore GPO Links option in the Comment box.
3
In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.
4
Click OK save the Restore Links settings. At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
To exclude security modifications on Scopes of Management from the watcher service

If needed, you can use a registry key to prevent the watcher service from flagging a Scope of Management as non-compliant when modifying the security outside of GPAODmin.

If you select to enable this, you need to redeploy all registered scopes of management to ensure that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as non-compliant.

1
Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
2
Set this to the same value on all GPOADmin service hosts and the watcher service host that share a common configuration store.
GPOADmin service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\VCConfig
Watcher service key location: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\WatcherConfig
* 
NOTE: You will see the following event in the GPOADmin event log if the ExcludeSOMSecurityFromHash is set to 1: The Scope of Management '<distinguished name of the scope of management>' has been brought back into compliance.

This is a standard message displayed by the Watcher service when a change is made to a registered object. In this case, the compliance is not affected because the metadata for the live and stored objects has not been changed.
Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation