Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

GPOADmin 5.17 - User Guide

Table of Contents

Introducing Quest GPOADmin

GPOADmin features

Client/server architecture Multiforest support Group Policy Management Console extension Version control Change approval process Role-based delegation Notification system GPO ACL editor Reporting options Customized views Offline GPO testing Custom workflow actions

Configuring GPOADmin

Configuring the Version Control server Setting permissions on AD LDS Setting permissions when using SQL as the configuration store Port requirements Editing the Version Control server properties Editing the Version Control server configuration store Replacing the Version Control server configuration settings Migrating from AD/AD LDS to a SQL configuration store Changing the Service Account Root container assignment Restricting GPO management for specific domains Configuring role-based delegation

Creating roles Editing roles Delegating roles

Restricting access to objects Adding notifications for users Selecting events on which to be notified Restricting inheritance on notifications Creating email templates Working with Protected Settings policies

Rights and role for Protected Settings for GPOs Create a Protected Settings policy Protecting policy settings based on extensions Generating Protected Settings policies reports Using Protected Settings policies Checking a GPO against a Protected Settings policies and blocked extensions Validating a GPO against a Protected Settings policies and blocked extensions before a check-in

Connecting to the Version Control system

Restricting search scope Working with multiple connections Version Control data in the directory

Navigating the GPOADmin console Search folders

Creating custom search folders

Accessing the GPMC extension Configuring user preferences Working with the live environment

Registering objects Registered status Removing registered objects Viewing the live environment

Working with controlled objects (version control root)

Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects

Creating Group Policy Objects (GPOs) Creating starter GPOs Creating WMI filters Creating scripts Creating Desired State Configuration (DSC) PowerShell scripts

Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects

Creating labels Cloaking a GPO Locking a GPO Establishing Management for an Object Viewing history Deleting version history Clearing account names in version history Viewing and editing object properties Applying keywords on containers Creating a report

Working with available objects

Enabling/disabling workflow Checking out objects Requesting the deletion of an object Unregistering GPOs and removing history Requesting approval

Working with checked out objects

Undoing a check out Checking in controlled objects

Working with objects pending approval and deployment

Withdrawing an approval request Enhanced workflow approval Changing the approval workflow Withdrawing approval Approving and rejecting edits Deploying objects (scheduling and associated items)

Checking compliance Editing objects

Removing persistent registry settings

Editing Intune objects (configuration profiles and compliance policies) Editing WMI filters Editing scripts Linking GPOs

Synchronizing GPOs

Enabling synchronization Working with GPO synchronizations Generating Synchronized GPO report

Exporting and importing

Export objects Exporting GPO registry settings as a Desired State Configuration resource file Import objects

Creating Reports

Available reports

Controlled object reports

Settings Report Difference Report Group Policy Comparison Report History Report Group Policy Object Settings Search Report User Activity Report Role Assignment Report All Actions Report Compliance Report Change Auditor Report Change Auditor Working Copies Report Deployment Report Protected Settings Assignment Report Creating Controlled Object Reports

Diagnostic and troubleshooting reports

Group Policy Object Consistency Report Software Installation Package Report Linked/Unlinked Report Linked/Unlinked SOMs Report Inactive Policy Settings Report Group Policy Object Security Report Policy Analysis Report GPO Synchronization Report Group Policy Results Group Policy Results Difference Report Group Policy Modeling Report Creating Diagnostic and Troubleshooting Reports

Live, working copy, latest version, and differences reports

Creating live, working copy, latest version, and differences reports

Historical Settings Reports

Creating historical settings reports

Creating RSoP validation reports Exporting registry settings Working with report folders

Managing report folders

Appendix: Windows PowerShell Commands

Introduction GPOADmin scripts Available commands

GPOADmin PowerShell provider extensions

Using the GPOADmin PowerShell commands (Examples)

Loading the GPOADmin modules Extracting help for GPOADmin commands Managing objects

Get information on all GPOs Get information for all managed objects Get unregistered objects Register an object Check out an object Check in an object Undo the check out of an object Request approval for changes Withdraw an approval request Approve changes Reject changes Withdraw approval on an object Deploy an object Deploy an object at a future time and date Check for pending deployments Cancel pending deployment

Gathering object and GPOADmin information

Identify which objects are checked out Identify which objects are checked out to me What are the properties of an object What objects are available What objects are checked out

Utility commands

Gather GPOADmin license information Install a GPOADmin license Get logging options Set logging options Get notifications Set notifications on objects

Administrative commands

Approval workflow information Set the approval workflow Identify user accounts Identify user roles Modify a role Add a role Get an object's security Set an object's security Overwrite a GPOs security filter

Protected Settings commands

Gather Protected Settings information Enable and disable Protected Settings Get a list of Protected Settings Add Protected Settings

Appendix: GPOADmin Event Log

What is the GPOADmin event log? Interpreting the GPOADmin event log

Example GPOADmin events

Appendix: GPOADmin Backup and Recovery Procedures

GPOADmin Backup Requirements Restoring GPOADmin

Appendix: Customizing your workflow

What is a custom workflow action? Working with custom workflow actions in the Version Control system Working with the custom workflow actions xml file

Actions Predefined Tags Conditions Example of a complete pre-action

Troubleshooting custom workflow actions

Appendix: GPOADmin Silent Installation Commands

Installing GPOADmin with msiexec.exe

All components (Complete GPOADmin installation) Client and components

Server and client Client only Client and PowerShell provider (Client Only button on Installation dialog) PowerShell provider only

Watcher Service

Watcher Service on localhost Watcher Service on another computer Watcher Service and GPMC Extension on another computer Watcher Service and Client only on another computer Watcher Service, Client, and GPMC Extension on another computer

GPMC Extension on a localhost GPMC Extension on another computer

Appendix: Configuring Gmail for Notifications

Using Gmail for Workflow Approvals Creating a Gmail Credentials File

Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Rights and role for Protected Settings for GPOs

The Protected Settings for GPOs requires the following rights to control the actions of the Protected Settings tab on containers and provide the ability to export GPOs to create protected settings:

•

Block Protected Settings Inheritance

•

Export Group Policy Objects as Protected Settings Policies

•

Modify Protected Settings Assignments

•

Modify Protected Settings Exclusions


	NOTE: These rights are not available until the Protected Settings for Group Policy Objects is enabled through the server properties. See Working with Protected Settings policies .

These rights are automatically assigned to the System Administrator role when Protected Settings are enabled. No other roles, built in or otherwise, are given the Protected Settings rights. They must be assigned.


	IMPORTANT: Built-in roles cannot be modified, so if users require these rights then a new role must be created.

To create and assign the required role to the user responsible for managing containers and controlling the settings on the Protected Settings tab for containers

1

Create a role called Prot_All and assign rights listed above and the Read right to this role. No other rights are required for this role.

2

Right-click the Protected Setting container, and select the Security tab. Click Add and add the user who is going to manage the container. Give them the Prot_All role. Do not give them any other roles to the Protected Settings container. Select OK to apply the security changes.

3

Right-click the container that the user is to manage, and select Properties.

4

Select the Security tab, and click Add to add the user account. Give them the User (built-in) and the Prot_All roles. Click Apply and OK.

The user account now has the necessary rights to make all the required changes to the container.

To review why the above roles were created and assigned consider the following:

•

The Prot_All role gives the user the necessary rights to perform any of the Protected Settings functions and because they have the Read right, the user can see what is in the Protected Settings container but cannot change or add anything to the container. The ability to Read is needed so the user can assign a Protected Settings policy to a container or any sub containers being managed.

•

The User role is also given so the user can do the normal actions such as create, check out, edit, and check in a GPO in the container. The role Prot_All has the right, Export Group Policy Objects as Protected Settings policies. The user also needs the Create right which is part of the built-in User role.

Securing protected settings

Protected Settings policies can be further controlled by delegating who has permission to modify protected settings. To secure the protected settings, you can assign a role (that contains the “Modify Protected Settings” right) to a user on the Protected Settings policy. If during the validation process, GPOADmin determines the current user possess this right, the associated Protected Settings policy is excluded from the validation allowing the modification of those protected settings to proceed.

Create a Protected Settings policy

Once the ability to use Protected Settings has been enabled, you can create the policies using one of the following methods:

•

Create a policy directly from the Protected Settings container.

•

Export a GPO to the Protected Settings container.

•

Drag a GPO onto the Protected Settings container.

To create Protected Settings Policy from the Protected Settings container

1

Select the Protected Settings container in the tree view.

2

Right-click and select New | New Protected Settings Policy.

3

Enter a name for the policy. Quest recommends using a naming convention that sets these GPOs apart from other GPOs and make them easily identifiable as protected. For example, PROT_01.

4

Select the domain that the Protected Settings policy will be related to and click Next.

5

In the Settings page, edit the policy and configure the setting you want to protect.


	NOTE: You can elect to configure the settings later.

6

Click Finish.

The policy is identified as a Protected Setting Policy type and has the same icon as the Protected Settings container.

At this point, the Protected Settings policy is checked out and has a version of 0.0.

Protected Settings policies have a modified workflow and therefore require workflow processing such as requesting approval during creation.

To export a GPO to the Protected Settings container

1

In the Version Control Root, right-click the GPO you want to export, and select Protected Settings | Export as Protected Settings.

2

Select the version of the GPO you want to make as a Protected Settings policy, and click Next.

3

Review and confirm the version and GPO to export, and click Finish.

The selected GPO exports and then import into the Protected Settings container.

4

Refresh the Protected Settings container.

The newly imported GPO has the same name as the exported GPO. Best practice is to rename it using a naming convention that identifies it as protected. For example, PROT_01.

To create a Protected Settings policy through drag and drop

1

In the Version Control Root, select the GPO you want to use for a Protected Settings policy.

2

Drag it on the Protected Settings container.

The Export Wizard opens.

3

Select the version of the GPO you want to make as a Protected Settings policy, and click Next.

4

Review and confirm the version and GPO to export, and click Finish.

The selected GPO exports and then import into the Protected Settings container.

5

Refresh the Protected Settings container.

6

The newly imported GPO has the same name as the exported GPO. Best practice is to rename it using a naming convention that identifies it as protected. For example, PROT_01.

Protecting policy settings based on extensions

If required, you can prevent users from editing policy settings based on one or more policy extensions. Once you have selected the extension to block, if a policy contains any settings from the extension, the policy will fail the validation test and will not be checked in.


	NOTE: A blocked extension overrides allowed settings in a Protected Settings policy. NOTE: The Modify Protected Settings right is required to block file extensions using a Protected Settings policy.

Available extensions include:

•

Advanced Audit Configuration

•

Application Control Policies

•

Central Access Policy

•

•

Deployed Printer Connections Policy

•

•

•

•

Environment Variables

•

•

•

Folder Redirection

•

•

•

Internet Explorer Maintenance

•

Internet Settings

•

•

Wired Network Policies

•

Local Users and Groups

•

Name Resolution Policy

•

Network Access Protection Client Management

•

Network Options

•

•

Policy-based QoS

•

•

•

•

Regional Options

•

Administrative Templates

•

Remote Installation

•

Scheduled Tasks

•

•

•

•

•

Software Installation

•

Software Restriction

•

•

Windows Firewall

•

Windows Registry

•

Wireless Network Policies

To block specific extensions

1

Right-click the required object or container and select Properties.

2

Select the Protected Settings tab and the Blocked Extensions tab.

3

Click to select the extensions that you want to block and click Apply.

Generating Protected Settings policies reports

The following reports are available for Protected Settings policies: Latest, Working Copy, and Differences reports.

To generate a report

1

Select the Protected Settings Root container in the tree view.

2

Right-click the Protected Settings Policy, and select Reports.

3

Select the type of report to run.


	NOTE: When a Protected Settings policy is used in GPOADmin, a separate report is generated by the protection process and is generated when the comparison is made between a Protected Settings policy and a GPO.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center