GPOADmin 5.13.5 - Getting Started Guide

AD LDS storage method

When AD LDS is used as the backup repository (storage method), the service account must meet the following minimum requirements:

For more information, see Setting Permissions on AD LDS.

Network share storage method

When a network share is used as the backup repository (storage method), the service account must meet the following minimum requirements:


GPOADmin supports both NTLM and Kerberos authentication by using Windows Communication Foundation (WCF) configuration elements. By default, GPOADmin will use Kerberos.

Managing client connections

GPOADmin uses the Default.Client.Connection.config file when connecting to a GPOADmin service. This file is located in the Connections sub-directory of the install directory. It contains the basic parameters that you can manipulate along with a link to Microsoft’s complete list of adjustable settings.

To change settings globally, edit this file directly. To adjust only a specific server connection, copy the file and rename the copy to the FQDN of the target server, keeping the .config file extension.

Editing connection options

An environment has multiple GPOADmin servers and one remote GPOADmin server called The remote server is on the other side of a slow WAN link and users frequently receive connection timeout messages while connected. To solve this issue, the administrator can make a copy of the Default.Client.Connection.config file to target just the remote server and adjust the connection timeout parameters using the following process:

Connecting to GPOADmin using NTLM authentication

To override the default settings and use NTLM authentication, you can edit the configuration file by navigating to configuration/Settings/ForceNTLM and setting the value to “true”.

Installing GPOADmin in a disjointed domain

When GPOADmin is installed in a disjointed domain environment, you may encounter errors with configuring, connecting, and in general usage. This is most likely due to the DNS name of the domain not matching the Active Directory name.

To resolve this, edit the Default.Client.Connection.config file in the Connections directory under the install directory. Add the following entry to the <Settings> section, directly below the <ForceNTLM value="false" /> entry: <DomainName value="ACTIVE_DIRECTORY_FULLY_QUALIFIED_DOMAIN_NAME" />
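As an added example (not part of this guide or of GPOADmin's own tooling), the Python below builds a per-server override of Default.Client.Connection.config from a constructed copy of the default file: it sets ForceNTLM and adds DomainName under configuration/Settings as described in the preceding sections, and names the copy after the target server's FQDN with the .config extension. Only the elements the guide names are assumed to exist in the file; its full structure is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of Default.Client.Connection.config. Only the elements the
# guide names (configuration/Settings/ForceNTLM) are assumed; anything else in
# the real file is copied through untouched.
DEFAULT_CLIENT_CONFIG = """<configuration>
  <Settings>
    <ForceNTLM value="false" />
  </Settings>
</configuration>
"""
INVALID_NAME_CHARS = '\\/:*?"<>|'

def build_server_override(default_xml, force_ntlm=False, domain_name=None):
    """Return the XML text of a per-server override derived from the default file."""
    # The global file keeps its Kerberos default; NTLM is forced only in the
    # per-server copy that needs it, so the downgrade is scoped to one server.
    root = ET.fromstring(default_xml)
    settings = root.find("Settings")
    force = None if settings is None else settings.find("ForceNTLM")
    if force is None:
        raise ValueError("configuration/Settings/ForceNTLM not found")
    force.set("value", "true" if force_ntlm else "false")
    if domain_name:
        entry = settings.find("DomainName")
        if entry is None:  # the guide places DomainName directly below ForceNTLM
            entry = ET.Element("DomainName")
            settings.insert(list(settings).index(force) + 1, entry)
        entry.set("value", domain_name)
    return ET.tostring(root, encoding="unicode")

def read_settings(xml_text):
    """List (tag, value) pairs under configuration/Settings, in file order."""
    return [(e.tag, e.get("value")) for e in ET.fromstring(xml_text).find("Settings")]

def override_filename(server_fqdn):
    """Per-server file name: the target server's FQDN plus the .config extension."""
    fqdn = server_fqdn.strip().rstrip(".")
    if not fqdn or any(c in INVALID_NAME_CHARS for c in fqdn):
        raise ValueError("not a usable FQDN for a file name: %r" % server_fqdn)
    return fqdn + ".config"

def write_server_override(connections_dir, server_fqdn, **settings):
    """Write <FQDN>.config beside the default file in the Connections directory."""
    path = os.path.join(connections_dir, override_filename(server_fqdn))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_server_override(DEFAULT_CLIENT_CONFIG, **settings))
    return path
```

Running build_server_override a second time over its own output updates the existing DomainName entry rather than adding a duplicate.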

Deploying with multiple service accounts

By default, GPOADmin uses a domain-unique SPN for connections, which forces the use of a single service account in the domain and so reduces the number of elevated accounts.

However, if required, you can configure GPOADmin to use multiple service accounts in your domain.

