立即与支持人员聊天
与支持团队交流

GPOADmin 5.17 - Quick Start Guide

Configuring GPOADmin to use a Group Managed Service Account (GMSA)

3
Create the Group Managed Service Account for GPOADmin using the New-ADServiceAccount PowerShell command. For more details, see https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount?view=windowsserver2019-ps.
6
Follow the Minimum permissions required for the service accounts and replace the service account with the group the GMSA member of create in step 4.

Minimum permissions required for the service accounts

2
Grant this account Log on as a Service on the computer where GPOADmin is installed.
3
Grant the service account Full Control to the installation directory.
2
Select the Security tab and click Advanced.
3
Click Add and select the service account. The applies to option should be This object and all descendant objects.
4
Delegate the following permissions in the Advanced Security Settings: List Contents, Read all Properties, Write all Properties, Delete Subtree, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, Create All Child Objects, and Delete All Child Objects.
3
Browse to the Member attribute and click Edit. Add the GPOADmin service account as a Windows Account.
a
In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O).
b
In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied.
d
Click the Execute button or press F5 to create the database.
b
Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database.
c
On the next line, type EXEC InitializeDatabase.
d
When ready, click the Execute button or press F5 to run the command.
b
Right-click Logins and select New Login.
e
Set the Default database property to the name of your GPOADmin database.
g
On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public. Click OK to close the properties page.
6
Grant the service account Full Control on each WMI Filter that will be managed by GPOADmin.
7
Using GPMC, delegate Link GPOs to the service account on the Site and Domain level (or even on the OU level depending on where GPOADmin is required to manage GPOs), for This container and all child containers, if child containers are needed.
8
For the service account to run RSoP reports, the Read Group Policy Results data right must be granted. Using GPMC, delegate Read Group Policy Results Data to the service account on the Domain level (or even on the OU level, depending on where GPOADmin is required to perform the RSoP analysis), for This container and all child containers, if child containers are needed.
9
Using GPMC, delegate Create GPOs to the service account on the Group Policy Objects Level.
10
Using GPMC, delegate Edit settings, Delete, and Modify security to the service account for each existing GPO that will be managed by GPOADmin using GPMC.
3
Click the Advanced button on the Security tab.
4
Click Change at the top of the Advanced Security Settings page and select the service account.
5
Click OK three times.
3
Click the Advanced button on the Security tab and click Add.
5
Ensure Read servicePrincipalName and Write servicePrincipalName are selected.
6
Click OK three times.
Add the GPOADmin service account to the Distributed COM Users security group in each domain that will be reported on.
b
Right-click the CN=Partitions object and select Properties.
c
Select the Security tab, click Add, and add the GPOADmin service account.
d
Under Permissions for <Service Account>, enable Allow for the following permissions:
e
Click Advanced, select the service account, and click Edit.
f
Set Applies to to This object and all descendant objects and enable the following permissions:
g
Click OK to close the Permission Entry for Partitions dialog.
h
Click OK to close the Advanced Security Settings for Partitions dialog.
i
Click OK to close the CN=Partitions Properties dialog.
b
d
f
At the partition management command prompt, type the following: create nc dc=staging,dc=gpoadmin DomainController.
c
Select the DC=Staging,DC=GPOADmin context in the left pane.
d
Right-click the DC=Staging,DC=GPOADmin domainDNS object in the right pane, and select Properties.
e
Click the Security tab, click Add, and add the GPOADmin service account.
f
Under Permissions for <Service Account>, enable Allow for the following permissions:
g
Click Advanced, select the service account, and click Edit.
h
Set Applies to to This object and all descendant objects, and enable the following permissions:
i
Click OK to close the Permission Entry for Staging dialog.
j
Click OK to close the Advanced Security Settings for Staging dialog.
k
Click OK to close the DC=Staging,DC=GPOADmin Properties dialog.
To do so, open ADSIedit.msc or DSA.msc and connect to the Active Directory domain. Navigate to the computer where GPOADmin will installed, the computer properties, and select the Security tab. Grant the service account the following permissions: Create serviceConnectionPoint objects and Delete serviceConnectionPoint objects for This object and all descendant objects.
22
Once the product has been configured, connect to the GPOADmin console using the service account. Configure any additional administrators and users (trustees) that will connect to the product by
right- clicking the connected domain and selecting
Options and then Access. Delegate any roles required by these users through the Version Control Root properties, or any registered OU/GPO within the Version Control Root as necessary.

HKEY_LOCAL_MACHINE\SOFTWARE\Quest\
GPOADmin

 

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Diagnostics

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog

25

Minimum permissions, rights, and roles required for Microsoft Intune

To register an application with the required permissions:

3
Select the Azure Active Directory service, App registrations, New registration.
5
Click Register.
6
Under Manage, select Certificates & Secrets.
7
Under Certificates, select Upload certificate. You will need this when you configure Intune in the Version Control properties.
8
Under Manage, select API permissions, and click Add a permission.
a
Under Microsoft APIs, select Microsoft Graph.
b
Select Application permissions.
c
Under All APIs, select Device Management Configuration, and enable DeviceManagementConfiguration.ReadWrite.All.
d
Under APIs my organization uses, select Microsoft Graph | Application permissions | Group and enable Group.ReadWrite.All.
9
Under Manage, select API permissions, and click Grant Admin consent for GPOADmin.

To edit Intune objects, you need to create a custom role with the required permissions and assign it to the required Intune user group.

1
In the Microsoft Endpoint Manager admin center, select Tenant administration | Roles | All roles.
3
On the Basic page, enter Intune Object Editor in the Name field, and click Next.
4
On the Permissions page, select Device configurations, click Yes for Read and Update (and Assign if you want to allow users to edit Intune object assignments), and click Next.
5
On the Scope tags page, click Next to move to the Review + Create page.

Before you can perform workflow actions within GPOADmin on Intune objects associated to a tenant, you need to set the required permissions.

3
Enable Read, Register, and Report.

SQL storage method

Using SQL as the backup repository (storage method), the service account will need the following minimum requirements:

NOTE: Database Creator’s right is only required for the initial creation of the GPOADmin_Backups database. If the database has been pre-created (see Configuring the GPOADmin Server ) by your DB Administrators team then only the following database roles and permissions are required by the GPOADmin service account to access and update the Database:

db_datareader, db_datawriter: Permissions to Execute the following GPOADmin stored procedures:

quest_qgpm_add_group_to_role
quest_qgpm_domainid_pr
quest_qgpm_gpoid_pr
quest_qgpm_insbackup_p
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级