Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

GPOADmin 5.17 - User Guide

Table of Contents

Introducing Quest GPOADmin

GPOADmin features

Client/server architecture Multiforest support Group Policy Management Console extension Version control Change approval process Role-based delegation Notification system GPO ACL editor Reporting options Customized views Offline GPO testing Custom workflow actions

Configuring GPOADmin

Configuring the Version Control server Setting permissions on AD LDS Setting permissions when using SQL as the configuration store Port requirements Editing the Version Control server properties Editing the Version Control server configuration store Replacing the Version Control server configuration settings Migrating from AD/AD LDS to a SQL configuration store Changing the Service Account Root container assignment Restricting GPO management for specific domains Configuring role-based delegation

Creating roles Editing roles Delegating roles

Restricting access to objects Adding notifications for users Selecting events on which to be notified Restricting inheritance on notifications Creating email templates Working with Protected Settings policies

Rights and role for Protected Settings for GPOs Create a Protected Settings policy Protecting policy settings based on extensions Generating Protected Settings policies reports Using Protected Settings policies Checking a GPO against a Protected Settings policies and blocked extensions Validating a GPO against a Protected Settings policies and blocked extensions before a check-in

Connecting to the Version Control system

Restricting search scope Working with multiple connections Version Control data in the directory

Navigating the GPOADmin console Search folders

Creating custom search folders

Accessing the GPMC extension Configuring user preferences Working with the live environment

Registering objects Registered status Removing registered objects Viewing the live environment

Working with controlled objects (version control root)

Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects

Creating Group Policy Objects (GPOs) Creating starter GPOs Creating WMI filters Creating scripts Creating Desired State Configuration (DSC) PowerShell scripts

Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects

Creating labels Cloaking a GPO Locking a GPO Establishing Management for an Object Viewing history Deleting version history Clearing account names in version history Viewing and editing object properties Applying keywords on containers Creating a report

Working with available objects

Enabling/disabling workflow Checking out objects Requesting the deletion of an object Unregistering GPOs and removing history Requesting approval

Working with checked out objects

Undoing a check out Checking in controlled objects

Working with objects pending approval and deployment

Withdrawing an approval request Enhanced workflow approval Changing the approval workflow Withdrawing approval Approving and rejecting edits Deploying objects (scheduling and associated items)

Checking compliance Editing objects

Removing persistent registry settings

Editing Intune objects (configuration profiles and compliance policies) Editing WMI filters Editing scripts Linking GPOs

Synchronizing GPOs

Enabling synchronization Working with GPO synchronizations Generating Synchronized GPO report

Exporting and importing

Export objects Exporting GPO registry settings as a Desired State Configuration resource file Import objects

Creating Reports

Available reports

Controlled object reports

Settings Report Difference Report Group Policy Comparison Report History Report Group Policy Object Settings Search Report User Activity Report Role Assignment Report All Actions Report Compliance Report Change Auditor Report Change Auditor Working Copies Report Deployment Report Protected Settings Assignment Report Creating Controlled Object Reports

Diagnostic and troubleshooting reports

Group Policy Object Consistency Report Software Installation Package Report Linked/Unlinked Report Linked/Unlinked SOMs Report Inactive Policy Settings Report Group Policy Object Security Report Policy Analysis Report GPO Synchronization Report Group Policy Results Group Policy Results Difference Report Group Policy Modeling Report Creating Diagnostic and Troubleshooting Reports

Live, working copy, latest version, and differences reports

Creating live, working copy, latest version, and differences reports

Historical Settings Reports

Creating historical settings reports

Creating RSoP validation reports Exporting registry settings Working with report folders

Managing report folders

Appendix: Windows PowerShell Commands

Introduction GPOADmin scripts Available commands

GPOADmin PowerShell provider extensions

Using the GPOADmin PowerShell commands (Examples)

Loading the GPOADmin modules Extracting help for GPOADmin commands Managing objects

Get information on all GPOs Get information for all managed objects Get unregistered objects Register an object Check out an object Check in an object Undo the check out of an object Request approval for changes Withdraw an approval request Approve changes Reject changes Withdraw approval on an object Deploy an object Deploy an object at a future time and date Check for pending deployments Cancel pending deployment

Gathering object and GPOADmin information

Identify which objects are checked out Identify which objects are checked out to me What are the properties of an object What objects are available What objects are checked out

Utility commands

Gather GPOADmin license information Install a GPOADmin license Get logging options Set logging options Get notifications Set notifications on objects

Administrative commands

Approval workflow information Set the approval workflow Identify user accounts Identify user roles Modify a role Add a role Get an object's security Set an object's security Overwrite a GPOs security filter

Protected Settings commands

Gather Protected Settings information Enable and disable Protected Settings Get a list of Protected Settings Add Protected Settings

Appendix: GPOADmin Event Log

What is the GPOADmin event log? Interpreting the GPOADmin event log

Example GPOADmin events

Appendix: GPOADmin Backup and Recovery Procedures

GPOADmin Backup Requirements Restoring GPOADmin

Appendix: Customizing your workflow

What is a custom workflow action? Working with custom workflow actions in the Version Control system Working with the custom workflow actions xml file

Actions Predefined Tags Conditions Example of a complete pre-action

Troubleshooting custom workflow actions

Appendix: GPOADmin Silent Installation Commands

Installing GPOADmin with msiexec.exe

All components (Complete GPOADmin installation) Client and components

Server and client Client only Client and PowerShell provider (Client Only button on Installation dialog) PowerShell provider only

Watcher Service

Watcher Service on localhost Watcher Service on another computer Watcher Service and GPMC Extension on another computer Watcher Service and Client only on another computer Watcher Service, Client, and GPMC Extension on another computer

GPMC Extension on a localhost GPMC Extension on another computer

Appendix: Configuring Gmail for Notifications

Using Gmail for Workflow Approvals Creating a Gmail Credentials File

Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Cloaking a GPO

Cloaking allows you to hide Group Policy Objects (GPOs) from other users. The Cloaking role is not a default role installed with the product, and must be created with the Cloak/Uncloak and View Cloaked rights. By default, Domain Administrators can see all cloaked GPOs.

When a GPO is cloaked using GPOADmin, it is also cloaked in the live environment. Only users with the Cloak/Uncloak or View Cloaked right can see the GPO in the live environment. A cloaked GPO will only be applied to users who have the Cloak/Uncloak or View Cloaked right during group policy processing. All other users will no longer have the GPO applied.

Cloaked GPOs are indicated by a lighter GPO icon.


	NOTE: Only GPOs can be cloaked. (You cannot cloak WMI Filters or Scopes of Management).

To cloak a GPO using the GPOADmin console

1

Select the GPO you want to cloak from the list of GPOs within the Version Control Root node.

2

Right-click and select Cloak.

Cloaked GPOs are displayed in the Cloaked search folder. Enter a comment and click OK.


	NOTE: Users can also have the View Cloaked right only. This means that they can see cloaked GPOs but do not have permission to "uncloak" them. Cloaked GPOs can be viewed in the Search Folders in the GPOADmin console.

To cloak a GPO using the GPMC Extension

1

Select the GPO you want to cloak from the list of GPOs and click Cloak.

2

Enter a comment and click OK.

Locking a GPO

Locking allows you to lock a policy so other users cannot edit it. The Locking role has to be created and consists of the Lock/Unlock right. For example, you may choose to lock the Default Domain Policy and/or Default Domain Controller Policy as any modification to these settings would affect every GPO in the organization.

When a GPO is locked using GPOADmin, it is also locked in the live environment. All users can see the GPO, but no one can edit it.

By default, Domain Administrators can see all locked GPOs and unlock any locked GPO. Locked GPOs are indicated by a lock icon.


	NOTE: Only GPOs can be locked. (You cannot lock WMI Filters or Scopes of Management).

To lock a GPO using the GPOADmin console

1

Select the GPO you want to lock from the list of GPOs within the Version Control Root node.

2

Right-click and select Lock.

Locked GPOs are displayed in the Locked search folder.


	NOTE: When a user with the right to lock GPOs connects to the GPOADmin console, they will see all locked GPOs. A Locked GPO must be unlocked before any actions can be performed (even if you are a system administrator.) Locked GPOs can be viewed in the Search Folders in the GPOADmin console.

3

Enter a comment and click OK.

To lock a GPO using the GPMC Extension

1

Select the GPO you want to lock from the list of GPOs and click Lock.

2

Enter a comment and click OK.

Establishing Management for an Object

If you have the Modify Managed By right, you can set the user responsible for an object’s management.


	NOTE: The Managed By property is a textual field which can be used to sort objects by and as no affect on the objects security.

To set or change the user responsible for an object’s management

1

Expand the Version Control Root node, and select an object.

2

Right-click and select Managed By.

3

Enter or browse for the required account and click OK.

You can also assign management on a container by right-clicking on it an selecting Properties and selecting the required account.


	NOTE: Any child containers or objects below this container that do not have a managed assigned to them will automatically use this one.

Viewing history

Viewing history

You can easily create a report that displays the historical settings for objects in the Version Control system or a comparison of versions. When you view the history in the GPMC Extension, all events are shown. The GPOADmin console has a filter option that you can use to choose which events to display.

To view the history using the GPOADmin console

1

Expand the Version Control Root node, and the required container.

2

Right-click an object and select Show History.

3

Select a version in the list.

4

Select which, if any, filtering options you would like to apply, then right-click, and select View to view the historical information.

5

To view the difference between various check ins, select the required versions, right-click and select Differences.

6

Click Print to print the report.

Click Save As to save the report in HTML.

7

Click Close.


	NOTE: You can also restore links between a GPO and its Scopes of Management from the history view. For more information, see Restoring links to a previous version .

To view the history using the GPMC Extension

1

Select the GPO and click Show History.

The history displays in the bottom pane of the GPO Management tab. You will see the name, version, action, account, date and comment pertaining to the history item.

2

To view the difference between various check ins, select the required versions, right-click and select Differences.

3

Click Print to print the report.

Click Save As to save the report in HTML.

4

Click Close.

For more information on the available reports, see Creating Reports .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center