Chat now with support
Chat with Support

GPOADmin 5.16 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root) Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Root container assignment

If necessary, the GPOADmin administrator can assign a specific container as a user’s or group’s “Root Container”. When the user or group member logs in they will only have access to the container they have been assigned, rather than the default "Version Control Root". This allows for the administration of containers and sub containers to be assigned to specific users or groups without those users being able to access or change managed objects in any other containers.

This assignment is also valid for the PowerShell commands and the GPOADmin snap-in for GPMC.

* 
NOTE: A user or group can only be directly assigned one root container at a time, however, they may have access to multiple root containers through their group membership.
To assign a container to a user or group
1
Right-click the container to be the root, and select Properties.
2
Select the Root Container Assignment tab and assign the users or groups who are going to see this as their Root Container.
* 
IMPORTANT: The security for the container must be set so the users or group members have the User, Moderator, Administrator, or some specially created role. If the security is not set for the assigned users of the Root Container, they will not be able to see, create, or manage any objects in the container and sub containers.

Restricting GPO management for specific domains

If necessary, you can restrict access to domains to ensure that only specified individuals or groups can view, register, create, and report on items in a domain. You can fine-tune the level of available management based on the level of security.

By default, the Domain Users group is assigned all domain rights to their corresponding domain. To take advantage of the new level of security, you must remove Domain Users and assign rights as appropriate.

* 
IMPORTANT: These rights refer to domain access and work with the existing GPOADmin delegated user rights that are in place; they do not replace them.
To manage the security on a domain
1
Expand the Live Environment, right-click the required domain, and select Properties.
2
Add and remove the user or groups that you want to apply the restrictions to.
3
Select to allow (or remove previously applied) rights and click Apply.
Table 8. Available rights
Right
Description

Read

A base right that you must apply as it is used with other rights.

This right works with, but does not replace, the delegated custom user Read right that controls whether users and groups can see a version control container’s contents.

Register

Apply this right to users and groups that are assigned the Domain Read right to allow them to register/unregister objects from the selected domain.

This right works with, but does not replace, the delegated custom user Register and Unregister rights that controls whether a user can register objects into a specific version control container or unregister objects.

Create Group Policy Objects

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Group Policy Objects in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create WMI Filters

Apply this right to users and groups that are assigned the Domain Read right to enable them to create WMI Filters in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Scripts (Logon/Logoff Startup/Shutdown)

 

Apply this right to users and groups that are assigned the Domain Read right to enable them to create a script in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Desired State Configuration Scripts

Apply this right to users and groups that are assigned the Domain Read right to enable them to create Desired State Configuration scripts in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Report

Apply this right to users and groups that are assigned the Domain Read right to enable them to report on objects within the selected domain.

Once applied, they will only see the "Live" report option for objects which exist in the associated domain and only the domains for which the user has this right is displayed in the report wizard.

This right works with, but does not replace, the delegated custom user Run Reports right that controls whether a user can run the “New Report” wizard, and the Run Contextual Reports right which controls whether a user can run the “Live”, “Working Copy”, “Latest”, and “Difference” from the context menu.

Create Starter GPO

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Starter GPOsin the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Configuring role-based delegation

* 
NOTE:  
The predefined roles cannot be altered.
You must perform all role-related tasks in the GPOADmin console.
When using the Link right, you must have Link right on the GPO and the SOM.

GPOADmin Administrators can create custom roles that can be applied to specific users to allow them to perform certain functions within the Version Control system. For more information about users with permissions to create roles see Configuring the Version Control server .

When building custom roles, keep in mind the rights must also have the dependent permissions assigned.

Table 9. Right dependencies
Right
Dependencies

Block Inheritance for SOM links

Read and Edit

Block Notification Inheritance

Read

Cloak / Uncloak

Read

Compliance Action

Read

Create

Read and Edit

Delegate Security

Read

Delete

Read

Delete links outside of workflow

Read, Edit, Link and Deploy (User must be the sole approver on linked Scopes of Management)

Deploy

Read

Edit

Read

Edit Linage

Read

Enable/Disable Approvals

Read

Enable / Disable Workflow

Read

Export

Read

Label

Read

Link

Read and Edit (For managed Scopes of Management)

Lock / Unlock

Read

Modify Approval Workflow

Read

Modify Keywords

Read

Modify Change Window

Read

Modify Managed By

Read

Modify System-Provided Security Right

Read, Edit and Modify Security Filter

Modify Security Filter

Read and Edit

Move

Read

Read

None

Register

Read

Run Contextual Reports

Read

Run Reports

Read

Set Notifications

Read

Set Remediation Rules

Read

Synchronize

Read

Undo Check-out

Read

Unregister

Read

Unregister and Remove History

Read

View Cloaked

Read

Create Subcontainers

Read

Delegate Container Security

Read

Delete Container

Read

Rename Container

Read

Block Protected Settings Inheritance

Read and Modify Protected Settings Assignments

Export Group Policy Objects as Protected Settings Policies

Read and Register (On the target Protected Settings Container)

Modify Protected Settings

Read

Modify Protected Settings Assignments

Read

Modify Protected Settings Exclusions

Read

Modify Intune Configuration Profile Assignments

Read

See also:
Creating roles
Editing roles
Delegating roles

 

Table 10. Roles and rights
Role
Rights included in the role

System Administrator

System Administrators can perform any action in the Version Control system.

Version Controlled Object Rights include:
Block Inheritance for SoM links
Block Notification Inheritance
Cloak/Uncloak
Compliance Action
Create
Delegate Security
Delete
Delete links outside of workflow
Deploy
Edit
Edit Lineage
Enable/Disable Workflow
Export
Label
Link
Lock/Unlock
Modify Approval Workflow
Modify Change Window
Modify Keywords
Modify Managed By
Modify System-Provided Security Right
Modify Security Filter
Move
Read
Register
Run Contextual Reports
Run Reports
Set Remediation Rules
Set Notifications
Synchronize
Undo Check-out
Unregister
Unregister and Remove History
View Cloaked

 

 

Role
Rights included in the role

System Administrator (continued)

Version Control Container Rights include:
Create Subcontainers
Delegate Container Security
Delete Container
Rename Container

Protected Settings Rights include:
Block Protected Settings Inheritance
Export Group Policy Objects as Protected Settings Policies
Modify Protected Settings
Modify Protected Settings Assignments
Modify Protected Settings Exclusions

Moderator

Moderator (Moderators can perform every action a user can, plus undoing check outs from other users and running the compliance wizard.) They can also:
Create
Delete
Edit
Export
Label
Read
Run Contextual Reports
Run Reports
Undo Check Out

User

User (Users can perform all the basic actions of the Version Control system, such as check in, check out, edit.) They can also:
Create
Delete
Edit
Export
Label
Read
Run Contextual Reports
Run Reports
Set Notifications

Creating roles

You can easily create roles with any of the customized rights.

To create a role
* 
NOTE: You must use the GPOADmin console to create roles, not the GPMC Extension.
1
Right-click the forest, and select Options.
2
Select Delegation | Roles.
3
Click Add New Role.
4
Enter a name and description for the role, and click Next.
You can create a role that is based on an existing role. (To see which rights are assigned to a particular role, hover the cursor over it.)
5
Select the role or roles you want to copy and click Next.
If you want to create the role from scratch, do not select an existing role before clicking Next.
6
Select the rights that you want included in the role, and click Finish.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating