
GPOADmin 5.13.5 - User Guide


Editing the Version Control server properties

Users logged on with an account that is a member of the GPOADmin administrators group can edit the properties of the Version Control server when required. Specifically, they can:

1. Right-click the forest, and select Options.
2. Select Administrators and add or remove users who can connect to and alter the Version Control server-specific settings.
3. Select Users and add or remove users who can connect to the Version Control server but can only perform the actions assigned to them by an administrator.
4. Select Backup store location and choose where backups are stored:
   Active Directory: This option stores the backups in Active Directory if you selected it during the initial setup of GPOADmin as the storage method for your configuration.
   AD LDS: This option stores the backups in Active Directory Lightweight Directory Services (AD LDS).
   NOTE: To use the same AD LDS instance for both the configuration and backup store, select the “Configuration store location” option on the Backup location page.
   Network Share: Enter or browse to a network share or directory.
   SQL Server: This option stores the backups in SQL Server. Enter the database name and the required authentication.
   a. To protect your environment from a SQL Injection attack, choose the SQL Input Filters option to specify which SQL statement inputs are not permitted within your deployment. By default, all of the inputs are marked as not permitted.
   b. Choose the SQL Timeouts option to configure how long GPOADmin waits to connect to the SQL server or to process a command.
5. Select Desired State Configuration | Root directory to specify a DSC root directory for each domain that supports DSC scripts. This root directory serves as the starting point for DSC script enumeration and as the deployment location. DSC scripts cannot be registered until this option is enabled.
6. Select Delegation | Roles to create and edit the roles that are used to delegate rights over the Version Control system.
7. Select Notifications to configure email notifications for Version Controlled events. Notifications help you stay informed of the latest changes to objects under version control and can be enabled for both Exchange on-premises and Office 365 Exchange Online.
   Select SMTP to modify the global SMTP notification options.
   a. Select Enable SMTP notifications.
   When connecting to Office 365 for standard SMTP notifications, the From account must have access to the mailbox of the authentication account.
   If you want to enable Workflow Approval through email, select Exchange to modify the mailbox and server information.
   a. Uncheck the Use the service accounts mailbox option and enter the mailbox that you want the service to monitor.
   c. Enter the Exchange Server Url or select Autodiscover Exchange Server Url to locate the Exchange server that is hosting the specified mailbox. For Office 365 Exchange Online, enter https://outlook.office365.com/ews/exchange.asmx as the Exchange Server Url.
8. Select Logging | Configuration to enter the log location and the type of information you want to track.
9. Select Options to configure various settings.
   Select General to configure the following options:
Select General to configure the following options:

Perform Group Policy Management version check

Check to ensure the version of GPMC on the client is compatible with the GPMC version used within GPOADmin.

Disable all workflow options for Group Policy Objects

Disable all workflow on GPOs.

Keep in mind, if you disable the workflow, any changes made are immediately deployed in the live environment. To bring the GPO back under version control, enable the workflow.

Set default link state to enable when adding new links

Any new link added to a Scope of Management (SOM) is created in the enabled state.

Enable Protected Settings for Group Policy Objects

This enables the ability to have Protected Settings policies that contain settings that you want to control. They are protected in the sense that they contain and identify the settings that cannot be altered by users. This provides an added level of security for the policies within your organization. If a user attempts to create, edit, or remove the flagged settings they are stopped.

Enable Group Policy Object Synchronization

Synchronizing GPOs allows you to automatically push out predefined “master GPO” settings to specified targets both within a forest and between two forests. This allows you to ensure specific GPOs, which are required in every domain, contain the same settings without having to link to a GPO outside of the domain.

You are able to select one or more GPOs from various domains as synchronization targets for the source GPO. When the source GPO has been successfully deployed, the settings from the last major backup are imported into each synchronization target GPO.

Enable Unique Name

Select this option to ensure that GPOs and WMI filters cannot be created with the same name as an existing GPO or WMI filter in the domain. If a non-deployed GPO indicates that a duplicate name exists, run a full compliance check to determine whether any GPOs were modified outside of GPOADmin. For more information, see Checking compliance.

Enable unregistered Scopes of Management linking

To allow users to link to unregistered Scopes of Management, select the Enable unregistered Scope of Management linking option. If this option is not selected, both the policy and the SOM must be registered, and the user linking the policy must have the Link right on both objects.

Display only the WMI Filters a user has Read access to when editing a GPO

Users see only the WMI Filters to which they have Read access.

Ensure service account access before deployment

This option must be enabled if you want users to be able to automatically deploy an object’s associated items. See Deploying objects (scheduling and associated items).

It ensures that the service account has the Edit settings, delete, modify security rights on the working copy before deployment.

Allow the service account to synchronize Group Policy Objects during deployment

Provides the ability to control whether the service account can perform a GPO synchronization during deployment.

Enable the identification of associated items during deployment

Provides users with the option to identify and deploy associated items in a pending deployment state.

Prevent approval requester from approving their own changes

Ensures that a user cannot approve their own changes, even if they are in the approver's list for the object.

Enable the processing of custom workflow actions

Clicking the Launch Editor button starts the Custom Workflow Editor.

Select SQL Input Filters to view the allowed strings and characters for SQL statements.
Select Comments to enforce comments to all actions and naming conventions for newly created objects. Set a minimum comment length greater than 0. Leaving the value at 0 means comments are optional for all actions. Any value greater than zero makes comments mandatory for all actions and all users.
Select Deployment Failure to enable an automatic retry on failed deployments. Enable the option and select the number of attempts (maximum of 10) and the interval in minutes (maximum of 1440). Re-deployment attempts are done as scheduled deployments.
Select Preferred Domain Controllers and click Add to configure the domain controller that GPOADmin will use for all Active Directory actions. By default, GPOADmin uses the Primary Domain Controller.
Select Naming Standards to enforce naming conventions for newly created objects. Select whether to apply the conventions to GPOs and WMI filters, and enter the pattern that you want to use.
You can test your rule by entering a name that conforms to your desired naming standard and selecting Verify. If you validate the rule here, users see both the rule and your sample text if they try to use a non-conforming name.
NOTE: Example rule

^[a-z]+[0-9]+_GPO$

The caret character (^) means the start of the line.
The grouping [a-z]+ means one or more lower-case characters between a and z.
The grouping [0-9]+ means one or more numeric characters between 0 and 9.
The dollar sign character ($) means the end of the line.

This rule states that from the start of the line there must be one or more lower-case characters, immediately followed by one or more numeric characters, immediately followed by the literal string “_GPO”, and nothing after that.

a1_GPO passes
abc123_GPO passes
_a1_GPO fails
a1_GPO_ fails
A1_GPO fails
A1_gpo fails
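As an added illustration (not GPOADmin's own code), the following Python evaluates the example rule above against the six sample names the guide lists and reproduces the same pass/fail outcomes. It assumes the rule is applied as a regular expression over the whole name; the function names (name_conforms, verify_rule, check_samples) are hypothetical. It also contrasts a whole-string match with a search-based check, which would let a name with a trailing newline slip past the $ anchor.

```python
import re

# Example naming rule quoted in the guide. GPOADmin applies naming standards
# as regular-expression patterns; this module is an added illustration, not
# product code, and the function names are hypothetical.
EXAMPLE_RULE = r"^[a-z]+[0-9]+_GPO$"


def name_conforms(name, rule=EXAMPLE_RULE):
    """True when the entire name satisfies the rule.

    re.fullmatch() is used rather than re.search(): with re.search(), '$'
    also matches just before a trailing newline, so "a1_GPO\\n" would pass.
    """
    return re.fullmatch(rule, name) is not None


def search_based_check(name, rule=EXAMPLE_RULE):
    """The looser check a naive implementation might use, kept for contrast."""
    return re.search(rule, name) is not None


def verify_rule(rule, sample):
    """Mimic the Verify step: compile the rule and confirm that the
    administrator's sample name conforms to it. Returns (ok, message); the
    message is what a user would be shown after submitting a bad name."""
    try:
        compiled = re.compile(rule)
    except re.error as exc:
        return False, f"rule does not compile: {exc}"
    if compiled.fullmatch(sample) is None:
        return False, f"sample {sample!r} does not conform to {rule}"
    return True, f"names must match {rule}, for example {sample!r}"


# Constructed sample names; the expected outcomes are the ones the guide lists.
SAMPLE_NAMES = {
    "a1_GPO": True,
    "abc123_GPO": True,
    "_a1_GPO": False,
    "a1_GPO_": False,
    "A1_GPO": False,
    "A1_gpo": False,
}


def check_samples(rule=EXAMPLE_RULE):
    """Evaluate every sample name against the rule."""
    return {name: name_conforms(name, rule) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name:12} {'passes' if ok else 'fails'}")
    print(verify_rule(EXAMPLE_RULE, "abc123_GPO"))
```

When you design a rule, verify it with a conforming sample as the guide recommends, and prefer a whole-string match so that anchors cannot be bypassed by trailing whitespace or line breaks.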

10. Select License | Current License to view the current license information.
    Select the Update License check box, then click Browse and go to the new license location.
11. Select Integration to configure settings that apply to a Quest Change Auditor™ integration.

Editing the Version Control server configuration store

Users logged on with an account that is a member of the GPOADmin administrators group can edit the type of configuration store.

1. Right-click the forest, and select Re-configure Version Control server.
2. In the Select a Configuration Store dialog, select Active Directory, AD LDS, or SQL Server as your configuration storage location.
NOTE: To protect your environment from a SQL Injection attack, you can mark which SQL statement inputs are not permitted. See Editing the Version Control server properties. By default, all of the inputs are marked as not permitted.

If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities.

Migrating from AD/AD LDS to a SQL configuration store

A configuration utility (configmig.exe) is available in the GPOADmin install directory that allows you to migrate the configuration store from AD/AD LDS to SQL. You can migrate all objects, or specify users, custom folders, keywords, email templates, roles, domains, containers, version control items, scheduled deployments, synchronization targets and synchronization results data as required.

The output from the configuration utility is written to the screen as well as to a Migration.txt file located in the install directory.

Before running the configuration utility, you need to configure the version control server to use SQL as the configuration store. See Editing the Version Control server configuration store to change the storage from AD/AD LDS to SQL.

SQL Injection inserts malicious code into SQL statements which can lead to security vulnerabilities. To protect your environment from a SQL Injection attack, you can mark SQL statement inputs that are not permitted. See Editing the Version Control server properties. By default, we have marked the following inputs as not permitted. If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities:

Table 5. SQL inputs

Input      Description
;          Denotes the end of a SQL query. Allowing this character can permit malicious queries to be included in user input.
--         All trailing input is interpreted as a comment until the new line character.
/*         The character combination used to denote the start of a block comment. All trailing input is interpreted as a comment until the comment end delimiter.
*/         The character combination used to denote the end of a block comment. Input between the comment start delimiter and the comment end delimiter is interpreted as a comment.
xp_        Extended stored procedures are routines residing in DLLs that function similarly to regular stored procedures. An extended stored procedure is executed under the security context of Microsoft SQL Server.
\AUX       Generally, the AUX port on a PC is computer port 1 (COM1), the first serial port with a preconfigured assignment for serial devices. File paths can be constructed using this input.
\CLOCK$    The system clock. File paths can be constructed using this input.
\COM1      The first Communications port. File paths can be constructed using this input.
\COM2      The second Communications port. File paths can be constructed using this input.
\COM3      The third Communications port. File paths can be constructed using this input.
\COM4      The fourth Communications port. File paths can be constructed using this input.
\COM5      The fifth Communications port. File paths can be constructed using this input.
\COM6      The sixth Communications port. File paths can be constructed using this input.
\COM7      The seventh Communications port. File paths can be constructed using this input.
\COM8      The eighth Communications port. File paths can be constructed using this input.
\CON       A common device name for the keyboard and screen. File paths can be constructed using this input.
\CONFIG$   A configuration information file. File paths can be constructed using this input.
\LPT1      The first line print terminal. File paths can be constructed using this input.
\LPT2      The second line print terminal. File paths can be constructed using this input.
\LPT3      The third line print terminal. File paths can be constructed using this input.
\LPT4      The fourth line print terminal. File paths can be constructed using this input.
\LPT5      The fifth line print terminal. File paths can be constructed using this input.
\LPT6      The sixth line print terminal. File paths can be constructed using this input.
\LPT7      The seventh line print terminal. File paths can be constructed using this input.
\LPT8      The eighth line print terminal. File paths can be constructed using this input.
\NUL       The NUL device. File paths can be constructed using this input.
\PRN       The DOS name for the first connected parallel port. File paths can be constructed using this input.
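The following Python is an added illustration of the kind of screen that Table 5 describes (and that the SQL Input Filters option under Backup store location and Options configures); it is not GPOADmin's implementation, and the function names (build_filter, denied_inputs_in, is_permitted) are assumptions. It treats every Table 5 entry as a literal token, matches case-insensitively (also an assumption, since SQL Server identifiers and Windows device names are not case-sensitive), and reports which denied inputs a sample string contains.

```python
import re

# Inputs from Table 5 of the guide. This module is an added illustration of
# how such a filter behaves; it is not GPOADmin's own implementation.
DEVICE_NAMES = (
    ["AUX", "CLOCK$", "CON", "CONFIG$", "NUL", "PRN"]
    + [f"COM{i}" for i in range(1, 9)]
    + [f"LPT{i}" for i in range(1, 9)]
)
DENIED_INPUTS = [";", "--", "/*", "*/", "xp_"] + ["\\" + name for name in DEVICE_NAMES]


def build_filter(denied=DENIED_INPUTS):
    """Compile one pattern covering every denied input.

    Tokens are escaped so '*', '$' and the backslash match literally, sorted
    longest first so '\\CONFIG$' is reported in preference to its prefix
    '\\CON', and matched case-insensitively (an assumption: SQL Server
    identifiers and Windows device names are not case-sensitive).
    """
    ordered = sorted(denied, key=len, reverse=True)
    return re.compile("|".join(re.escape(tok) for tok in ordered), re.IGNORECASE)


_FILTER = build_filter()
_CANONICAL = {tok.lower(): tok for tok in DENIED_INPUTS}


def denied_inputs_in(text, compiled=_FILTER):
    """Return the denied inputs present in text, spelled as in Table 5, in
    order of first appearance and without duplicates."""
    found = []
    for match in compiled.finditer(text):
        token = _CANONICAL[match.group(0).lower()]
        if token not in found:
            found.append(token)
    return found


def is_permitted(text, compiled=_FILTER):
    """True when the input contains none of the denied tokens."""
    return compiled.search(text) is None


# Constructed sample inputs, each paired with the tokens it should trigger.
SAMPLE_INPUTS = {
    "Baseline password policy v2": [],
    "Finance GPO; see ticket 42": [";"],
    "Finance -- Q3 review": ["--"],
    "Finance /* hidden */ GPO": ["/*", "*/"],
    "backup to \\com1\\notes": ["\\COM1"],
    "call XP_proc": ["xp_"],
}


def screen_samples():
    """Run every constructed sample through the filter."""
    return {text: denied_inputs_in(text) for text in SAMPLE_INPUTS}


if __name__ == "__main__":
    for text, tokens in screen_samples().items():
        verdict = "permitted" if not tokens else "rejected: " + ", ".join(tokens)
        print(f"{text!r}: {verdict}")
```

A filter of this kind is a blocklist: it rejects the listed tokens, which also means legitimate comments containing ";" or "--" are refused, and it cannot catch input that avoids every listed token. Treat it as defence in depth around parameterised queries rather than as the only control, and keep the default (all inputs not permitted) unless a specific deployment need justifies relaxing it.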

Before migrating the configuration store, Quest suggests that you test the migration to ensure that all objects migrate according to your specifications. To validate the migration, run the command with the /t option. This gathers all the information that will be committed to the SQL database but does not commit any changes.

Changing the Service Account

To change the GPOADmin service account in an existing deployment, consider the following:

To bring GPOs back into compliance, complete one of the following:
