Chat now with support
Chat with Support

GPOADmin 5.13.5 - Getting Started Guide

Quest GPOADmin Quick Start Guide

About this guide

This document has been prepared to assist you in becoming familiar with Quest GPOADmin. The Quick Start Guide contains information required to install and use GPOADmin and is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Product overview

Security issues are becoming paramount within organizations. Within Active Directory, Group Policy Objects (GPOs) are at the forefront of an organization's ability to roll out functional security. Core aspects such as password policies, logon hours, software distribution, and other crucial security settings are handled through GPOs. Organizations need methods to control the settings of these GPOs and to deploy GPOs in a meaningful and safe manner with confidence. Since GPOs are so important to the proper operating of the Active Directory, organizations also need methods to restore GPOs when they are either incorrectly updated or corrupt. Windows Group Policy is powerful but difficult to manage. Uncontrolled changes can have disastrous consequences. For example, unplanned effects of a GPO change could prohibit hundreds of users from logging on, exclude access to critical software applications, or expose system settings. The Group Policy Management Console (GPMC) from Microsoft is a useful tool for the individual administrator, but additional functionality—such as GPO check in/check out, change control, and rollback—is needed to effectively manage GPOs across the enterprise.

GPOADmin offers a mechanism to control this highly important component of Active Directory. GPOs, Scope of Management links, and WMI filters are backed up in a secure, distributed manner and then placed under version control. When changes are made a backup of the object is made. Changes are then managed from the Version Control system, and approval for change is required. GPOADmin also offers two methods of ensuring GPO consistency. The stored object can be retrieved if the current object in the directory is not valid for any reason. This means that objects become managed and deployed with a sense of security. If issues do arise, recovery time is reduced between the discovery of an issue and the resolution by restoring to a previous version of the object. GPOADmin:

GPOADmin architecture

GPOADmin is a directory-enabled application and all of its configuration information is stored in the configuration container of either Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (AD/LDS).

Active Directory deployments

For all Active Directory deployments, the application information along with the GPOADmin Version Control System is stored in the configuration container of Active Directory in the following location:

CN=QGPM,CN=Quest,CN=Services,CN=Configuration,DC=Domain,DC=com

Where if you drilled down on the GPOADmin container you will find the following directories:

- CN=QGPM

Since this information is stored in the configuration container of Active Directory, it is replicated to all other DCs within your forest. However, the Master Version Control is unique and the authoritative source for all version control actions. The Master Version Control role is normally held by the DC specified during the initial run of the Server Configuration wizard shortly after the GPOADmin server and service have been installed.

Active Directory Lightweight Directory Services (AD/LDS) deployments

For all AD LDS deployments, the application information, along with the GPOADmin Version Control system, follows the same format as the Active Directory deployment with the exception that the application information and Version Control system is stored in the configuration of the AD LDS instance. The information is not replicated to other AD LDS servers (unless manually set up) like Active Directory replicates information with the configuration container.

SQL storage

During configuration of the Version Control server, you now have the option to select to store GPOADmin data in a SQL database. If you select this option, the data can be found in the following tables:

 

Table 1.  

AclTable

Contains access control list information when cloaking or locking GPOs.

ApprovalWorkflow

Contains approval workflow information.

BackupData

Contains backup information such as date, location, and storage type.

CustomSearchFolders

Contains custom search folder information.

Domains

Contains registered domain names, their Id, and whether or not they are visible in the live environment.

DomainSecurity

Contains a mapping of which rights a user has for a registered domain.

EmailTemplateAttachments

Contains a mapping of which attachments are to be include with what email template for a given notification type.

EmailTemplates

Contains email template information.

GPOLineage

Contains a mapping of GPO lineage for a given registered GPO, when the lineage was assigned, and by whom.

GPOLinks

Contains a mapping of GPO links between the GPO and the SOM.

History

Contains a historical list of actions for any registered object or container.

KeywordList

Contains a mapping of keywords to registered object.

LiveEnvironmentAccess

Contains a list of trustees who have access to the live environment.

MasterKeywordList

Contains a list of all keywords.

Notifications

Contains a mapping of which notifications are enabled for a given user on a given registered object or container.

ObjectData

Contains registered object information.

ProtectedSettingsAssignments

Contains a mapping of which protected settings policies are assigned to a specific container.

ProtectedSettingsExclusions

Contains a list of policies that are excluded from verification of a given protected settings policy.

Remediation

Contains remediation information for a given registered object or container.

Roles

Contains default and custom role information.

RootContainerAssignments

Contains a mapping between a trustee and their root container assignment.

ScheduledTasks

Contains a list of all scheduled deployment tasks.

Security Security

Contains a list of GPOADmin permissions assignments for a given registered object or container.

ServiceIDs

Contains a list GPOADmin service host names and UIDs.

ServiceOptions

Contains the list of service options and there current values.

SOMLinks

Contains the list of GPO links for a given SOM.

SynchronizationResults

Contains a list of the results for a given GPO synchronization.

SynchronizationTargets

Contains a mapping between a source GPO and it synchronization targets.

Trustees

Contains a list of trustees who have been granted access to GPOADmin as either a user or administrator.

VersionControlContainers

Contains a mapping of child and parent version control containers.

WatcherData

Contains a temporary list of newly created or registered items for the watcher service to monitor.

WorkingCopy

Contains a mapping between a registered object and its working copy.

 

 

 

 

The client/server architecture facilitates granular security and delegation. GPOADmin runs under the security context of a privileged service account that must have full access to GPOs in the managed forest.
Clients can connect to any deployed server within any Active Directory forest.
GPOADmin maintains a most recently used (MRU) list of servers to which the users have previously connected to facilitate quick subsequent server connections.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents