Q: What is an easy way to register ALL objects in GPOADMIN?
Q: Why is it necessary to register Organizational Units?
Q: Can you explain the process of GPOAdmin and the check-in, check-out process?
Q: What should you NEVER do?
Q: What is an easy way to register ALL objects in GPOADMIN?
1. Launch the GPOADMIN MMC console and log in as an authorized user who is allowed to register objects into the version control.
2. Navigate to 'Live Environment', then your domain name.
3. Right-click the domain name and choose 'Register' followed by 'All'.
4. Choose your version control root location, create a new container if you wish.
5. Ensure "Workflow Enabled" is checked ON and 'Specify initial major version' is configured to 1 or greater. Click OK.
Wait until the MMC console has completed the operation. If you have many GPOs (over 100), this action may take an hour or more. Please do not cancel the operation, as it could leave GPOADMIN in a state where some GPOs are half registered.
Q: Why is it necessary to register Organizational Units?
As GPOADMIN is a version control process system, in order to LINK or UN-LINK Group Policy Objects, you need to first register the Organizational Units from Active Directory into GPOADMIN. After that you can check out the OU and edit it, and assign a link, check the OU back in, and deploy the change.
Q: Can you explain the process of GPOAdmin and the check-in, check-out process?
As GPOADMIN uses a version control system, it relies on creating temporary objects (GPOs) whenever a Group Policy object is edited or checked out. These GPOs are stored in the domain controller's SYSVOL container and are assigned a unique GUID number upon creation. In Active Directory or AD LDS, a corresponding object is created to link to the checked-out GPO. Once a GPO is checked back in, the version control is incremented to a major version number (e.g. 2.0) and the working copy (or copies) are removed from SYSVOL.
To summarize:
1. You check out a GPO. GPOADMIN makes a copy of the GPO which is now referred to as a "Working Copy". This GPO is stored in SYSVOL and assigned a unique GUID number.
2. The GPO is versioned from 1.0 to 1.1, indicating it has been checked out.
3. Information is also stored in either the Configuration Container of Active Directory or AD LDS. An example of this path would be:
CN=Configuration Container | CN=Services | CN=Quest | CN=QGPM | CN=Wentworth
4. When you check in the GPO and deploy it, the temporary (working copy) is removed from SYSVOL and the corresponding information in the configuration container or AD LDS gets updated.
Q: What should you NEVER do?
Never, ever edit any of the information within the Configuration Container or AD LDS without help from Support. Making any changes to the objects located within the QGPM container may result in corruption of the version control store and subsequently break any functionality within GPOADMIN. Prior to making any changes, please ensure you have a full backup of either Active Directory or AD LDS (whichever configuration storage method you use).
Q: What do the containers below CN=Wentworth do?
CN=Roles: Contains the roles/permissions assigned to objects within GPOADMIN.
CN=Scheduled Actions: Contains the scheduled deployment tasks for GPOADMIN.
CN=Templates: Contains all access templates created in GPOADMIN.
CN=Users: Shows all users who are allowed access to GPOADMIN.
CN=VCRoot: Contains all the information on the version control system and the registered objects within GPOADMIN. Never, ever edit anything in this container without direct help and supervision from Quest Support.
CN=Version Control: Contains the information of the version control system so the MMC console can connect.
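A read-only way to inventory these containers without opening the store in an editor, as an added example that is not part of the original article or of Quest's tooling. It assumes the ActiveDirectory PowerShell module and that the path shown above corresponds to the distinguished name built in `$storeDN` under the forest's configuration naming context; adjust it for an AD LDS deployment.

```powershell
# Added example: read-only inventory of the GPOADMIN configuration store.
# It only issues LDAP searches (Get-ADObject); nothing is written or modified.
Import-Module ActiveDirectory

# Assumption: "CN=Configuration Container | CN=Services | CN=Quest | CN=QGPM |
# CN=Wentworth" from the article maps to this DN in the configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$storeDN  = "CN=Wentworth,CN=QGPM,CN=Quest,CN=Services,$configNC"

# Fail early if the store is not where we assumed, rather than report nothing.
try {
    $null = Get-ADObject -Identity $storeDN -ErrorAction Stop
} catch {
    Write-Error "Store not found at $storeDN : $($_.Exception.Message)"
    return
}

# One row per top-level container (Roles, Users, VCRoot, ...).
# ObjectCount includes the container object itself (Subtree scope).
$report = Get-ADObject -SearchBase $storeDN -SearchScope OneLevel -Filter * |
    ForEach-Object {
        $objects = @(Get-ADObject -SearchBase $_.DistinguishedName `
                        -SearchScope Subtree -Filter * -Properties whenChanged)
        [pscustomobject]@{
            Container   = $_.Name
            ObjectCount = $objects.Count
            LastChanged = ($objects |
                Measure-Object -Property whenChanged -Maximum).Maximum
        }
    }

$report | Sort-Object Container | Format-Table -AutoSize
```

Keeping a copy of this output alongside each backup gives a baseline to compare against if the version control store later misbehaves.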