
GPOADmin 5.17 - Quick Start Guide

Quest GPOADmin Quick Start Guide

About this guide

This document has been prepared to assist you in becoming familiar with Quest GPOADmin. The Quick Start Guide contains information required to install and use GPOADmin and is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Product overview

Security issues are becoming paramount within organizations. Within Active Directory, Group Policy Objects (GPOs) are at the forefront of an organization's ability to roll out functional security. Core aspects such as password policies, logon hours, software distribution, and other crucial security settings are handled through GPOs. Organizations need methods to control the settings of these GPOs and to deploy GPOs in a meaningful and safe manner with confidence. Since GPOs are so important to the proper operation of Active Directory, organizations also need methods to restore GPOs when they are either incorrectly updated or corrupt.

Windows Group Policy is powerful but difficult to manage. Uncontrolled changes can have disastrous consequences. For example, unplanned effects of a GPO change could prohibit hundreds of users from logging on, exclude access to critical software applications, or expose system settings. The Group Policy Management Console (GPMC) from Microsoft is a useful tool for the individual administrator, but additional functionality—such as GPO check in/check out, change control, and rollback—is needed to effectively manage GPOs across the enterprise.

GPOADmin offers a mechanism to control this highly important component of Active Directory. GPOs, Scope of Management links, and WMI filters are backed up in a secure, distributed manner and then placed under version control. When changes are made, a backup of the object is created. Changes are then managed from the Version Control system, and approval for change is required. GPOADmin also offers two methods of ensuring GPO consistency. The stored object can be retrieved if the current object in the directory is not valid for any reason. This means that objects become managed and deployed with a sense of security. If issues do arise, the recovery time between discovering an issue and resolving it is reduced by restoring a previous version of the object.

GPOADmin:

GPOADmin architecture

GPOADmin is a directory-enabled application, and all of its configuration information is stored in the configuration container of either Active Directory Domain Services (ADDS) or Active Directory Lightweight Directory Services (AD/LDS).

Active Directory deployments

For all Active Directory deployments, the application information along with the GPOADmin Version Control System is stored in the configuration container of Active Directory in the following location:


If you drill down into the GPOADmin container, you will find the following directories:


Since this information is stored in the configuration container of Active Directory, it is replicated to all other DCs within your forest. However, the primary version control server is unique and the authoritative source for all version control actions. The primary version control server role is normally held by the DC specified during the initial run of the Server Configuration wizard shortly after the GPOADmin server and service have been installed.

Active Directory Lightweight Directory Services (AD/LDS) deployments

For all AD LDS deployments, the application information, along with the GPOADmin Version Control system, follows the same format as the Active Directory deployment, with the exception that the application information and Version Control system are stored in the configuration of the AD LDS instance. Unlike the configuration container in Active Directory, this information is not replicated to other AD LDS servers unless replication is set up manually.

SQL storage

During configuration of the Version Control server, you can choose to store GPOADmin data in a SQL database. If you select this option, the data can be found in the following tables:



Contains access control list information when cloaking or locking GPOs.


Contains approval workflow information.


Contains backup information such as date, location, and storage type.


Contains custom search folder information.


Contains registered domain names, their Id, and whether or not they are visible in the live environment.


Contains a mapping of which rights a user has for a registered domain.


Contains a mapping of which attachments are to be included with which email template for a given notification type.


Contains email template information.


Contains custom email template subject line information.


Contains Exchange settings.


Contains Gmail settings.


Contains a mapping of GPO lineage for a given registered GPO, when the lineage was assigned, and by whom.


Contains a mapping of GPO links between the GPO and the SOM.


Contains a historical list of actions for any registered object or container.


Contains a mapping of keywords to registered objects.


Contains a list of trustees who have access to the live environment.


Contains a list of all keywords.


Contains a mapping of which notifications are enabled for a given user on a given registered object or container.


Contains registered object information.


Contains a mapping of which protected settings policies are assigned to a specific container.


Contains a list of policies that are excluded from verification of a given protected settings policy.


Contains remediation information for a given registered object or container.


Contains default and custom role information.


Contains a mapping between a trustee and their root container assignment.


Contains a list of all scheduled deployment tasks.


Contains a list of GPOADmin permissions assignments for a given registered object or container.


Contains a list of GPOADmin service host names and UIDs.


Contains the list of service options and their current values.


Contains the list of GPO links for a given SOM.


Contains a list of the results for a given GPO synchronization.


Contains a mapping between a source GPO and its synchronization targets.


Contains a list of trustees who have been granted access to GPOADmin as either a user or administrator.


Contains a mapping of child and parent version control containers.


Contains a temporary list of newly created or registered items for the watcher service to monitor.


Contains a mapping between a registered object and its working copy.





The client/server architecture facilitates granular security and delegation. GPOADmin runs under the security context of a privileged service account that must have full access to GPOs in the managed forest.
Clients can connect to any deployed server within any Active Directory forest.
GPOADmin maintains a most recently used (MRU) list of servers to which the users have previously connected to facilitate quick subsequent server connections.
