Introducing Quest GPOADmin
Configuring GPOADmin
Configuring the Version Control server
Setting permissions on AD LDS
Setting permissions when using SQL as the configuration store
Port requirements
Editing the Version Control server properties
Editing the Version Control server configuration store
Replacing the Version Control server configuration settings
Migrating from AD/AD LDS to a SQL configuration store
Changing the Service Account
Root container assignment
Restricting GPO management for specific domains
Configuring role-based delegation
Restricting access to objects
Adding notifications for users
Selecting events on which to be notified
Restricting inheritance on notifications
Creating email templates
Working with Protected Settings policies
Using GPOADmin
Rights and role for Protected Settings for GPOs
Create a Protected Settings policy
Protecting policy settings based on extensions
Generating Protected Settings policies reports
Using Protected Settings policies
Checking a GPO against a Protected Settings policies and blocked extensions
Validating a GPO against a Protected Settings policies and blocked extensions before a check-in
Connecting to the Version Control system
Navigating the GPOADmin console
Search folders
Accessing the GPMC extension
Configuring user preferences
Working with the live environment
Working with controlled objects (version control root)
Creating Reports
Creating a custom container hierarchy
Selecting security, levels of approval, and notification options
Viewing the differences between objects
Copying/pasting objects
Proposing the creation of controlled objects
Checking compliance
Editing objects
Creating Group Policy Objects (GPOs)
Creating starter GPOs
Creating WMI filters
Creating scripts
Creating Desired State Configuration (DSC) PowerShell scripts
Merging GPOs
Restoring an object to a previous version
Restoring links to a previous version
Managing your links with search and replace
Linking GPOs to multiple Scopes of Management
Managing compliance issues automatically with remediation rules
Validating GPOs
Managing GPO revisions with lineage
Setting when users can modify objects
Working with registered objects
Creating labels
Cloaking a GPO
Locking a GPO
Establishing Management for an Object
Viewing history
Deleting version history
Clearing account names in version history
Viewing and editing object properties
Applying keywords on containers
Creating a report
Working with available objects
Enabling/disabling workflow
Checking out objects
Requesting the deletion of an object
Unregistering GPOs and removing history
Requesting approval
Working with checked out objects
Working with objects pending approval and deployment
Editing GPOs
Editing Intune objects (configuration profiles and compliance policies)
Editing WMI filters
Editing scripts
Linking GPOs
Synchronizing GPOs
Exporting and importing
Available reports
Appendix: Windows PowerShell Commands
Controlled object reports
Creating RSoP validation reports
Exporting registry settings
Working with report folders
Settings Report
Difference Report
Group Policy Comparison Report
History Report
Group Policy Object Settings Search Report
User Activity Report
Role Assignment Report
All Actions Report
Compliance Report
Change Auditor Report
Change Auditor Working Copies Report
Deployment Report
Protected Settings Assignment Report
Creating Controlled Object Reports
Diagnostic and troubleshooting reports
Group Policy Object Consistency Report
Software Installation Package Report
Linked/Unlinked Report
Linked/Unlinked SOMs Report
Inactive Policy Settings Report
Group Policy Object Security Report
Policy Analysis Report
GPO Synchronization Report
Group Policy Results
Group Policy Results Difference Report
Group Policy Modeling Report
Creating Diagnostic and Troubleshooting Reports
Live, working copy, latest version, and differences reports
Historical Settings Reports
Introduction
GPOADmin scripts
Available commands
Using the GPOADmin PowerShell commands (Examples)
Appendix: GPOADmin Event Log
Appendix: GPOADmin Backup and Recovery Procedures
Appendix: Customizing your workflow
Loading the GPOADmin modules
Extracting help for GPOADmin commands
Managing objects
Get information on all GPOs
Get information for all managed objects
Get unregistered objects
Register an object
Check out an object
Check in an object
Undo the check out of an object
Request approval for changes
Withdraw an approval request
Approve changes
Reject changes
Withdraw approval on an object
Deploy an object
Deploy an object at a future time and date
Check for pending deployments
Cancel pending deployment
Gathering object and GPOADmin information
Identify which objects are checked out
Identify which objects are checked out to me
What are the properties of an object
What objects are available
What objects are checked out
Utility commands
Gather GPOADmin license information
Install a GPOADmin license
Get logging options
Set logging options
Get notifications
Set notifications on objects
Administrative commands
Approval workflow information
Set the approval workflow
Identify user accounts
Identify user roles
Modify a role
Add a role
Get an object's security
Set an object's security
Overwrite a GPOs security filter
Protected Settings commands
What is a custom workflow action?
Working with custom workflow actions in the Version Control system
Working with the custom workflow actions xml file
Troubleshooting custom workflow actions
Appendix: GPOADmin Silent Installation Commands
Installing GPOADmin with msiexec.exe
Appendix: Configuring Gmail for Notifications
Appendix: Registering GPOADmin for Office 365 Exchange Online
Appendix: GPOADmin with SQL Replication
About Us
All components (Complete GPOADmin installation)
Client and components
Server and client
Client only
Client and PowerShell provider (Client Only button on Installation dialog)
PowerShell provider only
Watcher Service
Watcher Service on localhost
Watcher Service on another computer
Watcher Service and GPMC Extension on another computer
Watcher Service and Client only on another computer
Watcher Service, Client, and GPMC Extension on another computer
GPMC Extension
Creating a Gmail Credentials File
For best practice information on securely using API keys see the Google Support documentation (https://support.google.com/googleapi/answer/6310037?hl=en&ref_topic=7013279).
|
2 |
Open https://console.cloud.google.com/apis/credentials. Review the Terms of Service and click Agree and Continue. |
|
3 |
Select a project and click New Project. |
|
5 |
Click Create Credentials | OAuth client ID. |
|
6 |
Click CONFIGURE CONSENT SCREEN. |
|
7 |
Select the user type and click CREATE. |
|
8 |
Enter the application name on the OAuth consent screen and click SAVE AND CONTINUE. Although some fields are optional, the following information is required: |
|
• |
|
9 |
To add the GMAIL API from the library, select ADD OR REMOVE SCOPES, click Google API Library link, enter GMAIL API in the Filter field, choose Gmail API, and click Enable. |
|
11 |
Check the Read, compose, send, and permanently delete all your email from Gmail checkbox, then click UPDATE. |
|
12 |
Click SAVE AND CONTINUE to select your test users. |
|
13 |
Click ADD USERS. |
|
14 |
Enter the required account’s email and click ADD. (At a minimum, the account used to connect must be assigned as the test user.) |
|
15 |
Click SAVE AND CONTINUE to review your settings. |
|
16 |
Click BACK TO DASHBOARD. |
|
17 |
|
18 |
Click CREATE CREDENTIALS. |
|
19 |
|
20 |
|
21 |
Click Download to download the credential information in JSON format. |
This file location will be entered under the Version Control server properties when you select the Enable Workflow Approval through Gmail option.
Appendix: Registering GPOADmin for Office 365 Exchange Online
Appendix: Registering GPOADmin for Office 365 Exchange Online
|
1 |
Log into the Azure Active Directory portal (https://portal.azure.com/) with your global administrator user account. |
|
2 |
In the Microsoft Azure dashboard, go to Azure Active Directory | App registrations, and click New Registration. |
|
4 |
Under Supported account types, select Accounts in this organizational directory only (Single tenant) for the accounts that can access the application API. |
|
5 |
Leave the Redirect URI (optional) field empty. |
|
6 |
Click Register. |
|
7 |
On the Overview tab, go to View API Permissions. Click Add a permission, click Microsoft Graph | Application Permissions and add the Mail.ReadWrite and Mail.Send permissions. See Microsoft documentation for details on limiting permissions to specific Exchange Online mailboxes. (Note: The Enforce approver account validation option found when configuring email notifications will not function if you select to follow the Microsoft article to restrict access to a single mailbox.) |
|
8 |
Click Add Permission. |
|
9 |
|
10 |
Click Yes to confirm. |
|
11 |
On the preview screen, click Overview, and note the application ID and the directory ID. (You will need these values when setting up OAuth authentication.) |
|
12 |
Go to Azure Active Direc tory - Roles and administrators and assign the Exchange Administrator role for the application ou created in step 3. |
|
13 |
Appendix: GPOADmin with SQL Replication
Appendix: GPOADmin with SQL Replication
Before setting up SQL replication, ensure the following is in place:
|
1 |
Right-click the required server and select Configure Database Replication (or Remove Replication if it is no longer required.) |
|
2 |
If configuring replication, select the subscribers to replicate the database with using the Add or Remove buttons, and click OK. |
|
NOTE: Upgrade considerations
|
|
f |
Choose Full Mesh topology. |
|
a |
Right-click the Replication node and Configure Distribution -> This machine should be its own Distributor. |
|
b |
Publication Type page: Choose Merge publication. |
|
c |
Subscriber Types page: Choose SQL Server 2008 or later. |
|
i |
Wizard actions: Select Create the publication. |
|
7 |
Refresh the Local Publications node, then expand and select the new publication. |
|
8 |
Right-click the publication and choose View Snapshot Agent Status. |
The agent should start automatically. If not, you can start it from this dialog. Watch for the status message to become: [100%] A snapshot of x article(s) was generated.
|
9 |
Right-click the publication and choose New Subscriptions. (All subscriptions can be created from here.) |
|
a |
|
b |
Merge Agent Location page: Choose Run all agents at the Distributor to create a similar replication path as the peer-to-peer setup. |
|
c |
Subscribers page: Click Add SQL Server Subscriber once for each SQL server in the replication. Choose the database on the target server for replication. |
|
e |
|
f |
|
g |
Subscription Type page: The Subscription Type should be Server. Set the Priority for Conflict Resolution to a different number for each subscription. |
About Us
Quest creates software solutions that make the benefits of new technology real in an increasingly complex IT landscape. From database and systems management, to Active Directory and Office 365 management, and cyber security resilience, Quest helps customers solve their next IT challenge now. Around the globe, more than 130,000 companies and 95% of the Fortune 500 count on Quest to deliver proactive management and monitoring for the next enterprise initiative, find the next solution for complex Microsoft challenges and stay ahead of the next threat. Quest Software. Where next meets now. For more information, visit www.quest.com.
For sales or other inquiries, visit www.quest.com/contact.
Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.
This product contains the following third-party components. For third-party license information, go to https://www.quest.com/legal/license-agreements.aspx. Source code for components marked with an asterisk (*) is available at https://opensource.quest.com.