GPOADmin 5.18 - Quick Start Guide


	NOTE: The GMSA will not update the SPN automatically each time the service starts resulting in warnings in the GPOADmin event log. To prevent the service from updating the SPN, add the following to the registry of the GPOADmin service host if it does not exist: Value name: UpdateSPN Value type: DWORD Value path: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\ServerConfig Value: 0

Create a global security group and add the Group Managed Service Account. This security group will be used to grant permission to the service account.

For each computer that will host the GPOADmin service and that you added to the security group in step 2, do the following:

Restart the computer.

Run the following PowerShell command once the GPOADmin host computers have restarted to install the GMSA: Install-ADServiceAccount -Identity <service_account_name>.

Run the following PowerShell command to verify that the GMSA was successfully installed. The command will return True if the GMSA was successfully installed: Test-ADServiceAccount -Identity <service_account_name>.

Follow the Minimum permissions required for the service accounts and replace the service account with the group the GMSA member of create in step 4.


	NOTE: If configuring for SQL, enter the actual GMSA instead of the group when specifying a windows login.

Once the service is using a GMSA account, the password is retrieved from the LSA. This will disable the ability to stop the service or change the service account.

You can run the following command to switch back to a normal account:

sc <server> managedaccount [service name] [type]. For example, sc managedaccount "QGPMService" false.

Minimum permissions required for the service accounts

To set up minimum permissions for the service accounts

Create a service account and add it as a member of the Local Administrators group where the GPOADmin service is installed.

Grant this account Log on as a Service on the computer where GPOADmin is installed.

Grant the service account Full Control to the installation directory.

Create the "Quest" container for the configuration store in either Active Directory or AD LDS (depending on where the configuration will be stored.


COnfiguration Store	to create the Quest container...
Active Directory	Using ADSIEdit.msc, create a "Quest" container under CN=Services,CN=Configuration,DC=Domain,DC=com within the GPOADmin servers domain.
AD LDS (Preferred option)	Using ADSIEdit.msc, connect to the AD LDS instance, expand CN=Services and create the Quest container.
SQL	Skip this step.


	NOTE: ADSIEDit.msc is available from the Windows Support Tools or through Add Roles and Features.

Grant the service account access to the Quest container.

COnfiguration Store

TO grant the service account access...

Active Directory

Go to the properties of the Quest container.

Select the Security tab and click Advanced.

Click Add and select the service account. The applies to option should be This object and all descendant objects.

Delegate the following permissions in the Advanced Security Settings: List Contents, Read all Properties, Write all Properties, Delete Subtree, Read Permissions, Modify Permissions, Modify Owner, All Validated Writes, Create All Child Objects, and Delete All Child Objects.

AD LDS (Preferred option)

Connect to the AD LDS instance using ADSIedit.msc (for example "CN=Configuration,CN={AD LDS INSTANCE GUID}").

Expand CN=Roles and go to the properties of CN=Administrators.

Browse to the Member attribute and click Edit. Add the GPOADmin service account as a Windows Account.

NOTE: If adding the service account as a member of the AD LDS Administrators role is not possible, the AD LDS support tool dsacls.exe can be used to fine-tune the rights given by this role or grant specific rights to user accounts.

SQL

Run the database script GPOADmin.sql.

In Microsoft SQL Server Management Studio, select File | Open | File or press the control key and the O key (Ctrl + O).

In the Open File dialog, select the GPOADmin.sql file and press OK. This file is located in the GPOADmin server install directory by default, but if your SQL server is on a different computer, the file can be copied.

If you want to create the database with a different name other than the default name of GPOADmin, change the name from GPOADmin on line 4 and line 7 to the name you want to use.

Click the Execute button or press F5 to create the database.

Execute the InitializeDatabase stored procedure on the newly created database.

Create a new query by pressing the New Query button.

Set the available database to the name of your GPOADmin database or type USE [DATABASE_NAME] where DATABASE_NAME is the name of your GPOADmin database.

On the next line, type EXEC InitializeDatabase.

When ready, click the Execute button or press F5 to run the command.

Create a login for the GPOADmin service account.

In Microsoft SQL Server Management Studio, navigate to Security, then Logins.

Right-click Logins and select New Login.

On the General page, enter the name of the service account in the Login name field.

Select Windows authentication to connect as the GPOADmin service account or SQL Server Authentication to connect as a SQL account. SQL authentication is useful if you want to use this database as the configuration store for a GPOADmin installation in another untrusted domain.

Set the Default database property to the name of your GPOADmin database.

On the Server Roles page, check the public server role.

On the User Mapping page, under Users mapped to this login, check the name of your GPOADmin database. Under Database role membership for the selected database, check db_owner and public. Click OK to close the properties page.

Grant the service account Full Control on each WMI Filter that will be managed by GPOADmin.

Using ADSIEDIT.msc, expand the Default Naming Context partition, open ‘CN=SOM,CN=WMIPolicy,CN=System,DC=domain,DC=com’ and delegate Full control for All descendant objects.

Using GPMC, delegate Link GPOs to the service account on the Site and Domain level (or even on the OU level depending on where GPOADmin is required to manage GPOs), for This container and all child containers, if child containers are needed.

For the service account to run RSoP reports, the Read Group Policy Results data right must be granted. Using GPMC, delegate Read Group Policy Results Data to the service account on the Domain level (or even on the OU level, depending on where GPOADmin is required to perform the RSoP analysis), for This container and all child containers, if child containers are needed.

For each computer that will be targeted during the RSoP analysis, add the service account to that computer’s local Administrators group.

Using GPMC, delegate Create GPOs to the service account on the Group Policy Objects Level.

Using GPMC, delegate Edit settings, Delete, and Modify security to the service account for each existing GPO that will be managed by GPOADmin using GPMC.

For each GPO managed by GPOADmin, verify that the service account has direct ownership of the GPO on the Owner tab of the Advanced Security Settings dialog box.


	NOTE: This step can be automated after GPOADmin has been installed and configured using the GPOADmin.AddServiceAccountToALLGPOs.ps1 PowerShell script located in the Scripts directory of the install directory.

Make the service account the owner of each existing starter GPO to be managed.

Expand the StarterGPOs folder in SYSVOL.

Click the Guid folder of the StarterGPO and select Properties.

Click the Advanced button on the Security tab.

Click Change at the top of the Advanced Security Settings page and select the service account.

Click OK three times.

Repeat this process for each starter GPO.

The service account must be granted Read and Write servicePrincipalName.

Using ADSIEdit, navigate to the service account.

Right-click and select Properties.

Click the Advanced button on the Security tab and click Add.

Click Select a principal and type SELF.

Ensure Read servicePrincipalName and Write servicePrincipalName are selected.

Click OK three times.

An application partition is created prior to running the Group Policy Modeling Report to simulate the live environment during the report execution. It contains a temporary staging container that is deleted once the report has been generated.

Add the GPOADmin service account to the Distributed COM Users security group in each domain that will be reported on.

To have the GPOADmin service create the Application Partition:

Open ADSI Edit and navigate to the Partitions container in the Configuration naming context.

Right-click the CN=Partitions object and select Properties.

Select the Security tab, click Add, and add the GPOADmin service account.

Under Permissions for <Service Account>, enable Allow for the following permissions:

•

Read

•

Write

•

Create all child objects

•

Delete all child objects

Click Advanced, select the service account, and click Edit.

Set Applies to to This object and all descendant objects and enable the following permissions:

•

•

•

•

Click OK to close the Permission Entry for Partitions dialog.

Click OK to close the Advanced Security Settings for Partitions dialog.

Click OK to close the CN=Partitions Properties dialog.

Close ADSI Edit.

To manually create the Application Partition:

•

Create the partition:

Open Command Prompt and type: ntdsutil.

At the ntdsutil command prompt, type: partition management.

At the partition management command prompt, type: connection.

At the server connections command prompt, type: connect to server ServerName.

At the server connections command prompt, type: quit.

At the partition management command prompt, type the following: create nc dc=staging,dc=gpoadmin DomainController.

Where DomainController is the domain controller’s FQDN where you want to create the partition. If you are using a preferred domain controller, this should be the same domain controller. Otherwise this should be the Primary domain controller.

•

Assign access to the service account on the new application partition:

Open ADSI Edit and navigate to the Partitions container in the Configuration naming context.

Right-click the object with the Directory Partition Name "DC=Staging,DC=GPOADmin" and select New Connection to Naming Context.

Select the DC=Staging,DC=GPOADmin context in the left pane.

Right-click the DC=Staging,DC=GPOADmin domainDNS object in the right pane, and select Properties.

Click the Security tab, click Add, and add the GPOADmin service account.

Under Permissions for <Service Account>, enable Allow for the following permissions:

•

Read

•

Write

•

Create all child objects

•

Delete all child objects

Click Advanced, select the service account, and click Edit.

Set Applies to to This object and all descendant objects, and enable the following permissions:

•

Delete

•

Delete subtree

•

Generate resultant set of policy (planning)

Click OK to close the Permission Entry for Staging dialog.

Click OK to close the Advanced Security Settings for Staging dialog.

Click OK to close the DC=Staging,DC=GPOADmin Properties dialog.

Close ADSI Edit.

To ensure that GPOs created in GPMC and then registered in GPOADmin can be deleted and are not missed during a check in, the Service Account must have the Delete Subtree right on the required GPOs.

For each GPO managed by GPOADmin, the Service Account must have ownership of the GPO. This is required in all environments to ensure that modifications made to the delegation of a GPO can be properly applied. You can verify direct ownership of the GPO on the Owner tab of the Advanced Security Settings dialog box.

Repeat steps 7 to 16 for every domain that will require GPOADmin to manage its GPOs.

The service account requires rights to create a Service Connection Point on computers where GPOADmin is installed.

To do so, open ADSIedit.msc or DSA.msc and connect to the Active Directory domain. Navigate to the computer where GPOADmin will installed, the computer properties, and select the Security tab. Grant the service account the following permissions: Create serviceConnectionPoint objects and Delete serviceConnectionPoint objects for This object and all descendant objects.

Install GPOADmin using the service account.

For more information about the installation, see Installing Quest GPOADmin .

Connect to GPOADmin as an Enterprise Admin or the service account.

Only these accounts are granted access to change the configuration during the install of GPOADmin.

Make sure the service account has access to the desired configuration and backup storage locations. Then, step through the Server Configuration Wizard.

You can add GPOADmin trustees to connect to the system or change server properties.

For more information about the configuration, see Configuring the GPOADmin Server .

Once the product has been configured, connect to the GPOADmin console using the service account. Configure any additional administrators and users (trustees) that will connect to the product by
right- clicking the connected domain and selecting Options and then Access. Delegate any roles required by these users through the Version Control Root properties, or any registered OU/GPO within the Version Control Root as necessary.

Connect to GPOADmin as any account granted rights to connect during the Server configuration setup.


	NOTE: The Watcher Service requires that the service account created in step 1 has the “Replicating directory changes” permission on the Default Naming Context (DC=domain, DC=com) and the Configuration Context (CN=Configuration, DC=domain, DC=com) for this object and all descendents.


	NOTE: The service account must have List folder contents, Read, Write, and Modify on the Scripts folder in SYSVOL.

The service account requires the following registry access on the GPOADmin service host computer:

Registry Key

Required service account access

HKEY_LOCAL_MACHINE\SOFTWARE\Quest\
GPOADmin

•

Full Control

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Diagnostics

•

•

•

•

•

•

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog

•

•

•

•

•

•

Open GPMC and add the GPOADmin service account to the Delegations tab for Starter GPOs.

Minimum permissions, rights, and roles required for Microsoft Intune

To register an application with the required permissions:

If you have access to more than one tenant, select your account in the top right corner, and set your portal session to the Azure AD tenant that you are going to use.

Select the Azure Active Directory service, App registrations, New registration.

On the Register an application page:

Enter your application's name. For example, GPOADmin Intune App.

Select the supported account type. For example, Accounts in this organizational directory only (gpoadmin only- single tenant.)

Click Register.

Azure AD assigns a client ID to your app, and the application's Overview page opens where you can now enter additional required information.

Under Manage, select Certificates & Secrets.

Under Certificates, select Upload certificate and upload the .cer file. You will need the matching .pfx file for the certificate when configuring Intune support in the Service Options.

Under Manage, select API permissions, and click Add a permission.

Under Microsoft APIs, select Microsoft Graph.

Select Application permissions.

Under All APIs, select Device Management Configuration, and enable DeviceManagementConfiguration.ReadWrite.All.


	NOTE: User.Read is also a required permission that is added by default.

Under APIs my organization uses, select Microsoft Graph | Application permissions | Group and enable Group.ReadWrite.All.

Under Manage, select API permissions, and click Grant Admin consent for GPOADmin.

Additional requirements to edit Intune objects

To edit Intune objects, you need to create a custom role with the required permissions and assign it to the required Intune user group.

To create a custom role

In the Microsoft Endpoint Manager admin center, select Tenant administration | Roles | All roles.

On the Intune roles - All roles blade, select Create.

On the Basic page, enter Intune Object Editor in the Name field, and click Next.

On the Permissions page, select Device configurations, click Yes for Read and Update (and Assign if you want to allow users to edit Intune object assignments), and click Next.

On the Scope tags page, click Next to move to the Review + Create page.

Review your settings and click Create.

You are now ready to assign the role to the required users. For details on assigning roles, refer to the Microsoft Intune documentation.

Additional required tenant permissions

Before you can perform workflow actions within GPOADmin on Intune objects associated to a tenant, you need to set the required permissions.

To enable the required rights

From the GPOADmin console, right-click the tenant node, select Properties.

Add the required users.

Enable Read, Register, and Report.

Apply the settings.

SQL storage method

Using SQL as the backup repository (storage method), the service account will need the following minimum requirements:

•

Database Creator’s rights in order to create the GPOADmin_Backups Database during the Server Configuration Wizard setup.


	NOTE: Database Creator’s right is only required for the initial creation of the GPOADmin_Backups database. If the database has been pre-created (see Configuring the GPOADmin Server ) by your DB Administrators team then only the following database roles and permissions are required by the GPOADmin service account to access and update the Database: db_datareader, db_datawriter: Permissions to Execute the following GPOADmin stored procedures: quest_qgpm_add_group_to_role quest_qgpm_domainid_pr quest_qgpm_gpoid_pr quest_qgpm_insbackup_p

请选择您的产品：

为向您提供更好的服务，请填写'Purpose of your Chat'（联系目的）：

针对您的问题建议的解决方案

GPOADmin 5.18 - Quick Start Guide

Configuring GPOADmin to use a Group Managed Service Account (GMSA)

Minimum permissions required for the service accounts

Minimum permissions, rights, and roles required for Microsoft Intune

SQL storage method