サポートと今すぐチャット
サポートとのチャット

GPOADmin 5.17 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Editing the Version Control server configuration store

Users logged on with an account that is a member of the GPOADmin administrators group can edit the type of configuration store.

To edit the configuration store
1
Right-click the forest, and select Re-configure Version Control server.
2
In the Select a Configuration Store dialog, select Active Directory, AD LDS, or SQL Server for your configuration storage location.
* 
NOTE: Configuration Store Selection

The best practice is to use AD LDS as the configuration store. However, in large environments, SQL server is the recommended option. Quest uses the following criteria to define large environments:

Domains with more than 500 registered objects that run searches on a regular basis.
More than 500 registered containers.
Containers with objects nested more than 3 levels deep.

These are guidelines and should not be considered as an exhaustive list.

a
If you select Active Directory, select the Domain Controller (DC) to be the Version Control server, and click Next.
Any DC in any domain of the selected forest can be specified as the primary version control server. This server can be thought of as another FSMO role in the Microsoft sense (such as Schema master, PDC Emulator, and RID master).
GPOADmin is a directory-enabled application and all its application information is stored in the configuration container of Active Directory. Because of how the information is stored, all information is automatically replicated to all other DCs. However, the primary version control server is the authoritative source for all version control actions. If it goes offline, users cannot perform actions such as check-in a desired group policy object change until the problem has been rectified.
b
If you select AD LDS, enter the NetBIOS name of the computer you are installing to and the port number in the format: server_name:port, and click Next.
For example, gpoadmin_svr: 389.
* 
NOTE: The username/port/server (but not password) will be cached, so the next time you open the console you will not need to enter this information.
c
If you select SQL Server, choose the required SQL server, enter a name for the database, select the authentication method to access the server, and click Next.
* 
NOTE: See the Release Notes for supported SQL Server versions. (Supported version include 2012, 2012R2, 2014, 2016, 2017 and 2019.)
* 
NOTE: To protect your environment from a SQL Injection attack, you can mark which SQL statement inputs are not permitted. See Editing the Version Control server properties. By default, all of the inputs are marked as not permitted.

If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities.
To connect as the current user, select NT Authentication.
To connect using SQL credentials, select SQL Authentication and enter the user name and password.
3
Click through the rest of the Service Configuration Wizard and click Finish.

Replacing the Version Control server configuration settings

In some cases, you may want to keep the majority of the Version Control server settings the same throughout the deployment and have only select settings unique for each server.

If this is the case, you can copy the settings from an existing sever and then update where required rather than having to enter all the settings required during a reconfiguration.

To edit the Version Control configuration using another servers settings
1
Right-click the forest, and select Copy Server Configuration.
2
Select the server configuration that you want to copy and click OK.
3
Right-click the forest, and select Options to update where required.

Migrating from AD/AD LDS to a SQL configuration store

A configuration utility (GPOADmin.ConfigMig.exe) is available in the GPOADmin install directory that allows you to migrate the configuration store to SQL from an AD/AD LDS. You can migrate all objects or specify users, custom folders, keywords, email templates, roles, domains, containers, version control items, scheduled deployments, synchronization targets and synchronization results data as required.

* 
NOTE:  
The Migration utility migrates configuration store data; it does not migrate backups. To ensure the migration completes without issue, we recommend that you continue to use the same backup store.
To ensure the configuration utility is running against the latest version of GPOADmin, login and configure for the existing AD/AD LDS configuration store prior to migrating to SQL. This also ensures that AD/AD LDS configuration store is up-to-date and reduces possible migration issues.

The output from the configuration utility is written to the screen as well as to a Migration.txt file located in the install directory.

* 
IMPORTANT: The configuration utility must be:
Run on the GPOADmin server host computer.
Run as an account that has access to the AD/AD LDS configuration store and the new SQL database. In most cases this will be the service account.
Pointed to a GPOADmin 5.14 or above configuration storage location.
After the migration, you need to restart the Watcher Service so that it will use the correct configuration store.

Before running the configuration utility, you need to configure the version control server to use SQL as the configuration store. See Editing the Version Control server configuration store to change the storage from AD/AD LDS to SQL.

SQL Injection inserts malicious code into SQL statements which can lead to security vulnerabilities. To protect your environment from a SQL Injection attack, you can mark SQL statement inputs that are not permitted. See Editing the Version Control server properties. By default, we have marked the following inputs as not permitted. If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities:

Table 8. SQL inputs
Input
Description

:

Denotes the end of a SQL query. Allowing this character can permit malicious queries to be included in user input.

--

All trailing input is interpreted as a comment until the new line character.

/*

The character combination used to denote the start of a block comment. All trailing input is interpreted as a comment until the comment end delimiter.

*/

The character combination used to denote the end of a block comment. Input between the comment start delimiter and the comment end delimiter is interpreted as a comment.

xp_

Extended procedures are routines residing in DLLs that function similarly to regular stored procedures. The extended stored procedure function is run under the security context of Microsoft SQL Server.

\AUX

Generally, the AUX port on a PC is computer port 1 (COM1), which is the first serial port with a preconfigured assignment for serial devices. File paths can be constructed using this input.

\CLOCK$

The system clock. File paths can be constructed using this input.

\COM1

The first Communications port. File paths can be constructed using this input.

\COM2

The second Communications port. File paths can be constructed using this input.

\COM3

The third Communications port. File paths can be constructed using this input.

\COM4

The forth Communications port. File paths can be constructed using this input.

\COM5

The fifth Communications port. File paths can be constructed using this input.

\COM6

The sixth Communications port. File paths can be constructed using this input.

\COM7

The seventh Communications port. File paths can be constructed using this input.

\COM8

The eighth Communications port. File paths can be constructed using this input.

\CON

A common device name for the keyboard and screen. File paths can be constructed using this input.

\CONFIG$

A configuration information file. File paths can be constructed using this input.

\LPT1

The first line print terminal. File paths can be constructed using this input.

\LPT2

The second line print terminal. File paths can be constructed using this input.

\LPT3

The third line print terminal. File paths can be constructed using this input.

\LPT4

The fourth line print terminal. File paths can be constructed using this input.

\LPT5

The fifth line print terminal. File paths can be constructed using this input.

\LPT6

The sixth line print terminal. File paths can be constructed using this input.

\LPT7

The seventh line print terminal. File paths can be constructed using this input.

\LPT8

The eighth line print terminal. File paths can be constructed using this input.

\NUL

The NUL port. File paths can be constructed using this input.

\PRN

The DOS name for the first connected parallel port. File paths can be constructed using this input.

 

Before migrating the configuration store, Quest suggests that you test the migration to ensure that all objects migrate according to your specifications. To validate the migration, run the command with the /t option. This gathers all the information that will be committed to the SQL database but does not commit any changes.

To run the configuration utility:
From a command prompt, browse to and run Program Files\Quest\GPOAdmin>GPOADmin.ConfigMig.exe “FQDN of the AD/AD LDS server hosting the source configuration store.”
The following switches and options are available: (If none are specified, all objects are migrated.)
O = Service Options
U = Users
F = Custom Search Folders
K = Keywords
E = Email Templates
R = Roles
D = Domains
C = Version Control Containers
I = Version Control Items
S = Scheduled Deployments
T = Synchronization Targets
Y = Synchronization Results
/T = Testing only. Validates the object data from the source configuration store. Nothing is written to the database.
/H:<GPOADmin Host>] = The FQDN of the source GPOADmin host (Used to migrate Service Options stored in the registry)
/S:<domain\account> = The GPOADmin service account name. If not specified, the current user account is used.
/R = Re-migrate items. Items are logged to their own log file in a timestamped directory based on when the migration was started. It is located in the Configuration Migration folder of the installation directory. The file name is a combination of the item name and its Version Control Id.
/G = Grant the specified service account access.

Changing the Service Account

Changing the Service Account

To change the GPOADmin service account in an existing deployment, consider the following:
Existing live GPOs
Must have their ownership and delegation updated with the new service account. You can update the service account by running the GPOADmin.AddServiceAccountToAllGPOs PowerShell script found in the Scripts folder of the GPOADmin install directory.
Existing registered GPO backups
The Watcher service may detect and report GPOs as non-compliant because they contain the previous service account as the owner and as a delegate with the edit settings, delete, and modify security Group Policy Management Console permissions. To prevent this, stop the Watcher service monitoring the forest before changing the service account. Note: Running a manual compliance check by right-clicking the object and selecting to Check Compliance will also report GPOs as non-compliant.

To bring GPOs back into compliance complete the one of the following:
GPOs with a major version less than 1.0 should be copied and deployed. This corrects the security and ownership to reflect the new service account. Once the copied GPO has been successfully deployed, delete the original.
GPOs with any version greater than 1.0, when deployed, display a message indicating the policy is not compliant. This is expected behavior since the owner and delegation for the GPO have changed. The deployment can proceed; however, the security on the policy template in SYSVOL may become "out of sync". To address this, locate the policy in question in GPMC and select the service account from the Delegation tab. Right-click and select Edit settings and OK. Right-click again and select Edit settings, delete, modify security and OK.
To ensure that service account has proper access to any registered policies, we recommend that you enable the "Ensure service account access prior to deployment" option within GPOADmin.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択