GPOADmin 5.15 - Quick Start Guide

Port requirements

The following ports must be open for the application to function correctly:

Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.

Between the client and the GPOADmin Server:

From the GPOADmin Server:

Configuration storage

GPO Archives

Configuring GPOADmin to use a Group Managed Service Account (GMSA)

7. Follow the steps in Minimum permissions required for the service accounts, replacing the service account with the group that the GMSA is a member of (created in step 4).

Minimum permissions required for the service accounts

2. Ensure the service account is a member of the Group Policy Creator Owners group.
3. Grant this account Log on as a Service on the computer where GPOADmin is installed.
4. Grant the service account Full Control to the installation directory.

2. Select the Security tab and click Advanced.
3. Click Add and select the service account. The Applies to option should be This object and all descendant objects.
4. Delegate the following permissions in the Advanced Security Settings: List Contents, Read all Properties, Write all Properties, Delete Subtree, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, Create All Child Objects, and Delete All Child Objects.

3. Browse to the Member attribute and click Edit. Add the GPOADmin service account as a Windows Account.
a. In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O).
b. In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied.
d. Click the Execute button or press F5 to create the database.

b. Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database.
c. On the next line, type EXEC InitializeDatabase.
d. When ready, click the Execute button or press F5 to run the command.

b. Right-click Logins and select New Login.
e. Set the Default database property to the name of your GPOADmin database.
g. On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public. Click OK to close the properties page.
7. Grant the service account Full Control on each WMI Filter that will be managed by GPOADmin.
8. Using GPMC, delegate Link GPOs to the service account on the Site and Domain level (or even on the OU level depending on where GPOADmin is required to manage GPOs), for This container and all child containers, if child containers are needed.
9. For the service account to run RSoP reports, the Read Group Policy Results data right must be granted. Using GPMC, delegate Read Group Policy Results Data to the service account on the Domain level (or even on the OU level, depending on where GPOADmin is required to perform the RSoP analysis), for This container and all child containers, if child containers are needed.
10. Using GPMC, delegate Create GPOs to the service account on the Group Policy Objects Level.
11. Using GPMC, delegate Edit settings, Delete, and Modify security to the service account for each existing GPO that will be managed by GPOADmin.

To do so, open ADSIedit.msc or DSA.msc and connect to the Active Directory domain. Navigate to the computer where GPOADmin will be installed, open the computer properties, and select the Security tab. Grant the service account the following permissions: Create serviceConnectionPoint objects and Delete serviceConnectionPoint objects for This object and all descendant objects.

18. Once the product has been configured, connect to the GPOADmin console using the service account. Configure any additional administrators and users (trustees) that will connect to the product by right-clicking the connected domain and selecting Options and then Access. Delegate any roles required by these users through the Version Control Root properties, or any registered OU/GPO within the Version Control Root as necessary.

HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

21
3. Click the Advanced button on the Security tab.
4. Click Change at the top of the Advanced Security Settings page and select the service account.
5. Click OK three times.

3. Click the Advanced button on the Security tab and click Add.
5. Ensure Read servicePrincipalName and Write servicePrincipalName are selected.
6. Click OK three times.

Add the GPOADmin service account to the Distributed COM Users security group in each domain that will be reported on.
b. Right-click the CN=Partitions object and select Properties.
c. Select the Security tab, click Add, and add the GPOADmin service account.
d. Under Permissions for <Service Account>, enable Allow for the following permissions:
e. Click Advanced, select the service account, and click Edit.
f. Set Applies to to This object and all descendant objects and enable the following permissions:
g. Click OK to close the Permission Entry for Partitions dialog.
h. Click OK to close the Advanced Security Settings for Partitions dialog.
i. Click OK to close the CN=Partitions Properties dialog.
b
d
f. At the partition management command prompt, type the following: create nc dc=staging,dc=gpoadmin DomainController.
c. Select the DC=Staging,DC=GPOADmin context in the left pane.
d. Right-click the DC=Staging,DC=GPOADmin domainDNS object in the right pane, and select Properties.
e. Click the Security tab, click Add, and add the GPOADmin service account.
f. Under Permissions for <Service Account>, enable Allow for the following permissions:
g. Click Advanced, select the service account, and click Edit.
h. Set Applies to to This object and all descendant objects, and enable the following permissions:
i. Click OK to close the Permission Entry for Staging dialog.
j. Click OK to close the Advanced Security Settings for Staging dialog.
k. Click OK to close the DC=Staging,DC=GPOADmin Properties dialog.
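
A read-only check of several grants from the procedure above, as an added example (not part of the Quest guide or product): it reports group membership, Full Control on the installation directory, and the account's ACEs on the three registry keys. The account name and installation path are placeholders, the ActiveDirectory RSAT module is assumed, and only ACEs that name the account directly are matched.

```powershell
# Added example: read-only audit of grants named in this guide.
# $Account and $InstallDir are placeholders (assumptions), not values from the guide.
param(
    [string]$Account    = 'EXAMPLE\svc-gpoadmin',
    [string]$InstallDir = 'C:\Path\To\GPOADmin'
)
Import-Module ActiveDirectory

$sam     = $Account.Split('\')[-1]
$results = @()

# Group memberships the guide requires. -Recursive also finds the account when
# its membership comes through a nested group.
foreach ($group in 'Group Policy Creator Owners', 'Distributed COM Users') {
    $isMember = [bool](Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $sam })
    $results += [pscustomobject]@{ Check = 'Group membership'; Target = $group; Result = $isMember }
}

# Full Control on the installation directory (Allow ACEs that name the account).
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$dirAces = (Get-Acl -Path $InstallDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
}
$hasFull = [bool]($dirAces | Where-Object { ($_.FileSystemRights -band $full) -eq $full })
$results += [pscustomobject]@{ Check = 'Full Control'; Target = $InstallDir; Result = $hasFull }

# Registry keys listed in the guide. The required right is not stated on this
# page, so the script reports what the account holds instead of pass/fail.
$keys = 'HKLM:\SOFTWARE\Quest\GPOADmin',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics',
        'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
foreach ($key in $keys) {
    $rights = if (Test-Path -Path $key) {
        ((Get-Acl -Path $key).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account } |
            ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
    } else { 'key not found' }
    if (-not $rights) { $rights = 'no ACE naming the account' }
    $results += [pscustomobject]@{ Check = 'Registry rights'; Target = $key; Result = $rights }
}

$results | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on the GPOADmin server; rights held only through a group show up under that group's ACE, not the account's.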

Additional Service Account requirements

Consider the following additional Service Account requirements:
