
GPOADmin 5.18 - Quick Start Guide

GPOADmin watcher service

The watcher service protects an organization from unauthorized changes by automatically detecting changes to GPOs, scripts, and Scopes of Management made outside of the Version Control system. It is an optional component of GPOADmin that monitors registered GPOs, scripts, configuration profiles, and Scopes of Management for changes made outside of the GPOADmin console and marks the changed objects as non-compliant by changing their icon. If the change is valid, an administrator can either incorporate the change into the version control system or roll back the change to the previous deployed version.

The GPOADmin watcher service must be run using credentials with sufficient network permissions.


For example, if you have a GPO checked out and the watcher service flags it as non-compliant, the GPO settings in the live environment have changed since you checked out and started working on that GPO.

Once you have selected GPOs for check-in, the Non compliant Objects Detected dialog box shows you a list of the non-compliant objects, alerting you of any GPOs that have been modified outside of the version control system of GPOADmin, and providing you with the following options:

Watcher service polling interval

The default polling interval is 45000 milliseconds (45 seconds). If required, you can alter this to meet your needs.

Select Decimal as the Base when editing the value.

Excluding security modifications on Scopes of Management from the watcher service

If needed, you can use a registry key to prevent the watcher service from flagging a Scope of Management as non-compliant when its system-provided security is modified.

If you enable this setting, you must redeploy all registered Scopes of Management so that security is either included or excluded (depending on the value) in the latest backup used to perform the comparison. If you do not redeploy the SOMs, they will be flagged as non-compliant.

Set the ExcludeSOMSecurityFromHash registry value to 1. By default this is set to 0.
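
Why the redeploy is needed can be seen in a simplified model of a backup-versus-live hash comparison. This is an added example, not GPOADmin code: the hashed fields, the use of SHA-256, the sample SOM, and all function names are assumptions made for illustration.

```python
import copy
import hashlib
import json

# Constructed sample SOM; the field names are assumptions for illustration.
SAMPLE_SOM = {
    "links": ["Baseline Workstation Policy", "Browser Hardening"],
    "inheritance_blocked": False,
    "security": ["CORP\\GPO Admins:FullControl", "Authenticated Users:Read"],
}

def som_hash(som, exclude_security):
    """Hash the SOM state; skip the security entries when the flag is 1."""
    tracked = {"links": som["links"],
               "inheritance_blocked": som["inheritance_blocked"]}
    if not exclude_security:
        tracked["security"] = sorted(som["security"])
    blob = json.dumps(tracked, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def is_compliant(backup_hash, live_som, exclude_security):
    """Watcher-style check: live hash must equal the hash stored at deploy."""
    return backup_hash == som_hash(live_som, exclude_security)

def run_scenarios():
    sec_changed = copy.deepcopy(SAMPLE_SOM)
    sec_changed["security"].append("CORP\\Helpdesk:Read")
    link_changed = copy.deepcopy(SAMPLE_SOM)
    link_changed["links"].append("Unreviewed Policy")

    old_backup = som_hash(SAMPLE_SOM, exclude_security=False)  # deployed with 0
    new_backup = som_hash(SAMPLE_SOM, exclude_security=True)   # redeployed with 1
    return {
        "default_flags_security_change":
            not is_compliant(old_backup, sec_changed, False),
        "flag_set_without_redeploy_is_compliant":
            is_compliant(old_backup, SAMPLE_SOM, True),
        "redeployed_ignores_security_change":
            is_compliant(new_backup, sec_changed, True),
        "redeployed_still_flags_link_change":
            not is_compliant(new_backup, link_changed, True),
    }

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

In this model, an unchanged SOM is reported as non-compliant when the value is switched without a redeploy, because the stored backup was produced under the other setting. With the value at 1, security changes on a SOM no longer show up in this comparison, so they have to be tracked by other means.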

Port requirements

The following ports must be open for the application to function correctly:

Name resolution can be achieved using DNS on port 53 or WINS (downlevel) on port 137.

Between the client and the GPOADmin Server:

From the GPOADmin Server:

Configuration storage

GPO Archives
