Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

GPOADmin 5.21 - User Guide

Table of Contents

Introducing Quest GPOADmin

GPOADmin overview GPOADmin security overview GPOADmin features

Client/server architecture Multiforest support Group Policy Management Console extension Version control Change approval process Role-based delegation Notification system GPO ACL editor Reporting options Customized views Offline GPO testing Custom workflow actions

Configuring GPOADmin

Configuring the Version Control server Setting permissions on AD LDS Setting permissions when using SQL as the configuration store Port requirements Editing the Version Control server properties Editing the Version Control server configuration store Replacing the Version Control server configuration settings Migrating from AD/AD LDS to a SQL configuration store Changing the Service Account Root container assignment Restricting GPO management for specific domains Configuring role-based delegation

Creating roles Editing roles Delegating roles

Restricting access to objects Adding notifications for users Selecting events on which to be notified Restricting inheritance on notifications Creating email templates Working with Protected Settings policies

Rights and role for Protected Settings for GPOs Create a Protected Settings policy Protecting policy settings based on extensions Generating Protected Settings policies reports Using Protected Settings policies Checking a GPO against a Protected Settings policies and blocked extensions Validating a GPO against a Protected Settings policies and blocked extensions before a check-in

Working with Protected Settings Policy Baselines

Connecting to the Version Control system

Restricting search scope Working with multiple connections Version Control data in the directory

Navigating the GPOADmin console Search folders

Creating custom search folders

Accessing the GPMC extension Configuring user preferences Working with the live environment

Registering objects Registered status Removing registered objects Viewing the live environment

Working with controlled objects (version control root)

Creating a custom container hierarchy Selecting security, levels of approval, and notification options Viewing the differences between objects Copying/pasting objects Proposing the creation of controlled objects

Creating Group Policy Objects (GPOs) Creating starter GPOs Creating WMI filters Creating scripts Creating Desired State Configuration (DSC) PowerShell scripts

Merging GPOs Restoring an object to a previous version Restoring links to a previous version Managing your links with search and replace Linking GPOs to multiple Scopes of Management Managing compliance issues automatically with remediation rules Validating GPOs Managing GPO revisions with lineage Setting the change window for specific actions Working with registered objects

Creating labels Cloaking a GPO Locking a GPO Establishing Management for an Object Viewing history Deleting version history Clearing account names in version history Viewing and editing object properties Applying keywords on containers Creating a report

Working with available objects

Enabling/disabling workflow Checking out objects Requesting the deletion of an object Unregistering GPOs and removing history Requesting approval

Working with checked out objects

Undoing a check out Checking in controlled objects

Working with objects pending approval and deployment

Withdrawing an approval request Enhanced workflow approval Changing the approval workflow Withdrawing approval Approving and rejecting edits Deploying objects (scheduling and associated items)

Checking compliance Editing objects

Removing persistent registry settings

Editing Intune objects (Configuration profiles and Compliance policies) Editing WMI filters Editing scripts Linking GPOs

Synchronizing GPOs

Enabling synchronization Working with GPO synchronizations Generating Synchronized GPO report

Exporting and importing

Export objects Exporting GPO registry settings as a Desired State Configuration resource file Import objects

Creating Reports

Available reports

Controlled object reports

Settings Report Difference Report Group Policy Comparison Report History Report Group Policy Object Settings Search Report User Activity Report Role Assignment Report All Actions Report Compliance Report Change Auditor Report Change Auditor Working Copies Report Deployment Report Protected Settings Assignment Report Attestation Report Intune Readiness Report Creating Controlled Object Reports

Diagnostic and troubleshooting reports

Group Policy Object Consistency Report Software Installation Package Report Linked/Unlinked Report Linked/Unlinked SOMs Report Inactive Policy Settings Report Group Policy Object Security Report Group Policy Permission Check Report Group Policy Size Validation Report Policy Analysis Report GPO Synchronization Report Group Policy Results Group Policy Results Difference Report Group Policy Modeling Report Group Policy Object Settings Priority Report WMI Filter Usage Report Creating Diagnostic and Troubleshooting Reports

Live, working copy, latest version, and differences reports

Creating live, working copy, latest version, and differences reports

Historical Settings Reports

Creating historical settings reports

Creating RSoP validation reports Exporting registry settings Working with report folders

Managing report folders

Appendix: Windows PowerShell Commands

Introduction GPOADmin scripts Available commands

GPOADmin PowerShell provider extensions

Using the GPOADmin PowerShell commands (Examples)

Loading the GPOADmin modules Extracting help for GPOADmin commands Managing objects

Get information on all GPOs Get information for all managed objects Get unregistered objects Register an object Check out an object Check in an object Undo the check out of an object Request approval for changes Withdraw an approval request Approve changes Reject changes Withdraw approval on an object Deploy an object Deploy an object at a future time and date Check for pending deployments Cancel pending deployment

Gathering object and GPOADmin information

Identify which objects are checked out Identify which objects are checked out to me What are the properties of an object What objects are available What objects are checked out

Utility commands

Gather GPOADmin license information Install a GPOADmin license Get logging options Set logging options Get notifications Set notifications on objects

Administrative commands

Approval workflow information Set the approval workflow Identify user accounts Identify user roles Modify a role Add a role Get an object's security Set an object's security Overwrite a GPOs security filter

Protected Settings commands

Gather Protected Settings information Enable and disable Protected Settings Get a list of Protected Settings Add Protected Settings

Appendix: GPOADmin Event Log

What is the GPOADmin event log? Interpreting the GPOADmin event log

Example GPOADmin events

Appendix: GPOADmin Backup and Recovery Procedures

GPOADmin Backup Requirements Restoring GPOADmin

Appendix: Customizing your workflow

What is a custom workflow action? Working with custom workflow actions in the Version Control system Working with the custom workflow actions xml file

Actions Predefined Tags Conditions Example of a complete pre-action

Troubleshooting custom workflow actions

Appendix: GPOADmin Silent Installation Commands

Installing GPOADmin with msiexec.exe

All components (Complete GPOADmin installation) Client and components

Server and client Client only Client and PowerShell provider (Client Only button on Installation dialog) PowerShell provider only

Watcher Service

Watcher Service on localhost Watcher Service on another computer Watcher Service and GPMC Extension on another computer Watcher Service and Client only on another computer Watcher Service, Client, and GPMC Extension on another computer

GPMC Extension on a localhost GPMC Extension on another computer

Appendix: Configuring Gmail for Notifications

Using Gmail for Workflow Approvals Creating a Gmail Credentials File

Appendix: Registering GPOADmin for Microsoft 365 Exchange Online Appendix: GPOADmin with SQL Replication About Us

Configuring role-based delegation

NOTE:

•

The predefined roles cannot be altered.

•

You must perform all role-related tasks in the GPOADmin console.

•

When using the Link right, you must have Link right on the GPO and the SOM.

GPOADmin Administrators can create custom roles that can be applied to specific users to allow them to perform certain functions within the Version Control system. For more information about users with permissions to create roles see Configuring the Version Control server .

When building custom roles, keep in mind the rights must also have the dependent permissions assigned.

Table 10. Right dependencies
Right	Dependencies
Assign Keywords	Read
Attest	Read
Block Inheritance for SOM links	Read and Edit
Block Notification Inheritance	Read
Cloak / Uncloak	Read
Compliance Action	Read
Create	Read and Edit
Delegate Security	Read
Delete	Read
Delete links outside of workflow	Read, Edit, Link and Deploy (User must be the sole approver on linked Scopes of Management)
Deploy	Read
Edit	Read
Edit Linage	Read
Enable/Disable Approvals	Read
Enable / Disable Workflow	Read
Export	Read
Label	Read
List Folders	None
Link	Read and Edit (For managed Scopes of Management)
Lock / Unlock	Read
Modify Approval Workflow	Read
Modify Keywords	Read
Modify Change Window	Read
Modify Link Properties	Read and Edit (For managed Scopes of Management)
Modify Managed By	Read
Modify System-Provided Security Right	Read, Edit and Modify Security Filter
Modify Security Filter	Read and Edit
Move	Read
Read	None
Register	Read
Reject Change	Read
Request Approval	Read
Run Contextual Reports	Read
Run Reports	Read
Set Notifications	Read
Set Remediation Rules	Read
Synchronize	Read
Undo Check-out	Read
Unregister	Read
Unregister and Remove History	Read
View Cloaked	Read
Create Subcontainers	Read
Delegate Container Security	Read
Delete Container	Read
Rename Container	Read
Block Protected Settings Inheritance	Read and Modify Protected Settings Assignments
Export Group Policy Objects as Protected Settings Policies	Read and Register (On the target Protected Settings Container)
Modify Protected Settings	Read
Modify Protected Settings Assignments	Read
Modify Protected Settings Exclusions	Read
Modify Protected Settings Baseline Assignments	Read
Modify Intune Assignments	Read

•

•

•

Delegating roles

Table 11. Roles and rights

Rights included in the role

System Administrator

System Administrators can perform any action in the Version Control system.

Version Controlled Object Rights include:

•

Block Inheritance for SoM links

•

Block Notification Inheritance

•

•

Compliance Action

•

•

Delegate Security

•

•

Delete links outside of workflow

•

•

•

•

Enable/Disable Workflow

•

•

•

•

•

Modify Approval Workflow

•

Modify Change Window

•

Modify Keywords

•

Modify Managed By

•

Modify System-Provided Security

•

Modify Security Filter

•

•

•

•

Run Contextual Reports

•

•

Set Remediation Rules

•

Set Notifications

•

•

•

•

Unregister and Remove History

•

Rights included in the role

System Administrator (continued)

Version Control Container Rights include:

•

Create Subcontainers

•

Delegate Container Security

•

Delete Container

•

Rename Container

Protected Settings Rights include:

•

Block Protected Settings Inheritance

•

Export Group Policy Objects as Protected Settings Policies

•

Modify Protected Settings

•

Modify Protected Settings Assignments

•

Modify Protected Settings Baseline Assignments

•

Modify Protected Settings Exclusions

Moderator (Moderators can perform every action a user can, plus undoing check outs from other users and running the compliance wizard.) They can also:

•

•

•

•

•

•

•

Run Contextual Reports

•

•

User (Users can perform all the basic actions of the Version Control system, such as check in, check out, edit.) They can also:

•

•

•

•

•

•

•

Run Contextual Reports

•

•

Set Notifications

Creating roles

You can easily create roles with any of the customized rights.

To create a role


	NOTE: You must use the GPOADmin console to create roles, not the GPMC Extension.

1

Right-click the forest, and select Options.

2

Select Delegation | Roles.

3

Click Add New Role.

4

Enter a name and description for the role, and click Next.

You can create a role that is based on an existing role. (To see which rights are assigned to a particular role, hover the cursor over it.)

5

Select the role or roles you want to copy and click Next.

If you want to create the role from scratch, do not select an existing role before clicking Next.

6

Select the rights that you want included in the role, and click Finish.

Editing roles


	NOTE: You must use the GPOADmin console to edit roles, not the GPMC Extension.

1

Right-click the forest node, and select Options.

2

Select Delegation | Roles.

3

Select the role that you want to edit and click Edit Role.

4

Make the required changes and click OK.

5

Click OK again to apply the changes.

Delegating roles

Once the required roles are in place, GPOADmin Administrators can begin to delegate the security over containers and GPOs to specific users and groups.

To delegate rights on the Version Control system through roles


	NOTE: You must use the GPOADmin console to delegate roles, not the GPMC Extension.

1

Right-click the Version Control Root node, required container or object, and select Properties.

2

Select the Security tab.

3

Click Add to select the users and groups to which you want to apply the role.

4

Select the role to apply and click OK.

The specified users will now have the specified rights included in the assigned role over the selected container or object.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center