Chat now with support
Chat with Support

GPOADmin 5.15 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root) Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Working with the GPOADmin Dashboard Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Working with Protected Settings policies

Protected Settings policies contain settings that you want to control. They are protected in the sense that they contain and identify the settings that may not be altered by users. This provides an added level of security for the policies within your organization. If a user attempts to create, edit, or remove the flagged settings they are stopped.

Protected Settings are identified by examining the difference report between the Protected Settings policies and the Group Policy Object being checked in. The difference is produced by using the Difference Engine in GPOADmin. Once this is completed, the protected setting function searches the difference report for matches based on the specified validation mode.

Protected Settings policies have a modified workflow and follow the typical check-out, edit, and check-in process. As with any other object, when you are ready to make the newly created Protected Settings policy active or edit an existing policy, a request approval action must be initiated.

Once the approval is granted, the Protected Settings policy is available for use.

If a protection issue is detected during check in, users with the Modify Protected Settings right on the GPO in question, have the option to continue with the check in and override the blocked setting or review a report and address the issue.

Protected settings must be:

Select Options | General and select Enable Protected Settings for Group Policy Objects.

See also:

Rights and role for Protected Settings for GPOs

The Protected Settings for GPOs requires the following rights to control the actions of the Protected Settings tab on containers and provide the ability to export GPOs to create protected settings:

These rights are automatically assigned to the System Administrator role when Protected Settings are enabled. No other roles, built in or otherwise, are given the Protected Settings rights. They must be assigned.

Create a role called Prot_All and assign rights listed above and the Read right to this role. No other rights are required for this role.
Right-click the Protected Setting container, and select the Security tab. Click Add and add the user who is going to manage the container. Give them the Prot_All role. Do not give them any other roles to the Protected Settings container. Select OK to apply the security changes.
Select the Security tab, and click Add to add the user account. Give them the User (built-in) and the Prot_All roles. Click Apply and OK.

To review why the above roles were created and assigned consider the following:

Protected Settings policies can be further controlled by delegating who has permission to modify protected settings. To secure the protected settings, you can assign a role (that contains the “Modify Protected Settings” right) to a user on the Protected Settings policy. If during the validation process, GPOADmin determines the current user possess this right, the associated Protected Settings policy is excluded from the validation allowing the modification of those protected settings to proceed.

Create a Protected Settings policy

Once the ability to use Protected Settings has been enabled, you can create the policies using one of the following methods:

Select the Protected Settings container in the tree view.
Right-click and select New | New Protected Settings Policy.
Click Finish.
Refresh the Protected Settings container.
In the Version Control Root, select the GPO you want to use for a Protected Settings policy.
Refresh the Protected Settings container.

Protecting policy settings based on extensions

If required, you can prevent users from editing policy settings based on one or more policy extensions. Once you have selected the extension to block, if a policy contains any settings from the extension, the policy will fail the validation test and will not be checked in.

Available extensions include:

Select the Protected Settings tab and the Blocked Extensions tab.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating