To use GPOADmin with an AD LDS deployment, users must be assigned the Administrators role.
3. Perform the following after installing GPOADmin and before configuring the GPOADmin server.
a. In Microsoft SQL Server Management Studio, select File | Open | File, or press Ctrl + O.
b. In the Open File dialog, select the GPOADmin.sql file and click OK. This file is located in the GPOADmin server install directory by default; if your SQL server is on a different computer, copy the file to that computer.
a. Create a new query by clicking the New Query button.
b. Set the available database to the name of your GPOADmin database, or type USE [DATABASE_NAME], where DATABASE_NAME is the name of your GPOADmin database.
c. On the next line, type EXEC InitializeDatabase.
c. On the General page, enter the name of the service account in the Login name field.
e. Set the Default database property to the name of your GPOADmin database.
f. On the Server Roles page, check the public server role.
g. On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public.
h. Click OK to close the properties page.
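The SQL configuration store steps above (initializing the database and creating the service-account login with its database mapping) collected into one T-SQL script, as an added example that is not part of the GPOADmin documentation. The database name GPOADmin_DB and the account CONTOSO\svc-gpoadmin are placeholders, and a Windows-authenticated login is assumed; the closing queries let you confirm afterwards that the account holds exactly the memberships the steps call for.

```sql
-- Added example, not from the GPOADmin documentation: the SSMS click-through
-- above expressed as a single script. Replace the placeholders
-- [GPOADmin_DB] (your GPOADmin database) and [CONTOSO\svc-gpoadmin]
-- (the GPOADmin service account) with your own values.
USE [GPOADmin_DB];
GO

-- Step c of the query sub-steps: run the initialization procedure that
-- GPOADmin.sql installs into the database.
EXEC InitializeDatabase;
GO

-- General page: a login for the service account, defaulting to the
-- GPOADmin database. A Windows login is assumed, so no SQL password exists.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-gpoadmin')
    CREATE LOGIN [CONTOSO\svc-gpoadmin] FROM WINDOWS
        WITH DEFAULT_DATABASE = [GPOADmin_DB];
GO

-- User Mapping page: map the login into the database and grant db_owner.
-- Every login and every database user is a member of public automatically,
-- so the public memberships from steps f and g need no extra statement.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-gpoadmin')
    CREATE USER [CONTOSO\svc-gpoadmin] FOR LOGIN [CONTOSO\svc-gpoadmin];
ALTER ROLE db_owner ADD MEMBER [CONTOSO\svc-gpoadmin];
GO

-- Verification: the login's default database ...
SELECT sp.name AS login_name, sp.default_database_name
FROM sys.server_principals AS sp
WHERE sp.name = N'CONTOSO\svc-gpoadmin';

-- ... and its database role memberships (expected: db_owner only, since
-- public is implicit). Anything beyond that is more than GPOADmin needs.
SELECT dp.name AS user_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals AS dp ON dp.principal_id = rm.member_principal_id
WHERE dp.name = N'CONTOSO\svc-gpoadmin';
```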
The following ports must be open for the application to function correctly:
Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.
Between the client and the GPOADmin Server:
NOTE: To use the same AD LDS instance for both the configuration and backup store, select the “Configuration store location” option on the Backup location page.
a. To protect your environment from SQL injection attacks, select the SQL Input Filters option to specify which SQL statement inputs are not permitted within your deployment. By default, all of the inputs are marked as not permitted.
b. Select the SQL Timeouts option to configure how long GPOADmin waits to connect to the SQL server or to process a command.
5. Select Desired State Configuration | Root directory to specify a DSC root directory for each domain that supports DSC scripts. This root directory serves as the starting point for DSC script enumeration and as the deployment location. DSC scripts cannot be registered until this option is enabled.
6. Select Scripts to set the file types that are returned when enumerating Scripts in the live environment. Add and remove file extensions as required and click OK.
7. Select Delegation | Roles to create and edit the roles that are used to delegate rights over the Version Control system. The built-in roles and their descriptions are displayed. Add, edit, and delete roles as required. For complete information about creating and delegating roles, see Configuring role-based delegation.
8. Select Notifications to configure email notifications for Version Controlled events. Notifications help you stay informed of the latest changes to objects under version control and can be enabled for Exchange on-premises, Office 365 Exchange Online, and Gmail.
Select Attachments to embed report content in the body of the email.
Select Workflow to enable workflow approval through email, set the authentication method, and modify the mailbox and server information.
To use Exchange for notifications, select Basic Authentication and enter the account to use to connect to the mailbox and password. Enter the Exchange Server Url or select Autodiscover Exchange Server Url to locate the Exchange server that is hosting the specified mailbox.
To ensure that approvals are processed only by users who have the rights to do so, check the Enforce approver account validation option. (This option will not function if you select to follow the Microsoft documentation that restricts access to a single mailbox.)
By default, GPOADmin uses the mailbox associated with the service account. If necessary, you can specify a different mailbox for the service to use when processing approvals and rejections through email. To do so, uncheck the Use the service account's mailbox option and enter the mailbox that you want the service to monitor. To connect as the service, leave the account and password blank.
To use Office 365 and Exchange Online for notifications, select OAuth 2.0 Authentication. Enter the mailbox, application Id, tenant Id, https://outlook.office365.com/ews/exchange.asmx as the Exchange Server Url, and a valid certificate and password.
2. Select Logging | Configuration to enter the log location and the type of information you want to track.
3. Select Options to configure various settings.
• This enables the default link state for any new links added to a SOM.
NOTE: If you have GPOADmin configured with SQL as the configuration store, you can select Enable Policy Baselines. Selecting this option allows Protected Setting policies to be assigned to individual GPOs as policy baselines. See Working with Protected Settings Policy Baselines for details.
• Allow the service account to synchronize Group Policy Objects during deployment
• To ensure that GPOs and WMI filters cannot be created with the same name as an existing GPO or WMI filter in a domain, select the Enforce Unique Names option. If a non-deployed GPO indicates that a duplicate name exists, run a full compliance check to determine whether any GPOs were modified outside of GPOADmin. For more information, see Checking compliance.
• This ensures that roles cannot be created with the same name as an existing role.
• To allow users to link to unregistered Scopes of Management, select the Enable unregistered Scope of Management linking option. If this option is not selected, the policy and the SOM must be registered, and the user linking the policy must have the Link right on both objects.
• Display only the WMI Filters a user has Read access to when editing a GPO: users are restricted to only the WMI Filters they have Read access to.
• This option must be enabled if you want users to be able to automatically deploy an object’s associated items. See Deploying objects (scheduling and associated items).
• Enable the identification of associated items during deployment
• When this option is enabled, the objects are refreshed when they are selected in the client.
• Enabling this option logs any changes made to the version control server configuration options.
• Clicking the Launch Editor button starts the Custom Workflow Editor.
4. Select License | Current License to view the current license information.
5. Select Intune | Configuration to enable support for Intune and enter the information needed to connect to the required Microsoft Entra tenant. This includes the application ID, tenant ID, tenant name, certificate, and certificate password for the tenant where Intune is installed. See the GPOADmin Quick Start Guide for minimum permission requirements.
6. Select Integration to configure settings that apply to a Quest Change Auditor™ integration.
7. Select Enable FIPS Mode. The Federal Information Processing Standards (FIPS) are government-set guidelines and standards published by the National Institute of Standards and Technology. To run a Windows environment in FIPS compliant mode, the Microsoft policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” must be enabled.