Chat now with support
Chat with Support

GPOADmin 5.21 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Microsoft 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Linking GPOs to multiple Scopes of Management

If required, you can easily take existing registered GPOs and link them to any number of SOMs within your deployment.

* 
NOTE: GPOADmin does not support cross-domain GPO linking; these links will appear as deleted. To achieve similar functionality, we recommend using GPO synchronization.
To link GPOs to multiple SOMs
1
Select two or more registered SOMs, right-click and choose Apply Link.
2
Click the browse button to open the Choose a Group Policy Object dialog.
3
Select the required GPO and click OK.
By default, the links will be applied to all selected Scopes of Management. You can, however, select to remove the application for specific SOMs by clearing the individual check box.
The way in which the link is applied is set through the available options:
If the GPO is not currently linked to a SOM, the default settings are enabled:
Enabled: This settings reflects the setting in the Version Control Server properties.
Enforced: Not enforced.
Link Order: Append link order.
If the GPO is currently linked to one of the selected SOMs, the existing settings for that SOM are displayed.
6
If required, you can change the individual options or use the top level check box to set the options for all the selected SOMs.
* 
NOTE: To set the link as a specific link order, uncheck the check box for the specified SOM under the Link Order column, set the required link order using the up and down arrow. If the link order is set to a higher number than the current link count, the link will be appended.
7
Once you have all your settings in place, click OK.
When the link action completes, the results are displayed in the Link Results dialog. If any of the links failed or an SOM was skipped, an error message displays the details so that you can take corrective action.

Managing compliance issues automatically with remediation rules

You have the option to setup an automatic way to deal with objects that have become non-complaint due to a modification or deletion performed outside of GPOADmin.

By default, the remediation option is set to None (no automatic resolution) at the Version Control Root level. Any remediation option set at this level will filter down to all child objects and containers unless you have specifically configured them to override their parents settings.

 

* 

Watcher Service requirements
The Watcher service is required to perform the compliance remediation actions. If the service is not running all remediation settings will be ignored.
If the Watcher service account is not the same account as the GPOADmin service, it must be added to GPOADmin as and Administrative account.
Remediation is not support on Protected Settings policies and WMI Filters as these objects are not monitored by the Watcher service.
To configure compliance remediation
* 
NOTE: Only users with the Set Remediation Rule can set these options.
1
Right-click the required object or container and select Properties.
2
Select the Remediation tab and choose how you want to handle objects that have become non-compliant due to a modification or deletion.
If an object has become non-compliant due to:
Available options to resolve the compliance issue

Modification

NOTE: Rollback with links and restore with links only apply to GPOs. All other objects will perform either a rollback or a restore remediation action.
Rollback
Rollback with links
Incorporate live
Unregister

Deletion

NOTE: Restore and Restore with links remediation is not supported on Scopes of Management.
Restore
Restore with links
Unregister
3
Click OK. Once a rule has been set it will be applied when the object is flagged as non-compliant. If the object does not have a remediation rule applied then the first rule found on a parent container will be applied.

Validating GPOs

To ensure that the GPOs within your system are still required, you can setup an attestation process. If a GPO has not been deployed within the specified date range, an email will be sent to the account designated as its manager to attest to its validity. This option is supported for SQL and AD / AD LDS as a configuration store and all backup stores.

Administrators can also attest to the validity of a GPO without having to re-deploy it. An email, which includes a Settings report, is sent when the GPO is attested or when the attestation date has expired.

To configure GPO attestation
1
Right-click the required object or container and select Properties.
2
Select the Attestation tab.
3
Select Enable Attestation.
4
Set the date range (days, weeks, or months) for a GPO deployment that when exceeded will trigger a notification.
5
Enter the email notification subject and message.
You can right-click and select Insert Tag to use any of the following pre-defined tags: Action, Comment, Domain Name, Full Path, ID, Last Backup ID, Name, Status, Sub status, Trustee Name, Trustee SID, Type, Version, Version Control ID, Last Deployed On. (See Predefined Tags for tag details.)
6
Click OK.
The version control system is polled every 24 hours to identify GPOs that have not been deployed within the specified date range. Once identified, the attestaion email notification is sent to the account that is designated as its manager (Managed By property).
* 
NOTE: If you have GPOs that you do not want to validate, you can select to Override Inherited Attesatation and click to clear the Enable Attestation option.
To attest to the validity of GPOs without re-deploying it
* 
NOTE: Only GPOADmin administrators and GPO managers (account specified in the Managed By field) can attest a GPO and only if attestation is enabled for that GPO.
1
Right-click the required object or container and select Attest.
2
Enter a comment and click OK.
The attestation properties (Last attested date, Last attested by, and Attestation Due date) are found on the GPO General properties tab.
The Attest action is also included in the GPO’s history.
To attest GPOs through email
1
Ensure the Enable Workflow Approval through email or Enable Workflow Approval through Gmail option has been configured by the administrator. See Configuring the Version Control server.
2
Ensure the Enable Attestation for Group Policy Objects option has been configured either on the GPOs or on the container and that the GPOs Managed By property is set to either a mail-enabled account or a valid email address.
Attesters will receive an email with the specified subject line and message. The email contains a Settings report that can be reviewed before making a decision.
3
Click the Attest button in the received email and enter a comment as the body of the new email message to perform the attestation for the GPO.

Managing GPO revisions with lineage

If required, you can manage GPO revisions through lineage by selecting a specific GPO to revert to when a rollback is performed. When this is configured, every SOM linked to the GPO will be updated the lineage GPO.

* 
NOTE: Only users with the Set Lineage right can set the lineage.
To configure GPO lineage
1
Right-click the GPO that you want to manage and select Properties.
2
Select the Lineage tab and choose Enable Lineage.
3
Select the browse button and choose the GPO to revert to when a rollback is performed.
4
Click OK. Once this is set, a GPO rollback will unlink the GPO and re-link with the assigned lineage GPO.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating