
GPOADmin 5.13.5 - Getting Started Guide

Port requirements

The following ports must be open for the application to function correctly:

Name resolution uses DNS on port 53 (TCP and UDP) or, for downlevel (NetBIOS) clients, WINS on UDP port 137.

Between the client and the GPOADmin Server:

From the GPOADmin Server:

Configuration storage

GPO Archives

Minimum permissions required for the service accounts

2. Ensure the service account is a member of the Group Policy Creator Owners group.
3. Grant this account the Log on as a service right on the computer where GPOADmin is installed.

2. Select the Security tab and click Advanced.
3. Click Add and select the service account. The Applies to option should be This object and all child objects (Windows Server 2003) or This object and all descendant objects (Windows Server 2008).
4. Delegate the following permissions in the Advanced Security Settings: List Contents, Read all Properties, Write all Properties, Delete Subtree, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, Create All Child Objects, and Delete All Child Objects.

3. Browse to the Member attribute and click Edit. Add the GPOADmin service account as a Windows Account.
a. In Microsoft SQL Server Management Studio, select File | Open | File, or press Ctrl+O.
b. In the Open File dialog, select the GPOADmin.sql file and click OK. By default this file is in the GPOADmin server install directory; if your SQL Server is on a different computer, copy the file there.
d. Click the Execute button or press F5 to create the database.

b. Set the available database to the name of your GPOADmin database, or type USE [DATABASE_NAME], where DATABASE_NAME is the name of your GPOADmin database.
c. On the next line, type EXEC InitializeDatabase.
d. When ready, click the Execute button or press F5 to run the command.

b. Right-click Logins and select New Login.
e. Set the Default database property to the name of your GPOADmin database.
g. On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public.
h. Click OK to close the properties page.
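The three SQL Server Management Studio procedures above (run GPOADmin.sql, initialize the database, create the mapped login) can be scripted so that the result is repeatable and reviewable. The following is an added example, not code from the GPOADmin guide or from Quest; it uses the SqlServer PowerShell module's Invoke-Sqlcmd and assumes an instance named SQL01\GPO, a database named GPOADmin, the vendor's GPOADmin.sql copied to C:\Temp, and a service account CORP\svc-gpoadmin.

```powershell
# Added example (not from the GPOADmin guide): the SSMS steps above, scripted.
# Assumed names: instance SQL01\GPO, database GPOADmin, script copied to C:\Temp,
# service account CORP\svc-gpoadmin. All of these are operator-supplied constants.
Import-Module SqlServer

$Instance = 'SQL01\GPO'
$Database = 'GPOADmin'
$Script   = 'C:\Temp\GPOADmin.sql'   # copied from the GPOADmin server install directory
$Svc      = 'CORP\svc-gpoadmin'

# 1. Create the database by running the vendor script (Open File + Execute in SSMS).
#    Invoke-Sqlcmd honours the GO batch separators in the file.
Invoke-Sqlcmd -ServerInstance $Instance -InputFile $Script -ErrorAction Stop

# 2. Initialize it (USE [db]; EXEC InitializeDatabase in SSMS).
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database `
    -Query 'EXEC InitializeDatabase' -ErrorAction Stop

# 3. Windows login for the service account with the default database set, then a
#    database user mapped to it in db_owner. Membership in public is automatic.
$CreateLogin = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Svc')
    CREATE LOGIN [$Svc] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $CreateLogin -ErrorAction Stop

$MapUser = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Svc')
    CREATE USER [$Svc] FOR LOGIN [$Svc];
ALTER ROLE db_owner ADD MEMBER [$Svc];   -- ALTER ROLE ... ADD MEMBER needs SQL Server 2012+
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $MapUser -ErrorAction Stop

# Check: the login's default database and its database role memberships.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT sp.name AS login_name, sp.default_database_name, r.name AS db_role
FROM sys.server_principals sp
JOIN sys.database_principals dp ON dp.sid = sp.sid
JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE sp.name = N'$Svc';
"@
```

Run it as a SQL Server login that holds dbcreator and securityadmin (or sysadmin); the service account itself needs none of those. The final query is the check to keep in a runbook: it should show default_database_name = GPOADmin and exactly the db_owner row.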
4. Grant the service account Full Control on each WMI filter that GPOADmin will manage.
5. Using GPMC, delegate Link GPOs to the service account at the site and domain level (or at the OU level, depending on where GPOADmin is required to manage GPOs), for This container and all child containers if child containers are needed.
6. For the service account to run RSoP reports, it must hold the Read Group Policy Results data right. Using GPMC, delegate Read Group Policy Results Data to the service account at the domain level (or at the OU level, depending on where GPOADmin is required to perform RSoP analysis), for This container and all child containers if child containers are needed.
7. Using GPMC, delegate Create GPOs to the service account at the Group Policy Objects level.
8. Using GPMC, delegate Edit settings, delete, modify security to the service account on each existing GPO that GPOADmin will manage.
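The ADSI Edit delegation earlier on this page (the ten permissions in the Advanced Security Settings dialog, applied to This object and all descendant objects) and the GPMC delegations in steps 4 to 8 above are all access control entries on directory objects, and can be applied and verified with the ActiveDirectory and GroupPolicy modules instead of the two consoles. The following is an added example, not code from the GPOADmin guide or from Quest. It assumes a service account named svc-gpoadmin in the current domain; the extract does not name the object opened in ADSI Edit for the ten-permission step, so the $Target container below is an assumption. The mapping of GPMC delegation names to directory rights (Link GPOs = write gPLink and gPOptions, Read Group Policy Results data = the Generate Resultant Set of Policy (Logging) extended right, Create GPOs = create groupPolicyContainer objects under CN=Policies) is standard Group Policy behaviour, not something the guide states; GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example (not from the GPOADmin guide): the service-account delegations from the
# steps above, done with the ActiveDirectory and GroupPolicy modules.
# Assumptions: service account svc-gpoadmin; $Target is the container the guide has you
# open in ADSI Edit (not named in this extract).
Import-Module ActiveDirectory, GroupPolicy

$Svc      = 'svc-gpoadmin'
$SvcSid   = (Get-ADUser -Identity $Svc).SID
$DomainDn = (Get-ADDomain).DistinguishedName
$RootDse  = Get-ADRootDSE
$Target   = "CN=Policies,CN=System,$DomainDn"   # ASSUMED target for the ten-permission step

# First list, step 2: membership in Group Policy Creator Owners.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $Svc

# Resolve schema and extended-right GUIDs from the forest instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
         -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Adds one Allow ACE for the service account. Inheritance 'All' is the GUI's
# "This object and all descendant objects"; 'None' is "This object only".
function Grant-AdRight {
    param([string]$Dn,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'All')
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $SvcSid, $Rights, 'Allow', $ObjectType, $Inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# ADSI Edit step 4: the ten dialog permissions, by their .NET ActiveDirectoryRights names
# (List Contents=ListChildren, Read/Write all Properties=ReadProperty/WriteProperty,
#  Delete Subtree=DeleteTree, Read Permissions=ReadControl, Modify Permissions=WriteDacl,
#  Modify Owner=WriteOwner, All Validated Writes=Self, Create/Delete All Child Objects).
$StepFourRights = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, WriteProperty, DeleteTree, ReadControl, WriteDacl, WriteOwner, Self, CreateChild, DeleteChild'
Grant-AdRight -Dn $Target -Rights $StepFourRights

# GPMC step 4: Full Control on each WMI filter (msWMI-Som objects under CN=SOM).
Get-ADObject -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$DomainDn" -LDAPFilter '(objectClass=msWMI-Som)' |
    ForEach-Object { Grant-AdRight -Dn $_.DistinguishedName -Rights GenericAll -Inherit None }

# GPMC step 5: Link GPOs = write access to gPLink and gPOptions on the scope object
# (domain head shown; repeat with a site or OU DN as required).
foreach ($attr in 'gPLink', 'gPOptions') {
    Grant-AdRight -Dn $DomainDn -Rights 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid $attr)
}

# GPMC step 6: Read Group Policy Results data = the RSoP (Logging) extended right.
Grant-AdRight -Dn $DomainDn -Rights ExtendedRight `
    -ObjectType (Get-RightGuid 'Generate Resultant Set of Policy (Logging)')

# GPMC step 7: Create GPOs = create groupPolicyContainer children under CN=Policies.
Grant-AdRight -Dn "CN=Policies,CN=System,$DomainDn" -Rights CreateChild `
    -ObjectType (Get-SchemaGuid 'groupPolicyContainer') -Inherit None

# GPMC step 8: Edit settings, delete, modify security on every existing GPO.
Get-GPO -All | ForEach-Object {
    Set-GPPermission -Guid $_.Id -TargetName $Svc -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Check: every ACE on the domain head that names the service account.
(Get-Acl -Path "AD:\$DomainDn").Access |
    Where-Object { $_.IdentityReference -like "*\$Svc" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Step 8 only covers GPOs that exist when it runs; GPOs created later by someone other than the service account need the same Set-GPPermission call, which is one reason the guide has the service account create GPOs itself. The closing Get-Acl check is the one to repeat after any AD permission change, since an ACE on the domain head with inheritance All reaches every OU beneath it.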
To do so, open ADSIEdit.msc or DSA.msc and connect to the Active Directory domain. Navigate to the computer object for the server where GPOADmin will be installed, open its properties, and select the Security tab. Grant the service account the following permissions: Create serviceConnectionPoint objects and Delete serviceConnectionPoint objects, for This object and all descendant objects.
15. Once the product has been configured, connect to the GPOADmin console using the service account. Configure any additional administrators and users (trustees) that will connect to the product by right-clicking the connected domain and selecting Options and then Access. Delegate any roles these users require through the Version Control Root properties, or through any registered OU or GPO within the Version Control Root, as necessary.

HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

3. Click the Advanced button on the Security tab and click Add.
5. Ensure Read servicePrincipalName and Write servicePrincipalName are selected.
6. Click OK three times.
Add the GPOADmin service account to the Distributed COM Users security group in each domain that will be reported on.
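The serviceConnectionPoint and servicePrincipalName delegations above are object-specific ACEs on the GPOADmin server's computer object, which is exactly the case dsacls.exe handles well from the command line. The following is an added example, not code from the GPOADmin guide or from Quest; it assumes a GPOADmin server named GPOSRV01 and a service account CORP\svc-gpoadmin, and, because the SPN step in this extract does not name the object it is performed on, it assumes that object is the same computer object.

```powershell
# Added example (not from the GPOADmin guide): the SCP and SPN delegations above and the
# Distributed COM Users membership, applied with dsacls.exe and the ActiveDirectory module.
# Assumptions: server GPOSRV01, service account CORP\svc-gpoadmin, SPN rights on the
# server's own computer object.
Import-Module ActiveDirectory

$Svc      = 'CORP\svc-gpoadmin'
$ServerDn = (Get-ADComputer -Identity 'GPOSRV01').DistinguishedName

# Create and Delete serviceConnectionPoint child objects. dsacls rights: CC = create child,
# DC = delete child; the name after ';' restricts the ACE to that object class.
# /I:T is "This object and all descendant objects".
dsacls.exe $ServerDn /I:T /G "${Svc}:CCDC;serviceConnectionPoint" | Out-Null

# Read and Write the servicePrincipalName attribute only (RP = read property, WP = write
# property), not Write all Properties on the computer object.
dsacls.exe $ServerDn /G "${Svc}:RPWP;servicePrincipalName" | Out-Null

# Distributed COM Users (Builtin group) in this domain; repeat with -Server for each
# additional domain that will be reported on.
Add-ADGroupMember -Identity 'Distributed COM Users' -Members 'svc-gpoadmin'

# Check: print only the ACEs on the computer object that name the service account.
dsacls.exe $ServerDn | Select-String -Pattern ([regex]::Escape($Svc)) -Context 0, 3
```

The "${Svc}:" form is needed in PowerShell because "$Svc:" would be parsed as a drive reference. Scoping the SPN ACE to the single attribute matters: Write all Properties on a computer object would also let the account change its userAccountControl and other security-relevant attributes, which the guide does not ask for.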
b. Right-click the CN=Partitions object and select Properties.
c. Select the Security tab, click Add, and add the GPOADmin service account.
d. Under Permissions for <Service Account>, enable Allow for the following permissions:
e. Click Advanced, select the service account, and click Edit.
f. Set Applies to to This object and all descendant objects and enable the following permissions:
g. Click OK to close the Permission Entry for Partitions dialog.
h. Click OK to close the Advanced Security Settings for Partitions dialog.
i. Click OK to close the CN=Partitions Properties dialog.
f. At the partition management command prompt, type the following: create nc dc=staging,dc=gpoadmin DomainController, where DomainController is the name of the domain controller that will host the partition.
c. Select the DC=Staging,DC=GPOADmin context in the left pane.
d. Right-click the DC=Staging,DC=GPOADmin domainDNS object in the right pane, and select Properties.
e. Click the Security tab, click Add, and add the GPOADmin service account.
f. Under Permissions for <Service Account>, enable Allow for the following permissions:
g. Click Advanced, select the service account, and click Edit.
h. Set Applies to to This object and all descendant objects, and enable the following permissions:
i. Click OK to close the Permission Entry for Staging dialog.
j. Click OK to close the Advanced Security Settings for Staging dialog.
k. Click OK to close the DC=Staging,DC=GPOADmin Properties dialog.
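The create nc step above is typed interactively at the ntdsutil partition management prompt; ntdsutil also accepts the same menu commands as arguments, so the partition can be created from a script and then verified before the Security tab steps are carried out. The following is an added example, not code from the GPOADmin guide or from Quest. It assumes DC01.corp.example hosts the first replica and DC02.corp.example a second; the second replica is not a step from the guide but a standard precaution, because an application partition created with create nc exists only on the domain controller named in that command.

```powershell
# Added example (not from the GPOADmin guide): the create nc step, run non-interactively,
# followed by a replica and a check. Assumed DCs: DC01.corp.example, DC02.corp.example.
$Dc1 = 'DC01.corp.example'
$Dc2 = 'DC02.corp.example'
$Nc  = 'dc=staging,dc=gpoadmin'

# Same command sequence you would type at the prompts:
#   partition management -> connections -> connect to server -> quit -> create nc <nc> <dc>
ntdsutil.exe 'partition management' connections "connect to server $Dc1" quit `
             "create nc $Nc $Dc1" quit quit

# The new partition replicates only to the DC named at creation; add a second replica
# so the staging data does not live on a single DC (not a guide step, see lead-in).
ntdsutil.exe 'partition management' connections "connect to server $Dc1" quit `
             "add nc replica $Nc $Dc2" quit quit

# Check: the naming context is listed in the hosting DC's rootDSE, and the domainDNS head
# object (the one whose Security tab steps d to k above edit) can be read.
Import-Module ActiveDirectory
$Present = (Get-ADRootDSE -Server $Dc1).namingContexts -contains 'DC=Staging,DC=GPOADmin'
if (-not $Present) { throw "Partition $Nc is not hosted on $Dc1" }
Get-ADObject -Filter * -SearchBase 'DC=Staging,DC=GPOADmin' -SearchScope Base -Server $Dc1 -Properties objectClass
```

The -Server parameter on the check matters: the ActiveDirectory cmdlets search the domain naming context by default, and a newly created application partition is only visible through a domain controller that holds a replica of it.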

Additional Service Account requirements

Consider the following additional Service Account requirements:

SQL storage method

When SQL Server is the backup repository (storage method), the service account needs the following minimum rights:

NOTE: The Database Creators (dbcreator) server role is only required for the initial creation of the GPOADmin_Backups database. If the database has been pre-created by your database administrators (see Configuring the GPOADmin Server), the GPOADmin service account only needs the following database roles and permissions to access and update the database:

Database roles: db_datareader, db_datawriter

Permissions: EXECUTE on the following GPOADmin stored procedures:

quest_qgpm_add_group_to_role
quest_qgpm_domainid_pr
quest_qgpm_gpoid_pr
quest_qgpm_insbackup_p
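The note above describes the least-privilege alternative to the db_owner mapping used in the setup procedure earlier on this page: when the database already exists, the service account gets db_datareader and db_datawriter plus EXECUTE on the named procedures and nothing else. The following is an added example, not code from the GPOADmin guide or from Quest; it assumes an instance SQL01\GPO, a pre-created database GPOADmin_Backups, a service account CORP\svc-gpoadmin, and that the procedures live in the dbo schema. The procedure list on this page is cut off after quest_qgpm_insbackup_p, so $Procs must be completed from the full guide before use.

```powershell
# Added example (not from the GPOADmin guide): least-privilege grants for a pre-created
# GPOADmin_Backups database. Assumed: instance SQL01\GPO, account CORP\svc-gpoadmin,
# procedures in schema dbo. $Procs holds only the names visible on this page (truncated).
Import-Module SqlServer

$Instance = 'SQL01\GPO'
$Database = 'GPOADmin_Backups'
$Svc      = 'CORP\svc-gpoadmin'
$Procs    = @('quest_qgpm_add_group_to_role', 'quest_qgpm_domainid_pr',
              'quest_qgpm_gpoid_pr', 'quest_qgpm_insbackup_p')   # complete from the full guide

# One GRANT EXECUTE per procedure, scoped to the object rather than to the whole schema.
$Grants = ($Procs | ForEach-Object { "GRANT EXECUTE ON OBJECT::dbo.[$_] TO [$Svc];" }) -join "`n"

$Sql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Svc')
    CREATE LOGIN [$Svc] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Svc')
    CREATE USER [$Svc] FOR LOGIN [$Svc];
ALTER ROLE db_datareader ADD MEMBER [$Svc];
ALTER ROLE db_datawriter ADD MEMBER [$Svc];
$Grants
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $Sql -ErrorAction Stop

# Check: explicit permissions and role memberships held by the account in the database.
# db_owner must not appear; the EXECUTE rows should match $Procs exactly.
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query @"
SELECT dp.class_desc, OBJECT_NAME(dp.major_id) AS object_name,
       dp.permission_name, dp.state_desc
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'$Svc'
UNION ALL
SELECT 'ROLE', r.name, 'MEMBER', ''
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Svc';
"@
```

Object-level EXECUTE grants are preferred over GRANT EXECUTE ON SCHEMA::dbo because the schema-level form would silently extend to any procedure added to the database later. The closing query is the evidence to keep: it lists exactly what the account can do, so a later drift back to db_owner is visible.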