• 포털 전문가 되기
• 다운로드
• 인쇄
• 내 다운로드 ()

• 지원
• 기술 문서
• GPOADmin 5.19
• GPOADmin 5.19 - User Guide

GPOADmin 5.19 - User Guide

콘텐츠 탐색  

Introducing Quest GPOADmin

GPOADmin features

Client/server architecture Multiforest support Group Policy Management Console extension Version control Change approval process Role-based delegation Notification system GPO ACL editor Reporting options Customized views Offline GPO testing Custom workflow actions

Configuring GPOADmin

Configuring the Version Control server Setting permissions on AD LDS Setting permissions when using SQL as the configuration store Port requirements Editing the Version Control server properties Editing the Version Control server configuration store Replacing the Version Control server configuration settings Migrating from AD/AD LDS to a SQL configuration store Changing the Service Account Root container assignment Restricting GPO management for specific domains Configuring role-based delegation

Creating roles Editing roles Delegating roles

Restricting access to objects Adding notifications for users Selecting events on which to be notified Restricting inheritance on notifications Creating email templates Working with Protected Settings policies

Rights and role for Protected Settings for GPOs Create a Protected Settings policy Protecting policy settings based on extensions Generating Protected Settings policies reports Using Protected Settings policies Checking a GPO against a Protected Settings policies and blocked extensions Validating a GPO against a Protected Settings policies and blocked extensions before a check-in

Working with Protected Settings Policy Baselines

Using GPOADmin

Connecting to the Version Control system

Restricting search scope Working with multiple connections Version Control data in the directory

Navigating the GPOADmin console Search folders

Creating custom search folders

Accessing the GPMC extension Configuring user preferences Working with the live environment

Registering objects Registered status Removing registered objects Viewing the live environment

Working with controlled objects (version control root)

Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects

Creating Group Policy Objects (GPOs) Creating starter GPOs Creating WMI filters Creating scripts Creating Desired State Configuration (DSC) PowerShell scripts

Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects

Creating labels Cloaking a GPO Locking a GPO Establishing Management for an Object Viewing history Deleting version history Clearing account names in version history Viewing and editing object properties Applying keywords on containers Creating a report

Working with available objects

Enabling/disabling workflow Checking out objects Requesting the deletion of an object Unregistering GPOs and removing history Requesting approval

Working with checked out objects

Undoing a check out Checking in controlled objects

Working with objects pending approval and deployment

Withdrawing an approval request Enhanced workflow approval Changing the approval workflow Withdrawing approval Approving and rejecting edits Deploying objects (scheduling and associated items)

Checking compliance Editing objects

Editing GPOs

Removing persistent registry settings

Editing Intune objects (Configuration profiles and Compliance policies) Editing WMI filters Editing scripts Linking GPOs

Synchronizing GPOs

Enabling synchronization Working with GPO synchronizations Generating Synchronized GPO report

Exporting and importing

Export objects Exporting GPO registry settings as a Desired State Configuration resource file Import objects

Creating Reports

Available reports

Controlled object reports

Settings Report Difference Report Group Policy Comparison Report History Report Group Policy Object Settings Search Report User Activity Report Role Assignment Report All Actions Report Compliance Report Change Auditor Report Change Auditor Working Copies Report Deployment Report Protected Settings Assignment Report Attestation Report Creating Controlled Object Reports

Diagnostic and troubleshooting reports

Group Policy Object Consistency Report Software Installation Package Report Linked/Unlinked Report Linked/Unlinked SOMs Report Inactive Policy Settings Report Group Policy Object Security Report Group Policy Permission Check Report Group Policy Size Validation Report Policy Analysis Report GPO Synchronization Report Group Policy Results Group Policy Results Difference Report Group Policy Modeling Report Group Policy Object Settings Priority Report Creating Diagnostic and Troubleshooting Reports

Live, working copy, latest version, and differences reports

Creating live, working copy, latest version, and differences reports

Historical Settings Reports

Creating historical settings reports

Creating RSoP validation reports Exporting registry settings Working with report folders

Managing report folders

Appendix: Windows PowerShell Commands

Introduction GPOADmin scripts Available commands

GPOADmin PowerShell provider extensions

Using the GPOADmin PowerShell commands (Examples)

Loading the GPOADmin modules Extracting help for GPOADmin commands Managing objects

Get information on all GPOs Get information for all managed objects Get unregistered objects Register an object Check out an object Check in an object Undo the check out of an object Request approval for changes Withdraw an approval request Approve changes Reject changes Withdraw approval on an object Deploy an object Deploy an object at a future time and date Check for pending deployments Cancel pending deployment

Gathering object and GPOADmin information

Identify which objects are checked out Identify which objects are checked out to me What are the properties of an object What objects are available What objects are checked out

Utility commands

Gather GPOADmin license information Install a GPOADmin license Get logging options Set logging options Get notifications Set notifications on objects

Administrative commands

Approval workflow information Set the approval workflow Identify user accounts Identify user roles Modify a role Add a role Get an object's security Set an object's security Overwrite a GPOs security filter

Protected Settings commands

Gather Protected Settings information Enable and disable Protected Settings Get a list of Protected Settings Add Protected Settings

Appendix: GPOADmin Event Log

What is the GPOADmin event log? Interpreting the GPOADmin event log

Event ID types

Example GPOADmin events

Appendix: GPOADmin Backup and Recovery Procedures

GPOADmin Backup Requirements Restoring GPOADmin

Appendix: Customizing your workflow

What is a custom workflow action? Working with custom workflow actions in the Version Control system Working with the custom workflow actions xml file

Actions Predefined Tags Conditions Example of a complete pre-action

Troubleshooting custom workflow actions

Appendix: GPOADmin Silent Installation Commands

Installing GPOADmin with msiexec.exe

All components (Complete GPOADmin installation) Client and components

Server and client Client only Client and PowerShell provider (Client Only button on Installation dialog) PowerShell provider only

Watcher Service

Watcher Service on localhost Watcher Service on another computer Watcher Service and GPMC Extension on another computer Watcher Service and Client only on another computer Watcher Service, Client, and GPMC Extension on another computer

GPMC Extension

GPMC Extension on a localhost GPMC Extension on another computer

Appendix: Configuring Gmail for Notifications

Using Gmail for Workflow Approvals Creating a Gmail Credentials File

Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

• Viewing Topics 253 - 256 of 257

×

Using Gmail for Workflow Approvals

To enable the ability to approve or reject changes through Gmail, you need to:

•	Create a gmail account. This account is responsible for the application activities, settings, and API credentials. See https://www.google.com/intl/en-GB/gmail/about/# for details on creating an account.

•	Create the required API credential file.

•	Enable the Enable Workflow Approval through Gmail option under the Version Control properties. See Editing the Version Control server properties.

Creating a Gmail Credentials File

IMPORTANT: To ensure that access to the Gmail account remains secured, Quest suggests that you store the configuration file in a location that is only accessible by the required administrators or delete it after activation.

The API credentials file allows GPOADmin to connect to Gmail, verify the authorization, get access and refresh tokens to retrieve and send messages.

For best practice information on securely using API keys see the Google Support documentation (https://support.google.com/googleapi/answer/6310037?hl=en&ref_topic=7013279).

To create the required credentials file:

1	Sign in to your Gmail account.

2	Open https://console.cloud.google.com/apis/credentials. Review the Terms of Service and click Agree and Continue.

3	Select a project and click New Project.

4	Enter GPOADmin as the project name. Leave the default Location, and click Create.

5	Click Create Credentials | OAuth client ID.

6	Click CONFIGURE CONSENT SCREEN.

7	Select the user type and click CREATE.

You can choose between Internal and External.

NOTE: Internal requires a Google Workspace subscription; external allows any test user with a Google Account.

8	Enter the application name on the OAuth consent screen and click SAVE AND CONTINUE. Although some fields are optional, the following information is required:

•

App name

•	User support email

•	Developer contact information

9	To add the GMAIL API from the library, select ADD OR REMOVE SCOPES, click Google API Library link, enter GMAIL API in the Filter field, choose Gmail API, and click Enable.

After the gmail api is added, you can close the secondary Overview Gmail API tab.

10	Back on the original tab, scroll to the bottom and click UPDATE.

11	Check the Read, compose, send, and permanently delete all your email from Gmail checkbox, then click UPDATE.

12	Click SAVE AND CONTINUE to select your test users.

13	Click ADD USERS.

14	Enter the required account’s email and click ADD. (At a minimum, the account used to connect must be assigned as the test user.)

15	Click SAVE AND CONTINUE to review your settings.

16	Click BACK TO DASHBOARD.

17	Select Credentials under APIs & Services.

18	Click CREATE CREDENTIALS.

19	Select Desktop app for the Application type and optionally give it a name and click Create.

20	Click OK to close the OAuth client created dialog.

21	Click Download to download the credential information in JSON format.

This file location will be entered under the Version Control server properties when you select the Enable Workflow Approval through Gmail option.

 

 

 

Appendix: Registering GPOADmin for Office 365 Exchange Online

Appendix: Registering GPOADmin for Office 365 Exchange Online

To use email notifications using Office 365 Exchange Online, you need to register GPOADmin with Azure Active Directory. During the registration process, the following variables are generated. These variables are used when you configure OAuth authentication.

•	Application ID: Required to authenticate to your Azure Active Directory tenant.

•	Tenant ID: The tenant associated with the client.

To register an application for Office 365 Exchange Online through Azure Active Directory:

1	Log into the Azure Active Directory portal (https://portal.azure.com/) with your global administrator user account.

2	In the Microsoft Azure dashboard, go to Azure Active Directory | App registrations, and click New Registration.

3	Enter a name for the application.

4	Under Supported account types, select Accounts in this organizational directory only (Single tenant) for the accounts that can access the application API.

5	Leave the Redirect URI (optional) field empty.

6	Click Register.

7

On the Overview tab, go to View API Permissions. Click Add a permission, click Microsoft Graph | Application Permissions and add the Mail.ReadWrite and Mail.Send permissions. See Microsoft documentation for details on limiting permissions to specific Exchange Online mailboxes. (Note: The Enforce approver account validation option found when configuring email notifications will not function if you select to follow the Microsoft article to restrict access to a single mailbox.)

8	Click Add Permission.

9	On the API Permissions tab, under Grant consent, click Grant admin consent for tenant name.

10	Click Yes to confirm.

11	On the preview screen, click Overview, and note the application ID and the directory ID. (You will need these values when setting up OAuth authentication.)

12	Go to Manage | Certificates & secrets, select Upload certificate and upload the required .cer file.

Appendix: GPOADmin with SQL Replication

Appendix: GPOADmin with SQL Replication

The following information details how to setup SQL replication to allow multiple GPOADmin servers in the same domain to run concurrently sharing a configuration store and a backup store.

Before setting up SQL replication, ensure the following is in place:

•	All SQL servers included in this configuration have the Replication SQL feature installed.

•	Each GPOADmin server has a local Domain Controller and local SQL server.

•	The Replication role is installed on all servers that will host a backup store share. (DFS replication is located under File and Folder Storage Services.)

•	The SQL Server agent must run as the GPOADmin service account and have the startup type set to Automatic (Delayed Start).

•	If this is an in place upgrade, ensure that the server used as the primary SQL server has a copy of the existing GPOADmin database. A separate copy should be kept as a backup.

To configure replication within GPOADmin

1	Right-click the required server and select Configure Database Replication (or Remove Replication if it is no longer required.)

2	If configuring replication, select the subscribers to replicate the database with using the Add or Remove buttons, and click OK.

Once subscribers have been selected, GPOADmin verifies that the service account has access to the subscriber and if a database with the same name as the current database exists on the subscriber.

•	If the service account does not have access, the subscriber will not be added.

•	If the service account does have access but the database does not exist, a database with the same name as the current database is created on the subscriber.

GPOADmin generates the following files in the install directory:

•	ReplicationConfiguration.sql: The SQL script used to configure replication.

•	StartReplication.bat: The batch file that can start replication if it does not start automatically after the snapshot has been generated. This batch file must be run on the publisher SQL server.

NOTE: Upgrade considerations During an upgrade, GPOADmin checks to see if the current database is configured for replication. If the database setup for replication, you have two options: • Have GPOADmin attempt to end replication, perform the database upgrade, and restore the replication after the upgrade. With this option, GPOADmin generate the following files in the install directory: • ReplicationRestoration.sql: The SQL script used to restore replication. • RestartReplication.bat: The batch file to start replication if it does not start after the snapshot has been generated. This batch file must be run on the publisher SQL server. • ReplicationSubscribers.xml: A list of the replication subscribers recorded before replication was ended. • Manually end replication before you can continue with the upgrade process.

To manually configure SQL replication for GPOADmin

1	Set up Distributed File System (DFS) for the backup store. (This creates a replicated DFS share on each GPOADmin server or a local file server to each GPOADmin server with a single Active Directory share name.)

NOTE: These instructions are derived from Microsoft documentation.

a	Create a folder on each server to be a replicate backup store host. (All folders should have the same name.)

b	On the primary server for the backup store, open the DFS Management tool.

c	Create a new domain-based namespace in Windows Server 2008 mode.

d	Create a new replication group.

e	Add all servers hosting replicated backup stores to the group as members.

f	Choose Full Mesh topology.

g	Set to replicate constantly using the specified bandwidth.

h	Select the current server as the primary member.

i	Add the path to the folders created above.

j	Complete the replication group creation.

k	Publish the replication group to the Namespace created above.

The path to the share will now be //domain.fqdn/Namespace/ReplicationGroup.

2	Install GPOADmin on all computers that will be used as GPOADmin servers.

3	On the primary GPOADmin server open the GPOADmin console and configure GPOADmin.

Ensure that all SQL configuration store upgrades have completed. (This may require multiple log out and log in cycles in GPOADmin.)

4	Stop all GPOADmin services on all GPOADmin servers.

5	Log into the SQL server to be used as the primary SQL server.

NOTE: The account used to login must have administrator privileges to all SQL servers to be added.

Ensure that a SQL Server agent is installed and running, and the distributor is set for the primary SQL server.

a	Right-click the Replication node and Configure Distribution -> This machine should be its own Distributor.

b	For the Snapshot folder, choose a network share that is visible to all other SQL servers in replication.

6	Create a new local publication by completing the wizard.

a	Publication Database page: Choose the GPOADmin database for replication.

b	Publication Type page: Choose Merge publication.

c	Subscriber Types page: Choose SQL Server 2008 or later.

d	Articles page: Choose to publish all articles.

e	Article Issues page: Read the information and click Next.

f	Filtered Table Rows page: Do not add any filters.

g	Snapshot Agent page: Choose to create immediately and set a schedule. (These scheduled snapshots are essentially rollback points.)

h	Agent Security page: Add a login for the agent. Quest recommends that this is a privileged account as it will run the agent for all replicated databases.

i	Wizard actions: Select Create the publication.

j	Name the publication.

7	Refresh the Local Publications node, then expand and select the new publication.

8	Right-click the publication and choose View Snapshot Agent Status.

The agent should start automatically. If not, you can start it from this dialog. Watch for the status message to become: [100%] A snapshot of x article(s) was generated.

9	Right-click the publication and choose New Subscriptions. (All subscriptions can be created from here.)

a	Publication page: Choose the publisher (may be already set) and the previously created publication.

b	Merge Agent Location page: Choose Run all agents at the Distributor to create a similar replication path as the peer-to-peer setup.

c	Subscribers page: Click Add SQL Server Subscriber once for each SQL server in the replication. Choose the database on the target server for replication.

Add the following values to the extended properties for any replication target databases: ProductName =GPOADmin, Version= 5.18.0.0.

d	Merge Agent Security page: Set the accounts to communicate between nodes for the replication.

e	Synchronization Schedule page: Set the Agent Schedule to Run continuously for each subscription.

f	Initialize Subscriptions page: Select Initialize and set Initialize When to Immediately.

g	Subscription Type page: The Subscription Type should be Server. Set the Priority for Conflict Resolution to a different number for each subscription.

The publisher is 99.99 by default. Higher numbers will win in an exact timing conflict over lower numbers. Choose which servers have priority and ensure this number is different for each subscription.

h	Finish the wizard,

The subscription will be created and a script saved that can be used to recreate the subscription if needed.

10	Monitor each subscription until there are no more messages other than ‘Waiting 60 seconds(s) before polling for further changes.’ within 60 seconds.

11	Start all GPOADmin server services.

12	On each GPOADmin server:

a	Set the backup store on one of the consoles to the DFS share from using the //domain.fqdn/Namespace/ReplicationGroup format.

b	Set any other desired options required for each server.

 

•  이전
• Viewing Topics 253 - 256 of 257
• 다음 

이 문서 검색 이 제품 버전에 대한 모든 문서 검색 이 제품에 대한 모든 문서 검색 모든 문서 검색

×

 지원 시작

계열사 지원 사이트에서 Quest *제품*에 대한 온라인 지원 도움말을 볼 수 있습니다. 올바른 *제품* 지원 콘텐츠 및 지원에 연결하려면 계속을 클릭하십시오.

관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택

© 2024 Quest Software Inc. ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center