Chat now with support
Chat with Support

GPOADmin 5.17 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting when users can modify objects Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Office 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Offline GPO testing

Using the Export Wizard, you can test GPOs offline before implementing them. For more information, see Exporting and importing .

Custom workflow actions

You can extend GPOADmin’s version control system to incorporate customized actions based on your organizations existing workflow. This allows you to customize and control the deployment of controlled objects (such as GPOs, scripts, DSC scripts, SOMs, and WMI filters) to meet your individual needs. For details, see Appendix: Customizing your workflow .

 

Configuring GPOADmin
Configuring the Version Control server
Setting permissions on AD LDS
Setting permissions when using SQL as the configuration store
Port requirements
Editing the Version Control server properties
Editing the Version Control server configuration store
Replacing the Version Control server configuration settings
Migrating from AD/AD LDS to a SQL configuration store
Changing the Service Account
Root container assignment
Restricting GPO management for specific domains
Configuring role-based delegation
Restricting access to objects
Adding notifications for users
Selecting events on which to be notified
Restricting inheritance on notifications
Creating email templates
Working with Protected Settings policies

Configuring the Version Control server

You must configure the Version Control server the first time that you connect to it.

To configure the Version Control server
* 
NOTE: Configure the server using the GPOADmin console, even if you intend to use the GPMC Extension.
1
Right-click the GPOADmin node and select Connect To.
2
Select the required Version Control server and click Connect to connect with the current logged on user credentials. Alternatively, select the down arrow in the Connect button and select Connect As to enter new credentials (domain\user and password).
3
To save the credentials, select the Remember my password check box and click OK.
For information about saving connections, see Connecting to the Version Control system .
4
In the Select a Configuration Store dialog, select Active Directory, AD LDS, or SQL Server for your configuration storage location.
* 
NOTE: Configuration Store Selection

The best practice is to use AD LDS as the configuration store. However, in large environments, SQL server is the recommended option. Quest uses the following criteria to define large environments:

Domains with more than 500 registered objects that run searches on a regular basis.
More than 500 registered containers.
Containers with objects nested more than 3 levels deep.

These are guidelines and should not be considered as an exhaustive list.

* 
IMPORTANT: Ensure that you are following the minimum permissions detailed in the Quick Start guide. The listed permissions help to secure the database by limiting the access to only the required accounts.
a
If you select Active Directory, select the Domain Controller (DC) to be the Version Control server, and click Next.
Any DC in any domain of the selected forest can be specified as the primary version control server. This server can be thought of as another FSMO role in the Microsoft sense (such as Schema master, PDC Emulator, and RID master).
GPOADmin is a directory-enabled application and all its application information is stored in the configuration container of Active Directory. Because of how the information is stored, all information is automatically replicated to all other DCs. However, the primary version control server is the authoritative source for all version control actions. If it goes offline, users cannot perform actions such as check-in a desired group policy object change until the problem has been rectified.
b
If you select AD LDS, enter the NetBIOS name of the computer you are installing to and the port number in the format: server_name:port, and click Next.
For example, gpoadmin_svr: 389.
* 
NOTE: The username/port/server (but not password) will be cached, so the next time you open the console you will not need to enter this information.
c
If you select SQL Server, choose the required SQL server, enter a name for the database, select the authentication method to access the server, and click Next.
To connect as the current user, select NT Authentication.
To connect using SQL credentials, select SQL Authentication and enter the username and password.
* 
NOTE:  
SQL Server (See the Release Notes for supported versions.)
See Appendix: GPOADmin with SQL Replication to configure database replication for an SQL configuration store.
* 
NOTE: When using SQL replication with a SQL configuration store, objects may be incorrectly flagged as non-compliant. This occurs when SQL replication and Active Directory replication are on different cycles. To resolve this, GPOADmin provides a HashStorageProperties.ini file that allows you to store the comparison hash on the Active Directory object. The file is located in the GPOADmin installation directory and contains the information on the settings to change. Ensure that objects are in the available state prior to changing the values in this file.
SQL Injection inserts malicious code into SQL statements which can lead to security vulnerabilities. To protect your environment from a SQL Injection attack, you can mark SQL statement inputs that are not permitted. See Editing the Version Control server properties. By default, we have marked the following inputs as not permitted. If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities:
Table 2. SQL inputs
Input
Description

:

Denotes the end of a SQL query. Allowing this character can permit malicious queries to be included in user input.

--

All trailing input is interpreted as a comment until the new line character.

/*

The character combination used to denote the start of a block comment. All trailing input is interpreted as a comment until the comment end delimiter.

*/

The character combination used to denote the end of a block comment. Input between the comment start delimiter and the comment end delimiter is interpreted as a comment.

xp_

Extended procedures are routines residing in DLLs that function similarly to regular stored procedures. The extended stored procedure function is run under the security context of Microsoft SQL Server.

\AUX

Generally, the AUX port on a PC is computer port 1 (COM1), which is the first serial port with a preconfigured assignment for serial devices. File paths can be constructed using this input.

\CLOCK$

The system clock. File paths can be constructed using this input.

\COM1

The first Communications port. File paths can be constructed using this input.

\COM2

The second Communications port. File paths can be constructed using this input.

\COM3

The third Communications port. File paths can be constructed using this input.

\COM4

The forth Communications port. File paths can be constructed using this input.

\COM5

The fifth Communications port. File paths can be constructed using this input.

\COM6

The sixth Communications port. File paths can be constructed using this input.

\COM7

The seventh Communications port. File paths can be constructed using this input.

\COM8

The eighth Communications port. File paths can be constructed using this input.

\CON

A common device name for the keyboard and screen. File paths can be constructed using this input.

\CONFIG$

A configuration information file. File paths can be constructed using this input.

\LPT1

The first line print terminal. File paths can be constructed using this input.

\LPT2

The second line print terminal. File paths can be constructed using this input.

\LPT3

The third line print terminal. File paths can be constructed using this input.

\LPT4

The fourth line print terminal. File paths can be constructed using this input.

\LPT5

The fifth line print terminal. File paths can be constructed using this input.

\LPT6

The sixth line print terminal. File paths can be constructed using this input.

\LPT7

The seventh line print terminal. File paths can be constructed using this input.

\LPT8

The eighth line print terminal. File paths can be constructed using this input.

\NUL

The NUL port. File paths can be constructed using this input.

\PRN

The DOS name for the first connected parallel port. File paths can be constructed using this input.

5
In the Select Storage Options dialog, select where you want to store the historical backup information.
Backups can grow to be large. Storing backups in Active Directory may not be the most optimal configuration in some enterprise environments.
You have the option of choosing Configuration store location, AD LDS, SQL Server, or a network share.
* 
TIP: The best practice is to use a network share.
 
Table 3. Storage Options
Option
If you select this option

Active Directory

NOTE: Active Directory is not recommended for production deployments due to the amount of replication data.

Click Next.

AD LDS

Enter the server and port name, and click Next.

For more information about an AD LDS deployment, see Setting permissions on AD LDS .

SQL Server

Enter the server name and the required authentication information, and click Next.

NOTE: If the server is installed as a unique instance, it must be specified as servername\instancename rather than just the SQL Server name.

Network Share

NOTE: Recommended method as it provides a high level of performance and a low level of configuration and maintenance overhead.

Browse to and select the required network share or directory, and click Next.

6
Select which users should have the right to connect to and administer the Version Control server, and click Next.
7
Click Finish.
Now that the system has been configured, users can connect to and use the version control features.
* 
NOTE: Users with the appropriate rights can modify the server settings at anytime by right-clicking the GPOADmin node and selecting Options.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating