
GPOADmin 5.15 - User Guide


Checking compliance

GPOADmin provides two options to determine if an object has been changed outside the scope of the system in the live enterprise environment. You can manually check any object for compliance (GPOs, Scopes of Management, scripts, DSC scripts, and WMI filters), and you can let the GPOADmin Watcher Service detect unauthorized modifications to GPOs, Scripts, and Scopes of Management. For more information on configuring the Watcher service, see the GPOADmin Quick Start Guide.

If you are running the Watcher Service, noncompliant GPOs, scripts, and Scopes of Management are automatically flagged with a yellow exclamation point, regardless of their status.

If a delta is determined between the last historical backup and the live object, a user with the appropriate permissions will be able to either:

If an object has been deleted in the live environment, a user with the appropriate permissions will be able to:

2. Right-click the Version Control Root node or subcontainer, and select Check Compliance.
3. Click Next to run the compliance check.
5. If you are restoring GPO links, select the More (...) button to see the details of the links you will be restoring.
6. Click OK to save the Restore Links settings.
7. Click Finish.

3. Select the Restore GPO Links option in the Comment box.
4. In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.
5. Click OK to save the Restore Links settings.

When a Group Policy Object is deleted in the live environment, its status shows as Noncompliant - Deleted in GPOADmin.

2. Select the Restore GPO Links option in the Comment box.
4. Click OK to save the Restore Links settings. At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval state. If not registered, the changes are made in the live environment.

If needed, you can use a registry value to prevent the watcher service from flagging a Scope of Management as non-compliant when its security is modified outside of GPOADmin.

If you enable this setting, you need to redeploy all registered Scopes of Management to ensure that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as non-compliant.

1. Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
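
The following is an added example, not part of the Quest guide and not GPOADmin's own code: a simplified Python model of a hash-based backup-versus-live comparison, showing why registered SOMs must be redeployed after changing ExcludeSOMSecurityFromHash and which changes the watcher stops reporting once security is excluded. The SOM fields, the use of SHA-256, and all function names are assumptions made for illustration.

```python
import hashlib
import json

# Simplified model only: field names and SHA-256 are assumptions, not GPOADmin internals.

def som_hash(som: dict, exclude_security: bool) -> str:
    """Digest of a SOM's state; the 'security' field is dropped when excluded."""
    fields = {k: v for k, v in som.items()
              if not (exclude_security and k == "security")}
    canonical = json.dumps(fields, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()

def deploy(som: dict, exclude_security: bool) -> str:
    """Model of a (re)deploy: record the backup hash under the current setting."""
    return som_hash(som, exclude_security)

def is_compliant(backup_hash: str, live_som: dict, exclude_security: bool) -> bool:
    """Model of the watcher check: live hash under the current setting vs. backup."""
    return som_hash(live_som, exclude_security) == backup_hash

# Constructed sample SOM: an OU with two GPO links and one ACL entry.
LIVE = {
    "dn": "OU=Workstations,DC=example,DC=test",
    "links": ["Baseline-Workstation", "Browser-Hardening"],
    "security": ["EXAMPLE\\Domain Admins:FullControl"],
}

def scenario() -> dict:
    results = {}
    backup = deploy(LIVE, exclude_security=False)      # backup taken with value 0
    # Value switched to 1 without a redeploy: the unchanged SOM is flagged.
    results["flagged_without_redeploy"] = not is_compliant(backup, LIVE, True)
    backup = deploy(LIVE, exclude_security=True)       # redeploy with value 1
    results["compliant_after_redeploy"] = is_compliant(backup, LIVE, True)
    # ACL edited outside the system: no longer flagged once security is excluded.
    acl_edit = dict(LIVE, security=LIVE["security"] + ["EXAMPLE\\Helpdesk:Write"])
    results["acl_edit_flagged"] = not is_compliant(backup, acl_edit, True)
    # A link change is still flagged.
    link_edit = dict(LIVE, links=LIVE["links"][:1])
    results["link_edit_flagged"] = not is_compliant(backup, link_edit, True)
    return results

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

In this model, excluding security means permission changes on a SOM made outside the system produce no compliance flag, so they need to be monitored by other means, such as directory change auditing.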

Editing objects

Editing GPOs

Once you have a GPO checked out, you can edit its settings within the Group Policy Editor, create security and WMI filters, and enable/disable computer and user settings.

Because you can only link GPOs to sites, domains, and OUs, setting up security filters helps you to refine the application of GPO settings to a group, user, or computer.

When you check out a GPO, the changes you make are to a copy of the live GPO. The changes that you make do not affect the GPO settings in the enterprise until it is approved and deployed.

See also Removing persistent registry settings.

2. Click Launch Editor, make the required changes, and close the Group Policy Editor.
4. If required, select the Security tab and click Add, enter or search for the required user, computer, or group, and click OK.
5. Click the Advanced button to select advanced permissions.
7

Removing persistent registry settings

Some GPO settings create registry entries when they are processed. When these settings are removed and the policy is processed, their corresponding registry entries may not be removed from client computers.

GPOADmin notifies you when potentially persistent registry values exist and allows you to remove them.

2. Click the Registry Cleanup button.