GPOADmin 5.21 - User Guide


	NOTE: If required, you can modify the information generated by the Watcher Service by creating a new role specifically for it and then customizing an existing template or creating a new template to associate with it. For example, to ensure that the Watcher Service or server name does not display in the notification message, remove the following section from the template html file: <tr> <td class="style3"> Detected on: </td> <td> [MACHINENAME] </td> </tr> The keyword MACHINENAME specifies the computer where Watcher Service is running.

GPOADmin includes a sample template (DefaultNotificationTemplate.html) in the server installation directory. This file should not be moved or modified; however, you can use it as a basis for the creation of new templates.

To select an email template for an existing role

Right-click the forest node, and select Options.

Select Delegation | Roles, select the require role, and click View Role.

Select the Email Template tab.

Click Browse to select the template to use for the selected role.

By default, the DefaultNotificationTemplate.html in the server install directory is used by the notification system if the specified custom template cannot be found.

If there are no templates displayed, click Add and browse to where the templates are located. The default template is located at C:\Program Files\Quest\GPOADmin.

Select the template and click OK.

Select the cost for this template.

If a user is a member of two or more roles which have subscribed to the same notification, the email template associated with the role with the lowest cost is the one used for that user.

For example, User A has subscribed to all event on Version Control Root. They are a member of the Moderators role set on the Version Control Root container and a member of the Administrators Role set on a child container When a version-controlled object is Checked-Out in the child container a notification is sent to them. GPOADmin determines that user A is a member of two roles. The cost that you have applied to the role tells the system which template to use when sending the notification. If the Moderators role has a lowest cost then the cost associated with the Administrators role, then the template associated with the Moderators role is used.

To select an attachment to include in the email, select the Attachments tab, click Add, select the action that triggers the attachment inclusion from the list, select the attachment to include by entering its location or browsing to it, and apply the changes.


	NOTE: You can optionally use any GPOADmin predefined tag in this field.

To further control the inclusion of attachments, you can use keywords. The attachment is only included if the specified keywords are present in the list of keywords on the version-controlled object.

Enter, enable, disable keywords as required. (Check an existing keyword to have it associated with this attachment and click to clear the keyword to exclude it.)


	NOTE: Any attachment with an empty keyword list would always be included for the associated action.

To include a subject in the email, select the Subject Lines tab, click Add, select the required action, enter the text that you want included in the Subject Line field, and apply the changes.

To further customize the subject line, you can use tags and keywords.

Tags allow you to include a very specific subject line. For example, if you select Type, Name, and Trustee Name from the drop down list (The “[TYPE] '[NAME]' has been checked in by [TRUSTEENAME]”), the resulting email for a GPO named Sales would be "The GPO 'Sales" has been checked in by domain\user".

Keywords allow you to include a set subject line when the specified keywords are present in the list of keywords on the version-controlled object.

Click OK.

Click Apply to associate the template.

Working with Protected Settings policies

Protected Settings policies contain settings that you want to control. They are protected in the sense that they contain and identify the settings that may not be altered by users. This provides an added level of security for the policies within your organization. If a user attempts to create, edit, or remove the flagged settings they are stopped.

Protected Settings are identified by examining the difference report between the Protected Settings policies and the Group Policy Object being checked in. The difference is produced by using the Difference Engine in GPOADmin. Once this is completed, the protected setting function searches the difference report for matches based on the specified validation mode.

Protected Settings policies have a modified workflow and follow the typical check-out, edit, and check-in process. As with any other object, when you are ready to make the newly created Protected Settings policy active or edit an existing policy, a request approval action must be initiated.

Once the approval is granted, the Protected Settings policy is available for use.


	NOTE: These policies differ from other GPOs in that they are not deployed to the environment.

If a protection issue is detected during check in, users with the Modify Protected Settings right on the GPO in question, have the option to continue with the check in and override the blocked setting or review a report and address the issue.

Protected settings must be:

•

Enabled within the domain

•

Created with the selected settings

•

Applied to the required container within GPOADmin

To enable Protected Settings for Group Policy Objects

Right-click the domain and select Options.

Select Options | General and select Enable Protected Settings for Group Policy Objects.

Click OK.

A new Protected Settings Root container is created to store and manage the Protected Settings policies deployed within your environment.

Rights and role for Protected Settings for GPOs

The Protected Settings for GPOs requires the following rights to control the actions of the Protected Settings tab on containers and provide the ability to export GPOs to create protected settings:

•

Block Protected Settings Inheritance

•

Export Group Policy Objects as Protected Settings Policies

•

Modify Protected Settings Assignments

•

Modify Protected Settings Exclusions


	NOTE: These rights are not available until the Protected Settings for Group Policy Objects is enabled through the server properties. See Working with Protected Settings policies .

These rights are automatically assigned to the System Administrator role when Protected Settings are enabled. No other roles, built in or otherwise, are given the Protected Settings rights. They must be assigned.


	IMPORTANT: Built-in roles cannot be modified, so if users require these rights then a new role must be created.

To create and assign the required role to the user responsible for managing containers and controlling the settings on the Protected Settings tab for containers

Create a role called Prot_All and assign rights listed above and the Read right to this role. No other rights are required for this role.

Right-click the Protected Setting container, and select the Security tab. Click Add and add the user who is going to manage the container. Give them the Prot_All role. Do not give them any other roles to the Protected Settings container. Select OK to apply the security changes.

Right-click the container that the user is to manage, and select Properties.