立即与支持人员聊天
与支持团队交流

GPOADmin 5.18 - Quick Start Guide

Quest GPOADmin Quick Start Guide
About this guide
Product overview
GPOADmin architecture
Authentication
System requirements
Getting started with Quest GPOADmin
Step-by-step walkthrough
Best practices

About this guide

This document has been prepared to assist you in becoming familiar with Quest GPOADmin. The Quick Start Guide contains information required to install and use GPOADmin and is intended for network administrators, consultants, analysts, and any other IT professionals using the product.

Product overview

Business problem

Security issues are becoming paramount within organizations. Within Active Directory, Group Policy Objects (GPOs) are at the forefront of an organization's ability to roll out functional security. Core aspects such as password policies, logon hours, software distribution, and other crucial security settings are handled through GPOs. Organizations need methods to control the settings of these GPOs and to deploy GPOs in a meaningful and safe manner with confidence. Since GPOs are so important to the proper operating of the Active Directory, organizations also need methods to restore GPOs when they are either incorrectly updated or corrupt. Windows Group Policy is powerful but difficult to manage. Uncontrolled changes can have disastrous consequences. For example, unplanned effects of a GPO change could prohibit hundreds of users from logging on, exclude access to critical software applications, or expose system settings. The Group Policy Management Console (GPMC) from Microsoft is a useful tool for the individual administrator, but additional functionality—such as GPO check in/check out, change control, and rollback—is needed to effectively manage GPOs across the enterprise.

Business solution

GPOADmin offers a mechanism to control this highly important component of Active Directory. GPOs, Scope of Management links, and WMI filters are backed up in a secure, distributed manner and then placed under version control. When changes are made a backup of the object is made. Changes are then managed from the Version Control system, and approval for change is required. GPOADmin also offers two methods of ensuring GPO consistency. The stored object can be retrieved if the current object in the directory is not valid for any reason. This means that objects become managed and deployed with a sense of security. If issues do arise, recovery time is reduced between the discovery of an issue and the resolution by restoring to a previous version of the object. GPOADmin:

Gives Active Directory managers and security officers control of GPO changes, to eliminate system outages and security exposures
Allows administrators to edit and test GPOs offline and have them approved before they are implemented
Provides a way to quickly roll back changes, in the event that a change has unexpected results
Archives all GPO settings into a reliable, scalable data store
Leverages and complements Microsoft technology, including Group Policy Management Console (GPMC), to strengthen infrastructure investments

GPOADmin architecture

GPOADmin is a directory-enabled application and all of its configuration information is stored in the configuration container of either Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (AD/LDS).

Active Directory deployments

For all Active Directory deployments, the application information along with the GPOADmin Version Control System is stored in the configuration container of Active Directory in the following location:

CN=QGPM,CN=Quest,CN=Services,CN=Configuration,DC=Domain,DC=com

Where if you drilled down on the GPOADmin container you will find the following directories:

- CN=QGPM

- CN=Wentworth
+ CN=Roles (Custom Roles location)
+ CN=Users (Where users' preferences are stored)
+ CN=VCRoot (The root of the version control container hierarchy)
+ CN=Version Control (Pointers to backups' locations (perhaps also backups themselves if 'Directory' is selected as the backup storage location) and controlled object history)
+ CN=Scheduled Actions

Since this information is stored in the configuration container of Active Directory, it is replicated to all other DCs within your forest. However, the primary version control server is unique and the authoritative source for all version control actions. The primary version control server role is normally held by the DC specified during the initial run of the Server Configuration wizard shortly after the GPOADmin server and service have been installed.

Active Directory Lightweight Directory Services (AD/LDS) deployments

For all AD LDS deployments, the application information, along with the GPOADmin Version Control system, follows the same format as the Active Directory deployment with the exception that the application information and Version Control system is stored in the configuration of the AD LDS instance. The information is not replicated to other AD LDS servers (unless manually set up) like Active Directory replicates information with the configuration container.

SQL storage

During configuration of the Version Control server, you now have the option to select to store GPOADmin data in a SQL database. If you select this option, the data can be found in the following tables:

 

Table 1. Database Tables
Table
Description

AclTable

Contains access control list information when cloaking or locking GPOs.

ApprovalWorkflow

Contains approval workflow information.

BackupData

Contains backup information such as date, location, and storage type.

CustomSearchFolders

Contains custom search folder information.

Domains

Contains registered domain names, their Id, and whether or not they are visible in the live environment.

DomainSecurity

Contains a mapping of which rights a user has for a registered domain.

EmailTemplateAttachments

Contains a mapping of which attachments are to be include with what email template for a given notification type.

EmailTemplates

Contains email template information.

EmailTemplateSubjectLines

Contains custom email template subject line information.

ExchangeSettings

Contains Exchange settings.

GmailSettings

Contains Gmail settings.

GPOLineage

Contains a mapping of GPO lineage for a given registered GPO, when the lineage was assigned, and by whom.

GPOLinks

Contains a mapping of GPO links between the GPO and the SOM.

History

Contains a historical list of actions for any registered object or container.

KeywordList

Contains a mapping of keywords to registered object.

LiveEnvironmentAccess

Contains a list of trustees who have access to the live environment.

MasterKeywordList

Contains a list of all keywords.

Notifications

Contains a mapping of which notifications are enabled for a given user on a given registered object or container.

ObjectData

Contains registered object information.

ProtectedSettingsAssignments

Contains a mapping of which protected settings policies are assigned to a specific container.

ProtectedSettingsExclusions

Contains a list of policies that are excluded from verification of a given protected settings policy.

Remediation

Contains remediation information for a given registered object or container.

Roles

Contains default and custom role information.

RootContainerAssignments

Contains a mapping between a trustee and their root container assignment.

ScheduledTasks

Contains a list of all scheduled deployment tasks.

Security

Contains a list of GPOADmin permissions assignments for a given registered object or container.

ServiceIDs

Contains a list GPOADmin service host names and UIDs.

ServiceOptions

Contains the list of service options and there current values.

SOMLinks

Contains the list of GPO links for a given SOM.

SynchronizationResults

Contains a list of the results for a given GPO synchronization.

SynchronizationTargets

Contains a mapping between a source GPO and it synchronization targets.

Trustees

Contains a list of trustees who have been granted access to GPOADmin as either a user or administrator.

VersionControlContainers

Contains a mapping of child and parent version control containers.

WatcherData

Contains a temporary list of newly created or registered items for the watcher service to monitor.

WorkingCopy

Contains a mapping between a registered object and its working copy.

 

 

 

 

Figure 1. GPOADmin architecture

The client/server architecture facilitates granular security and delegation. GPOADmin runs under the security context of a privileged service account that must have full access to GPOs in the managed forest.
Clients can connect to any deployed server within any Active Directory forest.
GPOADmin maintains a most recently used (MRU) list of servers to which the users have previously connected to facilitate quick subsequent server connections.

自助服务工具
知识库
通知和警报
产品支持
下载软件
技术说明文件
用户论坛
视频教程
RSS订阅源
联系我们
获得许可 帮助
技术支持
查看全部
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级