Chat now with support
Chat with Support

GPOADmin 5.21 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Microsoft 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Configuring GPOADmin
Configuring the Version Control server
Setting permissions on AD LDS
Setting permissions when using SQL as the configuration store
Port requirements
Editing the Version Control server properties
Editing the Version Control server configuration store
Replacing the Version Control server configuration settings
Migrating from AD/AD LDS to a SQL configuration store
Changing the Service Account
Root container assignment
Restricting GPO management for specific domains
Configuring role-based delegation
Restricting access to objects
Adding notifications for users
Selecting events on which to be notified
Restricting inheritance on notifications
Creating email templates
Working with Protected Settings policies
Working with Protected Settings Policy Baselines

Configuring the Version Control server

You must configure the Version Control server the first time that you connect to it.

To configure the Version Control server
* 
NOTE: Configure the server using the GPOADmin console, even if you intend to use the GPMC Extension.
1
Right-click the GPOADmin node and select Connect To.
2
Select the required Version Control server and click Connect to connect with the current logged on user credentials. Alternatively, select the down arrow in the Connect button and select Connect As to enter new credentials (domain\user and password).
3
To save the credentials, select the Remember my password check box and click OK.
For information about saving connections, see Connecting to the Version Control system .
4
In the Select a Configuration Store dialog, select SQL Server, AD LDS, or Active Directory for your configuration storage location.
* 
NOTE: Configuration Store Selection

The best practice is to use:
SQL Server for optimal performance.
AD LDS for small environments. Quest uses the following criteria to define small environments. (These are guidelines and should not be considered as an exhaustive list.)
Domains with less than 500 registered objects that run searches on a regular basis.
Less than 500 registered containers.
Containers with objects nested no more than 3 levels deep.
Active Directory for legacy deployments. It is not recommended for new installations.
* 
IMPORTANT: Ensure that you are following the minimum permissions detailed in the Quick Start guide. The listed permissions help to secure the database by limiting the access to only the required accounts.
a
If you select Active Directory, select the Domain Controller (DC) to be the Version Control server, and click Next.
Any DC in any domain of the selected forest can be specified as the primary version control server. This server can be thought of as another FSMO role in the Microsoft sense (such as Schema master, PDC Emulator, and RID master).
GPOADmin is a directory-enabled application and all its application information is stored in the configuration container of Active Directory. Because of how the information is stored, all information is automatically replicated to all other DCs. However, the primary version control server is the authoritative source for all version control actions. If it goes offline, users cannot perform actions such as check-in a desired group policy object change until the problem has been rectified.
b
If you select AD LDS, enter the NetBIOS name of the computer you are installing to and the port number in the format: server_name:port, and click Next.
For example, gpoadmin_svr: 389.
* 
NOTE: The username/port/server (but not password) will be cached, so the next time you open the console you will not need to enter this information.
c
If you select SQL Server, choose the required SQL server, enter a name for the database, select the authentication method to access the server.
To connect as the current user, select NT Authentication.
Select the level of encryption for the connection. When enabled, SQL Server uses TLS encryption for data sent between the client and server.
* 
NOTE: When using SQL as the Configuration or Backup store with GPOADmin, TLS 1.2 remains a requirement since SQL Server satellite services require TLS 1.2 to be enabled. For more information on TLS support, see Microsoft documentation.
Choose between:
Strict (SQL Server 2022 and Azure SQL): Select this option for Azure SQL Database and Azure SQL Managed Instance or when the instance has Force Strict Encryption enabled.
Mandatory: Select this option when the instance has Force Encryption enabled. It can also be used when no encryption is configured for the instance, but Trust server certificate is enabled. While this method is less secure than installing a trusted certificate, it does support an encrypted connection.
Optional (Default in GPOADmin)
Enabling Trust Server Certificate, when 'Optional' or 'Mandatory' encryption is selected, or if the server enforces encryption, means that SQL Server will not validate the server certificate on the client computer when encryption is enabled for network communication between the client and server.
Under Host name in the certificate, you can provide an alternate, yet expected, Common Name (CN) or Subject Alternative Name (SAN) in the server certificate for the connection to SSMS. You would use this option when the server name does not match the CN or SAN, for example, when using DNS aliases.
Leaving this option blank allows certificate validation to confirm that the CN or SAN matches the server name.
To connect using SQL credentials, select SQL Authentication and enter the username and password.
Click Next to continue.
* 
NOTE:  
SQL Server (See the Release Notes for supported versions.)
See Appendix: GPOADmin with SQL Replication to configure database replication for an SQL configuration store.
When configuring GPOADmin to use an Azure SQL managed instance, you must specify the public endpoint including the port number, in the Server Name field in GPOADmin. For details on configuring a public endpoint, see Microsoft documentation.
* 
NOTE: When using SQL replication with a SQL configuration store, objects may be incorrectly flagged as non-compliant. This occurs when SQL replication and Active Directory replication are on different cycles. To resolve this, GPOADmin provides a HashStorageProperties.ini file that allows you to store the comparison hash on the Active Directory object. The file is located in the GPOADmin installation directory and contains the information on the settings to change. Ensure that objects are in the available state prior to changing the values in this file.
SQL Injection inserts malicious code into SQL statements which can lead to security vulnerabilities. To protect your environment from a SQL Injection attack, you can mark SQL statement inputs that are not permitted. See Editing the Version Control server properties. By default, we have marked the following inputs as not permitted. If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities:
Table 2. SQL inputs
Input
Description

:

Denotes the end of a SQL query. Allowing this character can permit malicious queries to be included in user input.

--

All trailing input is interpreted as a comment until the new line character.

/*

The character combination used to denote the start of a block comment. All trailing input is interpreted as a comment until the comment end delimiter.

*/

The character combination used to denote the end of a block comment. Input between the comment start delimiter and the comment end delimiter is interpreted as a comment.

xp_

Extended procedures are routines residing in DLLs that function similarly to regular stored procedures. The extended stored procedure function is run under the security context of Microsoft SQL Server.

\AUX

Generally, the AUX port on a PC is computer port 1 (COM1), which is the first serial port with a preconfigured assignment for serial devices. File paths can be constructed using this input.

\CLOCK$

The system clock. File paths can be constructed using this input.

\COM1

The first Communications port. File paths can be constructed using this input.

\COM2

The second Communications port. File paths can be constructed using this input.

\COM3

The third Communications port. File paths can be constructed using this input.

\COM4

The forth Communications port. File paths can be constructed using this input.

\COM5

The fifth Communications port. File paths can be constructed using this input.

\COM6

The sixth Communications port. File paths can be constructed using this input.

\COM7

The seventh Communications port. File paths can be constructed using this input.

\COM8

The eighth Communications port. File paths can be constructed using this input.

\CON

A common device name for the keyboard and screen. File paths can be constructed using this input.

\CONFIG$

A configuration information file. File paths can be constructed using this input.

\LPT1

The first line print terminal. File paths can be constructed using this input.

\LPT2

The second line print terminal. File paths can be constructed using this input.

\LPT3

The third line print terminal. File paths can be constructed using this input.

\LPT4

The fourth line print terminal. File paths can be constructed using this input.

\LPT5

The fifth line print terminal. File paths can be constructed using this input.

\LPT6

The sixth line print terminal. File paths can be constructed using this input.

\LPT7

The seventh line print terminal. File paths can be constructed using this input.

\LPT8

The eighth line print terminal. File paths can be constructed using this input.

\NUL

The NUL port. File paths can be constructed using this input.

\PRN

The DOS name for the first connected parallel port. File paths can be constructed using this input.

5
Select where you want to store the historical backup information.
You have the option of choosing Configuration store location, a network share, SQL Server, AD LDS, or the Directory Configuration Location.
* 
TIP: The best practice is to use a network share.
 
Table 3. Storage Options
Option
If you select this option

Network Share

NOTE: Recommended method as it provides a high level of performance and a low level of configuration and maintenance overhead.

Browse to and select the required network share or directory, and click Next.

SQL Server

Enter the server name and the required authentication information, and click Next.

NOTE: If the server is installed as a unique instance, it must be specified as servername\instancename rather than just the SQL Server name.

AD LDS

Enter the server and port name, and click Next.

For more information about an AD LDS deployment, see Setting permissions on AD LDS .

Directory Configuration Location

This option is only available if you have selected to use Active Directory or AD LDS as your configuration store.

6
Select which users should have the right to connect to and administer the Version Control server, and click Next.
7
Click Finish.
Now that the system has been configured, users can connect to and use the version control features.
* 
NOTE: Users with the appropriate rights can modify the server settings at anytime by right-clicking the GPOADmin node and selecting Options.

Setting permissions on AD LDS

To use GPOADmin with an AD LDS deployment, users must be assigned the Administrators role.

To set permissions on AD LDS
1
Open ADSI-Edit (ADSI-Edit is installed as part of the AD LDS tools.)
2
Connect to the configuration naming context and browse to the roles container.
3
To grant the user rights, right-click the Administrators role and select Properties.
4
Browse to the member attribute and click Edit.
5
Add the service account to the selected role.
* 
NOTE: If necessary, you can use the AD LDS support tool dsacls.exe to fine-tune the rights given by these roles or to grant specific rights to users.

Setting permissions when using SQL as the configuration store

Perform the following after installing GPOADmin and before configuring the GPOADmin server.

1
Run the database script GPOADmin.sql.
a
In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O).
b
In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied.
c
If you want to create the database with a different name other than the default name of GPOADmin, change the name from GPOADmin on line 4 and line 7 to the name you want to use.
d
Click the Execute button or press F5 to create the database.
2
Run the InitializeDatabase stored procedure on the newly created database.
a
Create a new query by pressing the New Query button.
b
Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database.
c
On the next line, type EXEC InitializeDatabase.
d
When ready, click the Execute button or press F5 to run the command.
3
Create a login for the GPOADmin service account.
a
In Microsoft SQL Server Management Studio, navigate to Security, then Logins.
b
Right-click Logins and select New Login.
c
On the General page, enter the name of the service account in the Login name field.
d
Select Windows authentication to connect as the GPOADmin service account or SQL Server Authentication to connect as a SQL account. SQL authentication is useful if you want to use this database as the configuration store for a GPOADmin installation in another untrusted domain.
e
Set the Default database property to the name of your GPOADmin database.
f
On the Server Roles page, check the public server role.
g
On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public.
h
Click OK to close the properties page.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating