Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

GPOADmin 5.13.5 - User Guide

Table of Contents

Introducing Quest GPOADmin

GPOADmin features

Client/server architecture Multiforest support Group Policy Management Console extension Version control Change approval process Role-based delegation Notification system GPO ACL editor Reporting options Customized views Offline GPO testing Custom workflow actions GPOADmin Dashboard

Configuring GPOADmin

Configuring the Version Control server Setting permissions on AD LDS Setting permissions when using SQL as the configuration store Port requirements Editing the Version Control server properties Editing the Version Control server configuration store Migrating from AD/AD LDS to a SQL configuration store Changing the Service Account Root container assignment Restricting GPO management for specific domains Configuring role-based delegation

Creating roles Editing roles Delegating roles

Restricting access to objects Adding notifications for users Selecting events on which to be notified Creating email templates Working with Protected Settings policies

Rights and role for Protected Settings for GPOs Create a Protected Settings policy Protecting policy settings based on extensions Generating Protected Settings policies reports Using Protected Settings policies Checking a GPO against a Protected Settings policies and blocked extensions Validating a GPO against a Protected Settings policies and blocked extensions before a check-in

Connecting to the Version Control system

Working with multiple connections

Navigating the GPOADmin console Search folders

Creating custom search folders

Accessing the GPMC extension Configuring user preferences Working with the live environment

Registering objects Registered status Removing registered objects Viewing the live environment

Working with controlled objects (version control root)

Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects

Creating Group Policy Objects (GPOs) Creating starter GPOs Creating WMI filters Creating scripts Creating Desired State Configuration (DSC) PowerShell scripts

Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Managing GPO revisions with lineage Working with registered objects

Creating labels Cloaking a GPO Locking a GPO Establishing Management for an Object Viewing history Deleting version history Clearing account names in version history Viewing and editing object properties Creating a report

Working with available objects

Enabling/disabling workflow Checking out objects Requesting the deletion of an object Requesting approval

Working with checked out objects

Undoing a check out Checking in controlled objects

Working with objects pending approval and deployment

Withdrawing an approval request Enhanced workflow approval Changing the approval workflow Withdrawing approval Approving and rejecting edits Deploying objects (scheduling and associated items)

Checking compliance Editing objects

Removing persistent registry settings

Editing WMI filters Editing scripts Linking GPOs

Synchronizing GPOs

Enabling synchronization Working with GPO synchronizations Generating Synchronized GPO report

Exporting and importing

Export objects Exporting GPO registry settings as a Desired State Configuration resource file Import objects

Creating Reports

Available reports

Controlled object reports

Settings Report Difference Report Group Policy Object Settings Search Report History Report User Activity Report Compliance Report Change Auditor Report Change Auditor Working Copies Report Deployment Report Protected Settings Assignment Report Creating Controlled Object Reports

Diagnostic and troubleshooting reports

Group Policy Object Consistency Report Software Installation Package Report Linked/Unlinked Report Inactive Policy Settings Report Group Policy Object Security Report Policy Analysis Report GPO Synchronization Report Group Policy Results Group Policy Results Difference Report Group Policy Modeling Report Creating Diagnostic and Troubleshooting Reports

Live, working copy, latest version, and differences reports

Creating live, working copy, latest version, and differences reports

Historical Settings Reports

Creating historical settings reports

Exporting registry settings Working with report folders

Managing report folders

Working with the GPOADmin Dashboard

Overview and installation notes Working within the Dashboard

Accessing and configuring the dashboard Connections view Unauthorized Modifications view Checked Out view Pending Approvals view Deployments view

Appendix: Windows PowerShell Commands

Introduction GPOADmin scripts Available commands

GPOADmin PowerShell provider extensions

Using the GPOADmin PowerShell commands (Examples)

Loading the GPOADmin modules Extracting help for GPOADmin commands Managing objects

Get information on all GPOs Get information for all managed objects Get unregistered objects Register an object Check out an object Check in an object Undo the check out of an object Request approval for changes Withdraw an approval request Approve changes Reject changes Withdraw approval on an object Deploy an object Deploy an object at a future time and date Check for pending deployments Cancel pending deployment

Gathering object and GPOADmin information

Identify which objects are checked out Identify which objects are checked out to me What are the properties of an object What objects are available What objects are checked out

Utility commands

Gather GPOADmin license information Install a GPOADmin license Get logging options Set logging options Get notifications Set notifications on objects

Administrative commands

Approval workflow information Set the approval workflow Identify user account s Identify user roles Modify a role Add a role Get an object's security Set an object's security Overwrite a GPOs security filter

Protected Settings commands

Gather Protected Settings information Enable and disable Protected Settings Get a list of Protected Settings Add Protected Settings

Appendix: GPOADmin Event Log

What is the GPOADmin event log? Interpreting the GPOADmin event log

Example GPOADmin events

Appendix: GPOADmin Backup and Recovery Procedures

GPOADmin Backup Requirements Restoring GPOADmin

Appendix: Customizing your workflow

What is a custom workflow action? Working with custom workflow actions in the Version Control system Working with the custom workflow actions xml file

Actions Predefined Tags Conditions Example of a complete pre-action

Troubleshooting custom workflow actions

Appendix: GPOADmin Silent Installation Commands

Installing GPOADmin with msiexec.exe

All components (Complete GPOADmin installation) Client and components

Server and client Client only Client and PowerShell provider (Client Only button on Installation dialog) PowerShell provider only

Watcher Service

Watcher Service on localhost Watcher Service on another computer Watcher Service and GPMC Extension on another computer Watcher Service and Client only on another computer Watcher Service, Client, and GPMC Extension on another computer

GPMC Extension on a localhost GPMC Extension on another computer

GPOADmin Dashboard

Dashboard Service and Client Dashboard Client only Dashboard Service only Client, Dashboard (no service), and GPMC Extension

Root container assignment

If necessary, the GPOADmin administrator can assign a specific container as a user’s or group’s “Root Container”. When the user or group member logs in they will only have access to the container they have been assigned, rather than the default "Version Control Root". This allows for the administration of containers and sub containers to be assigned to specific users or groups without those users being able to access or change managed objects in any other containers.

This assignment is also valid for the PowerShell commands, the GPOADmin Dashboard, and the GPOADmin snap-in for GPMC.


	NOTE: A user or group can only be directly assigned one root container at a time, however, they may have access to multiple root containers through their group membership.

To assign a container to a user or group

1

Right-click the container to be the root, and select Properties.

2

Select the Root Container Assignment tab and assign the users or groups who are going to see this as their Root Container.


	IMPORTANT: The security for the container must be set so the users or group members have the User, Moderator, Administrator, or some specially created role. If the security is not set for the assigned users of the Root Container, they will not be able to see, create, or manage any objects in the container and sub containers.

Restricting GPO management for specific domains

If necessary, you can restrict access to domains to ensure that only specified individuals or groups can view, register, create, and report on items in a domain. You can fine-tune the level of available management based on the level of security.

By default, the Domain Users group is assigned all domain rights to their corresponding domain. To take advantage of the new level of security, you must remove Domain Users and assign rights as appropriate.


	IMPORTANT: These rights refer to domain access and work with the existing GPOADmin delegated user rights that are in place; they do not replace them.

To manage the security on a domain

1

Expand the Live Environment, right-click the required domain, and select Properties.

2

Add and remove the user or groups that you want to apply the restrictions to.

3

Select to allow (or remove previously applied) rights and click Apply.

Table 6. Available rights


Right	Description
Read	A base right that you must apply as it is used with other rights. This right works with, but does not replace, the delegated custom user Read right that controls whether users and groups can see a version control container’s contents.
Register	Apply this right to users and groups that are assigned the Domain Read right to allow them to register/unregister objects from the selected domain. This right works with, but does not replace, the delegated custom user Register and Unregister rights that controls whether a user can register objects into a specific version control container or unregister objects.
Create Group Policy Objects	Apply this right to users and groups that are assigned the Domain Read right to allow them to create Group Policy Objects in the selected domain. This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container. The Edit right on the Version Control container is also required.
Create WMI Filters:	Apply this right to users and groups that are assigned the Domain Read right to enable them to create WMI Filters in the selected domain. This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container. The Edit right on the Version Control container is also required.
Create Scripts (Logon/Logoff Startup/Shutdown):	Apply this right to users and groups that are assigned the Domain Read right to enable them to create a script in the selected domain. This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container. The Edit right on the Version Control container is also required.
Create Desired State Configuration Scripts	Apply this right to users and groups that are assigned the Domain Read right to enable them to create Desired State Configuration scripts in the selected domain. This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container. The Edit right on the Version Control container is also required.
Report	Apply this right to users and groups that are assigned the Domain Read right to enable them to report on objects within the selected domain. Once applied, they will only see the "Live" report option for objects which exist in the associated domain and only the domains for which the user has this right is displayed in the report wizard. This right works with, but does not replace, the delegated custom user Run Reports right that controls whether a user can run the “New Report” wizard, and the Run Contextual Reports right which controls whether a user can run the “Live”, “Working Copy”, “Latest”, and “Difference” from the context menu.
Create Starter GPO	Apply this right to users and groups that are assigned the Domain Read right to allow them to create Starter GPOsin the selected domain. This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container. The Edit right on the Version Control container is also required.

Configuring role-based delegation

NOTE:

•

The predefined roles cannot be altered.

•

You must perform all role-related tasks in the GPOADmin console.

•

When using the Link right, you must have Link right on the GPO and the SOM.

GPOADmin Administrators can create custom roles that can be applied to specific users to allow them to perform certain functions within the Version Control system. For more information about users with permissions to create roles see Configuring the Version Control server .

•

•

•

Delegating roles

Table 7. Roles and rights

Rights included in the role

System Administrator

System Administrators can perform any action in the Version Control system.

Version Controlled Object Rights include:

•

Block Inheritance for SoM links

•

•

Compliance Action

•

•

Delegate Security

•

•

Delete links outside of workflow

•

•

•

•

Enable/Disable Workflow

•

•

•

•

•

Modify Approval Workflow

•

Modify Keywords

•

Modify Managed By

•

Modify Native Security

•

Modify Security Filter

•

•

•

•

Run Contextual Reports

•

•

Set Remediation Rules

•

Set Notification

•

•

•

•

Rights included in the role

System Administrator (continued)

Version Control Container Rights include:

•

Create Subcontainers

•

Delegate Container Security

•

Delete Container

•

Rename Container

Protected Settings Rights include:

•

Block Protected Settings Inheritance

•

Export Group Policy Objects as Protected Settings Policies

•

Modify Protected Settings

•

Modify Protected Settings Assignments

•

Modify Protected Settings Exclusions

Moderator (Moderators can perform every action a user can, plus undoing check outs from other users and running the compliance wizard.) They can also:

•

•

•

•

•

•

•

Run Contextual Reports

•

•

User (Users can perform all the basic actions of the Version Control system, such as check in, check out, edit.) They can also:

•

•

•

•

•

•

•

Run Contextual Reports

•

•

Set Notification

Creating roles

You can easily create roles with any of the customized rights.

To create a role


	NOTE: You must use the GPOADmin console to create roles, not the GPMC Extension.

1

Right-click the forest, and select Options.

2

Select Delegation | Roles.

3

Click Add New Role.

4

Enter a name and description for the role, and click Next.

You can create a role that is based on an existing role. (To see which rights are assigned to a particular role, hover the cursor over it.)

5

Select the role or roles you want to copy and click Next.

If you want to create the role from scratch, do not select an existing role before clicking Next.

6

Select the rights that you want included in the role, and click Finish.

Related Documents

© 2020 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy