GPOADmin 5.13.5 - User Guide

Deploying objects (scheduling and associated items)

Deploying changes within the system is a critical process that affects the live environment. Because the changes may alter the behavior of particular systems, deploy them during a time period when the impact to users is minimal.

To reduce any issues, you can schedule the deployment of the changes for a specific date and time that best suits your needs. You can also schedule a deployment based on a different time zone, for example, if the client is not in the same time zone as the server and you want to deploy based on the client’s time zone.

If you have multiple approvers:

During the deployment of an object, you have the option to identify and deploy any associated items (in the pending deployment state). When the associated objects are deployed, they are subject to all regular compliance checks (including security checks).

1. Expand the Version Control Root node, and the required container.
5. Enable the Identify associated items option to see a list of all associated pending deployment items that you have Read access to.
6. Enable the Deploy associated items option to deploy the associated items.

You can only deploy GPOs using the GPMC Extension. To deploy SOMs or WMI filters, use the GPOADmin console.

1. Select the GPO and click Workflow | Deploy.
Select the GPO in the Pending Deployment state and click Workflow | Deploy, then select Cancel pending deployment.

Checking compliance

GPOADmin provides two options to determine if an object has been changed outside the scope of the system in the live enterprise environment. You can manually check any object for compliance (GPOs, Scopes of Management, scripts, DSC scripts, and WMI filters), and you can let the GPOADmin Watcher Service detect unauthorized modifications to GPOs and Scopes of Management. For more information on configuring the Watcher service, see the GPOADmin Quick Start Guide.

If you are running the Watcher Service, noncompliant GPOs, scripts, and Scopes of Management are automatically flagged with a yellow exclamation point, regardless of their status.

If a delta is determined between the last historical backup and the live object, a user with the appropriate permissions will be able to either:

If an object has been deleted in the live environment, a user with the appropriate permissions will be able to:

2. Right-click the Version Control Root node or subcontainer, and select Check Compliance.
3. Click Next to run the compliance check.
5. If you are restoring GPO links, select the More (...) button to see the details of the links you will be restoring.
6. Click OK to save the Restore Links settings.
7. Click Finish.

3. Select the Restore GPO Links option in the Comment box.
4. In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
5. Click OK to save the Restore Links settings.

When a Group Policy Object is deleted in the live environment, its status shows as Noncompliant - Deleted in GPOADmin.

2. Select the Restore GPO Links option in the Comment box.
4. Click OK to save the Restore Links settings. At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.

If needed, you can use a registry key to prevent the Watcher Service from flagging a Scope of Management as noncompliant when its security is modified natively.

If you enable this, you need to redeploy all registered Scopes of Management to ensure that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as noncompliant.

1. Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
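The following added example is a conceptual model, not GPOADmin code, of why the SOMs must be redeployed after changing ExcludeSOMSecurityFromHash and what the Watcher Service stops seeing once security is excluded. The hash construction, the field names, and the sample SOM are assumptions made for illustration.

```python
import hashlib
import json


def som_hash(som: dict, exclude_security: bool) -> str:
    """Hash a SOM snapshot; optionally leave its security (ACL) out."""
    fields = {k: v for k, v in som.items()
              if not (exclude_security and k == "security")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def is_compliant(baseline_hash: str, live: dict, exclude_security: bool) -> bool:
    """Compliant when the live object hashes to the stored backup hash."""
    return som_hash(live, exclude_security) == baseline_hash


# Constructed sample SOM: an OU with one GPO link and a two-entry ACL.
DEPLOYED = {
    "dn": "OU=Workstations,DC=example,DC=test",
    "links": [{"gpo": "Baseline-Workstation", "order": 1, "enforced": False}],
    "security": ["EXAMPLE\\Domain Admins:FullControl", "EXAMPLE\\Helpdesk:Read"],
}


def scenario() -> dict:
    results = {}
    # Backup taken at deployment while the value was 0 (security included).
    baseline_incl = som_hash(DEPLOYED, exclude_security=False)
    # Value switched to 1 without a redeploy: the stale backup still covers
    # security, so an unchanged SOM no longer matches and is flagged.
    results["flag_changed_no_redeploy"] = is_compliant(baseline_incl, DEPLOYED, True)
    # Redeploying takes a new backup under the current setting.
    baseline_excl = som_hash(DEPLOYED, exclude_security=True)
    results["after_redeploy"] = is_compliant(baseline_excl, DEPLOYED, True)
    # A native ACL edit is ignored when excluded, flagged when included.
    acl_edit = dict(DEPLOYED,
                    security=DEPLOYED["security"] + ["EXAMPLE\\Contractor:Write"])
    results["acl_edit_excluded"] = is_compliant(baseline_excl, acl_edit, True)
    results["acl_edit_included"] = is_compliant(baseline_incl, acl_edit, False)
    # A link change is still detected with security excluded.
    link_edit = dict(DEPLOYED, links=[])
    results["link_edit_excluded"] = is_compliant(baseline_excl, link_edit, True)
    return results


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'compliant' if ok else 'NONCOMPLIANT'}")
```

In this model, a value of 1 means native permission changes on a Scope of Management no longer produce a noncompliant flag, so those changes need to be monitored by other means, such as directory service auditing.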

Editing objects

Editing GPOs

Once you have a GPO checked out, you can edit its settings within the Group Policy Editor, create security and WMI filters, and enable/disable computer and user settings.

Because you can only link GPOs to sites, domains, and OUs, setting up security filters helps you to refine the application of GPO settings to a group, user, or computer.

When you check out a GPO, the changes you make are to a copy of the live GPO. The changes that you make do not affect the GPO settings in the enterprise until it is approved and deployed.

See also Removing persistent registry settings.

2. Click Launch Editor, make the required changes, and close the Group Policy Editor.
4. If required, select the Security tab and click Add, enter or search for the required user, computer, or group, and click OK.
5. Click the Advanced button to select advanced permissions.
7