Chat now with support
Chat with Support

GPOADmin 5.21 - User Guide

Introducing Quest GPOADmin Configuring GPOADmin Using GPOADmin
Connecting to the Version Control system Navigating the GPOADmin console Search folders Accessing the GPMC extension Configuring user preferences Working with the live environment Working with controlled objects (version control root)
Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects Working with available objects Working with checked out objects Working with objects pending approval and deployment
Checking compliance Editing objects Synchronizing GPOs Exporting and importing
Creating Reports Appendix: Windows PowerShell Commands Appendix: GPOADmin Event Log Appendix: GPOADmin Backup and Recovery Procedures Appendix: Customizing your workflow Appendix: GPOADmin Silent Installation Commands Appendix: Configuring Gmail for Notifications Appendix: Registering GPOADmin for Microsoft 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Migrating from AD/AD LDS to a SQL configuration store

A configuration utility (GPOADmin.ConfigMig.exe) is available in the GPOADmin install directory that allows you to migrate the configuration store to SQL from an AD/AD LDS. You can migrate all objects or specify users, custom folders, keywords, email templates, roles, domains, containers, version control items, scheduled deployments, synchronization targets and synchronization results data as required.

* 
NOTE:  
The Migration utility migrates configuration store data; it does not migrate backups. To ensure the migration completes without issue, we recommend that you continue to use the same backup store.
To ensure the configuration utility is running against the latest version of GPOADmin, login and configure for the existing AD/AD LDS configuration store prior to migrating to SQL. This also ensures that AD/AD LDS configuration store is up-to-date and reduces possible migration issues.

The output from the configuration utility is written to the screen as well as to a Migration.txt file located in the install directory.

* 
IMPORTANT: The configuration utility must be:
Run on the GPOADmin server host computer.
Run as an account that has access to the AD/AD LDS configuration store and the new SQL database. In most cases this will be the service account.
Pointed to a GPOADmin 5.16 or above configuration storage location. (Upgrade from versions older than 5.16 are not supported.)
After the migration, you need to restart the Watcher Service so that it will use the correct configuration store.

Before running the configuration utility, you need to configure the version control server to use SQL as the configuration store. See Editing the Version Control server configuration store to change the storage from AD/AD LDS to SQL.

SQL Injection inserts malicious code into SQL statements which can lead to security vulnerabilities. To protect your environment from a SQL Injection attack, you can mark SQL statement inputs that are not permitted. See Editing the Version Control server properties. By default, we have marked the following inputs as not permitted. If you allow these inputs, malicious code may be inserted in a SQL statement resulting in security vulnerabilities:

Table 8. SQL inputs
Input
Description

:

Denotes the end of a SQL query. Allowing this character can permit malicious queries to be included in user input.

--

All trailing input is interpreted as a comment until the new line character.

/*

The character combination used to denote the start of a block comment. All trailing input is interpreted as a comment until the comment end delimiter.

*/

The character combination used to denote the end of a block comment. Input between the comment start delimiter and the comment end delimiter is interpreted as a comment.

xp_

Extended procedures are routines residing in DLLs that function similarly to regular stored procedures. The extended stored procedure function is run under the security context of Microsoft SQL Server.

\AUX

Generally, the AUX port on a PC is computer port 1 (COM1), which is the first serial port with a preconfigured assignment for serial devices. File paths can be constructed using this input.

\CLOCK$

The system clock. File paths can be constructed using this input.

\COM1

The first Communications port. File paths can be constructed using this input.

\COM2

The second Communications port. File paths can be constructed using this input.

\COM3

The third Communications port. File paths can be constructed using this input.

\COM4

The forth Communications port. File paths can be constructed using this input.

\COM5

The fifth Communications port. File paths can be constructed using this input.

\COM6

The sixth Communications port. File paths can be constructed using this input.

\COM7

The seventh Communications port. File paths can be constructed using this input.

\COM8

The eighth Communications port. File paths can be constructed using this input.

\CON

A common device name for the keyboard and screen. File paths can be constructed using this input.

\CONFIG$

A configuration information file. File paths can be constructed using this input.

\LPT1

The first line print terminal. File paths can be constructed using this input.

\LPT2

The second line print terminal. File paths can be constructed using this input.

\LPT3

The third line print terminal. File paths can be constructed using this input.

\LPT4

The fourth line print terminal. File paths can be constructed using this input.

\LPT5

The fifth line print terminal. File paths can be constructed using this input.

\LPT6

The sixth line print terminal. File paths can be constructed using this input.

\LPT7

The seventh line print terminal. File paths can be constructed using this input.

\LPT8

The eighth line print terminal. File paths can be constructed using this input.

\NUL

The NUL port. File paths can be constructed using this input.

\PRN

The DOS name for the first connected parallel port. File paths can be constructed using this input.

 

Before migrating the configuration store, Quest suggests that you test the migration to ensure that all objects migrate according to your specifications. To validate the migration, run the command with the /t option. This gathers all the information that will be committed to the SQL database but does not commit any changes.

To run the configuration utility:
From a command prompt, browse to and run Program Files\Quest\GPOAdmin\GPOADmin.ConfigMig.exe “FQDN of the AD/AD LDS server hosting the source configuration store.”
The following switches and options are available: (If none are specified, all objects are migrated.)
O = Service Options
U = Users
F = Custom Search Folders
K = Keywords
E = Email Templates
R = Roles
D = Domains
C = Version Control Containers
I = Version Control Items
S = Scheduled Deployments
T = Synchronization Targets
Y = Synchronization Results
/T = Testing only. Validates the object data from the source configuration store. Nothing is written to the database.
/H:<GPOADmin Host>] = The FQDN of the source GPOADmin host (Used to migrate Service Options stored in the registry)
/S:<domain\account> = The GPOADmin service account name. If not specified, the current user account is used.
/R = Re-migrate items. Items are logged to their own log file in a timestamped directory based on when the migration was started. It is located in the Configuration Migration folder of the installation directory. The file name is a combination of the item name and its Version Control Id.
/G = Grant the specified service account access.

Changing the Service Account

Changing the Service Account

To change the GPOADmin service account in an existing deployment, consider the following:
Existing live GPOs
Must have their ownership and delegation updated with the new service account. You can update the service account by running the GPOADmin.AddServiceAccountToAllGPOs PowerShell script found in the Scripts folder of the GPOADmin install directory.
Existing registered GPO backups
The Watcher service may detect and report GPOs as non-compliant because they contain the previous service account as the owner and as a delegate with the edit settings, delete, and modify security Group Policy Management Console permissions. To prevent this, stop the Watcher service monitoring the forest before changing the service account. Note: Running a manual compliance check by right-clicking the object and selecting to Check Compliance will also report GPOs as non-compliant.

To bring GPOs back into compliance complete the one of the following:
GPOs with a major version less than 1.0 should be copied and deployed. This corrects the security and ownership to reflect the new service account. Once the copied GPO has been successfully deployed, delete the original.
GPOs with any version greater than 1.0, when deployed, display a message indicating the policy is not compliant. This is expected behavior since the owner and delegation for the GPO have changed. The deployment can proceed; however, the security on the policy template in SYSVOL may become "out of sync". To address this, locate the policy in question in GPMC and select the service account from the Delegation tab. Right-click and select Edit settings and OK. Right-click again and select Edit settings, delete, modify security and OK.
To ensure that service account has proper access to any registered policies, we recommend that you enable the "Ensure service account access prior to deployment" option within GPOADmin.

Root container assignment

If necessary, the GPOADmin administrator can assign a specific container as a user’s or group’s “Root Container”. When the user or group member logs in they will only have access to the container they have been assigned, rather than the default "Version Control Root". This allows for the administration of containers and sub containers to be assigned to specific users or groups without those users being able to access or change managed objects in any other containers.

This assignment is also valid for the PowerShell commands and the GPOADmin snap-in for GPMC.

* 
NOTE: A user or group can only be directly assigned one root container at a time, however, they may have access to multiple root containers through their group membership.
To assign a container to a user or group
1
Right-click the container to be the root, and select Properties.
2
Select the Root Container Assignment tab and assign the users or groups who are going to see this as their Root Container.
* 
IMPORTANT: The security for the container must be set so the users or group members have the User, Moderator, Administrator, or some specially created role. If the security is not set for the assigned users of the Root Container, they will not be able to see, create, or manage any objects in the container and sub containers.

Restricting GPO management for specific domains

If necessary, you can restrict access to domains to ensure that only specified individuals or groups can view, register, create, and report on items in a domain. You can fine-tune the level of available management based on the level of security.

By default, the Domain Users group is assigned all domain rights to their corresponding domain. To take advantage of the new level of security, you must remove Domain Users and assign rights as appropriate.

* 
IMPORTANT: These rights refer to domain access and work with the existing GPOADmin delegated user rights that are in place; they do not replace them.
To manage the security on a domain
1
Expand the Live Environment, right-click the required domain, and select Properties.
2
Add and remove the user or groups that you want to apply the restrictions to.
3
Select to allow (or remove previously applied) rights and click Apply.
Table 9. Available rights
Right
Description

Read

A base right that you must apply as it is used with other rights.

This right works with, but does not replace, the delegated custom user Read right that controls whether users and groups can see a version control container’s contents.

Register

Apply this right to users and groups that are assigned the Domain Read right to allow them to register/unregister objects from the selected domain.

This right works with, but does not replace, the delegated custom user Register and Unregister rights that controls whether a user can register objects into a specific version control container or unregister objects.

Create Group Policy Objects

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Group Policy Objects in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create WMI Filters

Apply this right to users and groups that are assigned the Domain Read right to enable them to create WMI Filters in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Scripts (Logon/Logoff Startup/Shutdown)

 

Apply this right to users and groups that are assigned the Domain Read right to enable them to create a script in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Create Desired State Configuration Scripts

Apply this right to users and groups that are assigned the Domain Read right to enable them to create Desired State Configuration scripts in the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Report

Apply this right to users and groups that are assigned the Domain Read right to enable them to report on objects within the selected domain.

Once applied, they will only see the "Live" report option for objects which exist in the associated domain and only the domains for which the user has this right is displayed in the report wizard.

This right works with, but does not replace, the delegated custom user Run Reports right that controls whether a user can run the “New Report” wizard, and the Run Contextual Reports right which controls whether a user can run the “Live”, “Working Copy”, “Latest”, and “Difference” from the context menu.

Create Starter GPO

Apply this right to users and groups that are assigned the Domain Read right to allow them to create Starter GPOsin the selected domain.

This right works with, but does not replace, the delegated custom user Create right that controls whether a user can create an object in a specific version control container.

The Edit right on the Version Control container is also required.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating