Introducing Quest GPOADmin
Configuring GPOADmin
Configuring the Version Control server
Setting permissions on AD LDS
Setting permissions when using SQL as the configuration store
Port requirements
Editing the Version Control server properties
Editing the Version Control server configuration store
Replacing the Version Control server configuration settings
Migrating from AD/AD LDS to a SQL configuration store
Changing the Service Account
Root container assignment
Restricting GPO management for specific domains
Configuring role-based delegation
Restricting access to objects
Adding notifications for users
Selecting events on which to be notified
Restricting inheritance on notifications
Creating email templates
Working with Protected Settings policies
Using GPOADmin
Rights and role for Protected Settings for GPOs
Create a Protected Settings policy
Protecting policy settings based on extensions
Generating Protected Settings policies reports
Using Protected Settings policies
Checking a GPO against a Protected Settings policies and blocked extensions
Validating a GPO against a Protected Settings policies and blocked extensions before a check-in
Connecting to the Version Control system
Navigating the GPOADmin console
Search folders
Accessing the GPMC extension
Configuring user preferences
Working with the live environment
Working with controlled objects (version control root)
Creating Reports
Creating a custom container hierarchy
Selecting security, levels of approval, and notification options
Viewing the differences between objects
Copying/pasting objects
Proposing the creation of controlled objects
Checking compliance
Editing objects
Creating Group Policy Objects (GPOs)
Creating starter GPOs
Creating WMI filters
Creating scripts
Creating Desired State Configuration (DSC) PowerShell scripts
Merging GPOs
Restoring an object to a previous version
Restoring links to a previous version
Managing your links with search and replace
Linking GPOs to multiple Scopes of Management
Managing compliance issues automatically with remediation rules
Validating GPOs
Managing GPO revisions with lineage
Setting when users can modify objects
Working with registered objects
Creating labels
Cloaking a GPO
Locking a GPO
Establishing Management for an Object
Viewing history
Deleting version history
Clearing account names in version history
Viewing and editing object properties
Applying keywords on containers
Creating a report
Working with available objects
Enabling/disabling workflow
Checking out objects
Requesting the deletion of an object
Unregistering GPOs and removing history
Requesting approval
Working with checked out objects
Working with objects pending approval and deployment
Editing GPOs
Editing Intune objects (configuration profiles and compliance policies)
Editing WMI filters
Editing scripts
Linking GPOs
Synchronizing GPOs
Exporting and importing
Available reports
Appendix: Windows PowerShell Commands
Controlled object reports
Creating RSoP validation reports
Exporting registry settings
Working with report folders
Settings Report
Difference Report
Group Policy Comparison Report
History Report
Group Policy Object Settings Search Report
User Activity Report
Role Assignment Report
All Actions Report
Compliance Report
Change Auditor Report
Change Auditor Working Copies Report
Deployment Report
Protected Settings Assignment Report
Creating Controlled Object Reports
Diagnostic and troubleshooting reports
Group Policy Object Consistency Report
Software Installation Package Report
Linked/Unlinked Report
Linked/Unlinked SOMs Report
Inactive Policy Settings Report
Group Policy Object Security Report
Policy Analysis Report
GPO Synchronization Report
Group Policy Results
Group Policy Results Difference Report
Group Policy Modeling Report
Creating Diagnostic and Troubleshooting Reports
Live, working copy, latest version, and differences reports
Historical Settings Reports
Introduction
GPOADmin scripts
Available commands
Using the GPOADmin PowerShell commands (Examples)
Appendix: GPOADmin Event Log
Appendix: GPOADmin Backup and Recovery Procedures
Appendix: Customizing your workflow
Loading the GPOADmin modules
Extracting help for GPOADmin commands
Managing objects
Get information on all GPOs
Get information for all managed objects
Get unregistered objects
Register an object
Check out an object
Check in an object
Undo the check out of an object
Request approval for changes
Withdraw an approval request
Approve changes
Reject changes
Withdraw approval on an object
Deploy an object
Deploy an object at a future time and date
Check for pending deployments
Cancel pending deployment
Gathering object and GPOADmin information
Identify which objects are checked out
Identify which objects are checked out to me
What are the properties of an object
What objects are available
What objects are checked out
Utility commands
Gather GPOADmin license information
Install a GPOADmin license
Get logging options
Set logging options
Get notifications
Set notifications on objects
Administrative commands
Approval workflow information
Set the approval workflow
Identify user accounts
Identify user roles
Modify a role
Add a role
Get an object's security
Set an object's security
Overwrite a GPOs security filter
Protected Settings commands
What is a custom workflow action?
Working with custom workflow actions in the Version Control system
Working with the custom workflow actions xml file
Troubleshooting custom workflow actions
Appendix: GPOADmin Silent Installation Commands
Installing GPOADmin with msiexec.exe
Appendix: Configuring Gmail for Notifications
Appendix: Registering GPOADmin for Office 365 Exchange Online
Appendix: GPOADmin with SQL Replication
About Us
All components (Complete GPOADmin installation)
Client and components
Server and client
Client only
Client and PowerShell provider (Client Only button on Installation dialog)
PowerShell provider only
Watcher Service
Watcher Service on localhost
Watcher Service on another computer
Watcher Service and GPMC Extension on another computer
Watcher Service and Client only on another computer
Watcher Service, Client, and GPMC Extension on another computer
GPMC Extension
Linking GPOs
Once GPOs have been created and configured, they must be linked to the appropriate sites, domain, or OU. Before you can link a GPO, you must register and check out the site, domain, or OU. For information on registering Scopes of Management, see Registering objects .
Users with the Link right can link a single GPO with numerous sites, domains, or OUs and link multiple GPOs to a site, domain, or OU. (For more information on setting permissions, see Configuring role-based delegation.)
By default, GPOs affect all users and computers contained within a linked site, domain, or OU. To refine the application of a GPO, see Editing GPOs .
|
2 |
Click New Link to add another GPO. |
|
4 |
Enable Block Inheritance if required. |
|
5 |
Click OK. |
|
2 |
|
3 |
In the right pane, ensure that the Add check box is selected for the GPOs you want to link. |
|
5 |
Click OK. |
You can also rollback pre-existing links between GPOs and sites, domains, and OUs when restoring GPOs. For information, see Restoring links to a previous version and Checking compliance .
Synchronizing GPOs
Enabling synchronization
The ability to synchronize GPOs requires that:
|
1 |
Right-click the forest and select Options. |
|
2 |
Select Options| General. |
|
3 |
Select Enable Group Policy Object Synchronization. |
|
4 |
Click OK. |
Working with GPO synchronizations
Keep the following in mind when working with synchronizations:
|
• |
|
1 |
In the Version Control Root, right-click the source GPO, and select Synchronize | Set Synchronization Targets. |
|
2 |
If required, select Add Servers to include other servers that contain the GPOs that you want to target. Select the server and click Connect. Enter the required credentials and click OK. |
|
3 |
Select the required GPOs and choose Synchronization | Add Synchronization Target to select the required target GPOs. The list of all available GPOs will display. |
|
5 |
If required, we provide the option to setup a migration table by selecting the target and choosing Synchronization | Select Migration Table. From here, you can add (or remove), create, modify the migration tables that are going to be used during the synchronization using the Microsoft Migration Table Editor. |
|
6 |
Select the target and choose Synchronization to set the synchronization options. You can choose between the following: |
|
• |
Clear Migration table: Clear the tables when no longer required. |
|
• |
Use Migration Table Exclusively: If enabled, the migration (import operation) will not proceed if any settings security principals or UNC paths configured within the source GPO do not exist in the migration table. |
|
• |
Migrate Security Filters: Migrates any security principals from the security filter that are found in the migration table. |
|
• |
Target State: Select the state that you want the target to be in after the synchronization completes. You can choose between Available, Checked Out, Pending Approval, or Deployed. The default is Checked Out. |
|
• |
Synchronize Deletions: Select to enable this option, if you want any deleted source GPOs to also be deleted in the target. |
|
• |
Set target WMI Filters: Select this option to synchronize WMI filters between domains. You can choose between the following options: |
|
• |
None: When you select this option, the WMI filter in the target GPO will not be updated. Use this option to disable previously set WMI Filter synchronizations. |
|
• |
Auto-map By Name: When you select this option, if a WMI Filter in the target domain is found with the same name as the WMI Filter linked to the source GPO, it is assigned to the target GPO. |
|
• |
Select WMI Filter: This opens a browser that lists all of the WMI Filters in the target domain where the connected account has access. From this list, select the WMI Filter to assign to the target GPO. |
|
7 |
Once you have your targets set, it is recommended to validate the synchronization targets by selecting the target GPO and clicking Tools | Validate Synchronization Targets. |
|
1 |
If you select to Cancel the editor, the warning will not persist. |
|
2 |
If you select OK, the warning will remain to alert you that the issues must be addressed. When ready to address the issue, simply select the Correct button at the top of the dialog or right-click and select Correct. |
|
1 |
In the Version Control Root, select the source GPO, and choose Synchronization | Set Synchronization Targets. |
|
2 |
Select any one of the target GPOs, choose Tools | Update Credentials, and enter the new credentials. |
|
1 |
Right-click the source GPO and choose Synchronization | Synchronize Now. |
|
2 |
|
NOTE: If the synchronization fails, you can view the error by hovering over the faulted item. You can retry by selecting the Synchronize button again. |
|
3 |
If required, you can select Export to export the data to a .csv file. |
|
1 |
Right-click a GPO that has synchronization targets set and select Synchronize | Validate Synchronization Results. |
Right-click a GPO that has synchronization targets set and select Synchronize | Set Synchronization Targets. Then select one or more synchronization targets and choose Validate Synchronization Results.
|
• |
In the Version Control Root, select the source GPO, and choose Synchronization | Validate Synchronization Results. |
|
1 |
In the Version Control Root, select the source GPO, and choose Synchronization | Validate Synchronization Results. |
|
2 |
Select one or more of the existing targets, and choose Tools| Validate Synchronize Results. |
|
1 |
In the Version Control Root, select the source GPO, and choose Synchronization | Set Synchronization Targets. |
|
2 |
Select one or more of the existing targets, and choose Synchronization | Synchronize Now. |