Quest® GPOADmin
Version 5.0.1
Release Notes
January 2010
Resolved Issues and Enhancements
Quest GPOADmin gives organizations control of Group Policy across the enterprise. Built to augment the Microsoft GPMC, GPOADmin provides comprehensive Group Policy Object (GPO) management with additional features such as offline editing, reporting, archival and restoration, version control, test framework, change notification and approval, and quick rollback in the event that an object change has unexpected results.
Features
· Client/Server Architecture
GPOADmin has a client/server architecture that facilitates granular security and delegation requirements. The application runs under the security context of a privileged service account that must have full access to GPOs in the managed forest.
This architecture allows multiple servers to be installed within the same forest, providing the ability to manage domains independently within the same forest. Clients can connect to any deployed server within any Active Directory forest. GPOADmin maintains a most recently used (MRU) list of servers to which users have previously connected, to facilitate quick subsequent server connections.
· Multi-forest Support
GPOADmin allows you to connect to multiple GPOADmin Servers within the same console. The GPOADmin Server Service can be in a trusted or non-trusted domain/forest. By enumerating all GPOADmin Server Service instances, you can manage all Version Control systems from a single console, which makes it much easier to transition GPOs from a test environment to production.
· Backup Storage
GPOADmin is a directory-enabled application, and all of its application information is usually stored in the configuration container of Active Directory or in Active Directory Application Mode (ADAM/AD LDS). However, you also have the option of choosing Active Directory, ADAM/AD LDS, SQL Server, or network shares for storing the physical backups of GPOs, WMI filters, templates, and Scopes of Management (domain, site, and OU) links held historically in the Version Control system.
· Version Control
GPOs, Scopes of Management, Templates, and WMI Filters each have their own Version Control subsystem, so you can delegate in a granular manner who can edit, create, approve, or reject changes. Each of these objects maintains its own versioning and audit history, so all changes (versions) are tracked and rolled back separately. You have the option of adding history comments (labels) to objects in the Version Control system, which allows you to roll back to an object identified by a specific label.
· Role-based Delegation
GPOADmin allows you to create and define roles, which consist of a set of rights to perform actions on the Version Control system. These roles can be used to delegate user-specific access to resources within the system.
· Templates
Templates represent a collection of GPO settings that you can apply to existing or newly created GPOs. Templates simplify the time-consuming process of recreating GPOs by allowing you to create a single template that you can reuse and distribute across an organization, from central administrators to local administrators in branch offices. These administrators can then create similar GPOs based on the template or create new GPOs that adhere to corporate policy. This provides a mechanism to ensure that group policy settings are consistent across GPOs in your organization.
· Multi-level Approval Process
All changes are made within the Version Control system and are not rolled out into the live production environment until approved by specifically assigned users. The multi-level approval process ensures that all changes have been carefully approved by all members of a hierarchy.
· Scheduled Deployment
Deploying changes within the system is a critical process that affects the live environment. To minimize disruption, this process should be performed when the impact to users is minimal. GPOADmin allows users with the deployment right to schedule changes made in the Version Control system for deployment in the live production environment at a later (scheduled) date and time.
· Compliance Checking
GPOADmin allows you to see if objects have been changed outside the scope of the system in the live enterprise environment. If a discrepancy is found between the last historical backup and the live object, you can do one of the following:
o Restore the object to the most current backup found in the system, overwriting the recent unauthorized live change.
o Accept all live changes as authorized and more up-to-date than what is currently in the system. This automatically backs up those changes into the system and increments the version number of that backup to the next major number.
o Granularly accept live changes as authorized and more up-to-date than what is currently in the system. This automatically backs up only the accepted changes into the system and increments the version number of that backup to the next major number.
This process can be automated by scheduling compliance checks through the Command Line Interface (CLI). If a difference is detected between the last historical backup and the live object, the delegated individual can restore the object, accept the live changes, or leave the live object alone.
· Test Framework
You can test objects offline (in the testing environment) before implementing them (in the live environment). From the Version Control system you can export objects under version control to another test domain or forest and validate your changes. Once you have reviewed and are satisfied with the effects on the target domain, you can then import the changes, check in the object, and mark it ready for approval.
· Link Management
GPOADmin continues to offer delegated users the ability to easily link and unlink the last major version of each GPO in the Version Control system to a Scope of Management in the live environment. All changes related to linking or unlinking a GPO from a Scope of Management must follow the approval workflow implemented through the system.
· Notification System
GPOADmin provides a rich notification system that allows users to monitor a wide variety of Version Control events and to receive immediate detail through e-mail. Users can subscribe to or unsubscribe from the notification service, which is based on granularly defined event triggers such as:
o register/unregister
o check in/out
o create/delete/change approval requests
o approval/rejection of create/delete/change requests
o compliance (deleted, rollback, incorporate live)
o administrative undo of someone's check-out
o link/unlink, and create/delete/edit container
· Real-time and Historical Reports
GPOADmin allows you to generate report templates for quick real-time reporting purposes, as well as simple point-in-time reports for historical reasons. This functionality allows for quick regeneration of live data from the real-time report templates.
· Register Objects with a Predefined Major Version Number
Initially, all objects are unregistered. Once an object is registered, it is available to be checked out and worked on. When an object is added to the system for the first time, it is automatically backed up (stored) in the Version Control system history and labeled with version 1.0. However, if you are migrating from an existing Version Control system, you can set the major version number to any number greater than 1.0 during the registration process.
· Container Hierarchy View
GPOADmin allows you to organize objects within a domain into a user-defined container hierarchy. Each container has its own security descriptor in which trustees can be granted (delegated) roles to define access to the container, a sub-container, or simply a specific object within these containers.
· ADM Template Editor
Administrative template (.adm) files define the GPO settings that are displayed under the Administrative Templates folder in the GPO interface. To distribute a custom registry value to all or some of the computers in an organization, a custom ADM file is often used. To create these files, users must have a working knowledge and understanding of the ADM file language. Although this language is not difficult to learn, it can become cumbersome depending on the complexity of the custom ADM file.
To alleviate the complexity of ADM files, GPOADmin includes the Quest ADM Editor. The ADM Editor allows users to create or manage existing ADM templates through a graphical user interface. For those less experienced with ADM templates, wizards are in place to guide the creation or update of existing ADM templates.
· Quest Group Policy Extensions for Desktops Support
GPOADmin fully supports the backup and restore of Quest Group Policy Extensions client-side extensions through its Version Control system. You can easily report on Quest Group Policy Extensions client-side extension settings through Historical and Differences reports.
· 64-bit Support
GPOADmin can be installed and run on a Windows 64-bit operating system.
· Event ID Logging
All GPOADmin events appear in the Event Viewer with their own event ID (for example, Event ID 1002 is a User approve action). All Event IDs assigned to each action inside the product are published so that the properties can be used with an event logging solution (such as Quest InTrust).
The following best practices exist within Quest GPOADmin:
The following is a list of issues addressed and enhancements implemented in this release of Quest GPOADmin.
| Feature | Resolved Issue | Change Request |
| General | The Working Copy is not deleted from the live environment when a GPO is checked in. | TF#111651 |
| | If selecting file paths for server configuration from a client, the auto-complete list in the path textbox displays paths local to the client which may not be valid on the server. | CR#0229225 |
| | Creating a template with firewall settings enabled will cause an unhandled exception. | CR#0228864 |
| | The GPOADmin service may fail to start on reboot. If this occurs, start the service manually. | CR#0225731 |
| | When running with minimum permissions, you will be unable to deploy a Software Installation package for GPOs with a version of 0.x. | CR#0174142 |
The following is a list of issues known to exist at the time of this Quest GPOADmin release.
| Feature | Known Issue | Change Request |
| Installation | When upgrading to version 5.0.1 using the 64-bit MSI, the SMTP notification information will be removed and must be re-entered after the upgrade is complete. | TF#112571 |
| | When upgrading to version 5.0.1 using the 64-bit MSI, the logging information will be removed and must be re-entered after the upgrade is complete. | TF#112573 |
| | When running GPOADmin on a Windows 7 or Windows Server 2008 R2 operating system, a WMI filter applied to a GPO will not be displayed in the latest or working copy Settings reports. It will only be displayed in the live Settings report. | TF#112572 |
| | When you connect to an ADAM version control server without proper access to it, you may receive the error "The object is not on the server" instead of "Access Denied". | CR#0229307 |
| | If you upgrade from Group Policy Manager 4.1 using the GPOADmin x64 installer, you will need to reconfigure the GPOADmin server. | TF#108220 |
| | After an upgrade to GPOADmin 5.0.1 from Group Policy Manager 4.1.8 or higher, the Group Policy Manager\Quest.Avalanche.Interops.QCMMngr2.dll directory remains. | TF#108210 |
| | When installing GPOADmin for the first time using the silent install, the installation will fail unless the service account has been granted the Logon as Service right. | TF#41984 |
| | When you install the GPMC Extension, the installation architecture must match the architecture of the GPMC. For example, if you choose to install the GPMC Extension on a 64-bit Windows 2003 operating system that is running a 32-bit GPMC, the GPOADmin x86 installer must be used. | - |
| | If you upgrade to GPOADmin 5.0.1 and use a custom port number, the Quest GPOADmin Service has to be manually restarted before you can connect to the GPOADmin server. | TF#64307 |
| | If you are running GPMC during an upgrade, you have to close and re-open it before the GPO Management tab will display. | - |
| | After upgrading, to access reports from the previous version you must change the reports folder path in the User Preferences to point to the old folder. | - |
| ADM Files | Since ADM files have been replaced by ADMX files in Windows Server 2008, Windows Server 2008 R2, Vista and Windows 7, the ADM file cache will be empty in these operating systems. To view ADM files in the Template Editor or the ADM cache, you need to search for the ADM files and add them after installing GPOADmin 5.0.1. | TF#40817 |
| | Custom ADM files added to templates must be in UNICODE. | CR#0229313 TF#109192 |
| Cross-forest Support | If you create a SOM backup in one forest and import it to another, the links will appear as deleted GPOs if those GPOs cannot be accessed from the second forest. | CR#0228454 |
| | When editing a GPO cross-forest, the native GPO editor does not create the ADM folder in Sysvol. | CR#0229227 |
| Connection | If you provide an invalid domain name when connecting to a server using the GPOADmin console, you receive a valid error message but the application must be restarted to attempt a new connection. | TF#104431 |
| Version Control System | The Watcher Service needs to be restarted after changing Configuration Stores. | TF#65408 |
| | Copying multiple objects between containers is not possible. Each version controlled object must be copied separately. | CR#0225943 |
| | Deploying a GPO containing existing Software Installation packages may cause each of those packages to be reinstalled on target workstations. | CR#0222515 |
| | The MMC snap-in may become unresponsive when rolling back changes on 15 or more GPOs in the Check Compliance wizard. | TF#108919 |
| | If selecting file paths for server configuration from a client, the autocomplete list in the path textbox displays paths local to the client which may not be valid on the server. | CR#0229225 |
| | Times displayed in GPOADmin reports will be in the local time zone of the client machine. Any times displayed in the GPMC settings reports will appear in the time zone of the GPOADmin server. | CR#0135484 |
| | When checking for compliance, GPOADmin will not perform a backup if the unauthorized changes result in an object in the same state as the currently stored version. | TF#106505 |
| | If you do not have the appropriate language packs installed, GPOs created using Japanese characters on a Japanese OS will not display on an English OS. | CR#0229308 |
| | After changing storage locations, the individual version information is not transferred from the old storage location to the new. You must keep the old storage server online if you want to still access those individual versions. | CR#0229309 |
| | This version of GPOADmin is only compatible with Group Policy Extensions 3.0. | CR#0228204 |
| | When using the SeizeVCRole.exe utility, if a port is specified with the new server name, the utility assumes that the new server is ADAM. When using an Active Directory Version Control server, the default port of 389 does not need to be specified. | CR#0229311 |
| | GPOADmin will not delete the information stored in the directory when it is uninstalled. The Version Control information may be deleted manually if it is no longer required. GPOADmin uses "working copies" of objects for editing purposes. If the Version Control information is deleted from the server while objects are still pending creation or in a minor version, these working copies may be seen as "Unregistered" if a new instance of the version control information is instantiated. | CR#0229312 |
| | Running the Check Compliance wizard on a root container will include controlled templates. Controlled templates should not be found. | TF#106360 |
| | Performing actions too quickly on a GPO that is still running a previous action may cause the menus/objects to display incorrectly. | TF#105422 |
| | The modified date on a GPO will change to the create date when the GPO is unregistered. | TF#103480 |
| | Working with large (3-5 MB) GPOs in the GPMC Extension has the potential to hang the GPOADmin Service or Watcher Service. | TF#108921 |
| | When you are editing a GPO with both the GPOADmin console and the GPMC Extension open, closing the Group Policy Object Editor may not return you to the expected interface. | TF#91914 |
| | When a registered OU is moved in Active Directory, the OU Distinguished Name will not be updated in the GPOADmin Version Control system. | TF#81397 |
| | The Container-Move and Delete notifications will not be sent. | TF#109869 |
| | When you approve a change to a container, the Container Properties dialog does not reflect this. However, the change has been correctly applied. | TF#109933 |
| | If the ITAD client is installed on the GPOADmin server and the ITAD service is not running, GPOADmin will be unable to deploy GPOs until the ITAD service is configured and running. | TF#112159 |
| Templates | The template conflict report lists the templates in alphabetical order, sorted by GUID. This is not the same as the order in which the templates will be applied. The conflict data in the body of the report is unaffected and is correct. | CR#0228985 |
| | On German language computers, applying a template to a GPO may not apply the ADM settings correctly. Specifically, settings that were enabled in the template may not be enabled in the resulting GPO. | CR#0215478 |
| | On Windows XP, the Template Editor does not display some icons. This does not affect functionality. | CR#0229226 |
| | Creating a template from a GPO as a user requires the Register right instead of the Create right. To work around this, give the user the Register right for that container. | CR#0229280 |
| Group Policy Reports | If the Service Account does not have the correct access to generate Group Policy Results reports, you may receive miscellaneous errors throughout the Report Wizard. To properly generate Group Policy Results reports for a user or computer, the Service Account must have the Read Group Policy Results data permission on the domain or OU that contains the user or computer, or the Service Account must be a member of the local Administrators group on the targeted computer. | CR#0104882 CR#0106937 |
| | The MMC snap-in may become unresponsive when running the Group Policy Object Consistency Report with 5000 or more GPOs. | TF#108930 |
| | The Group Policy Object Settings Search Report does not report on policy settings from the Quest Authentication Services product. | TF#108289 |
| | The Differences report may report/identify invalid changes. | TF#106354 |
| | In the Group Policy Settings and Resultant Set of Policies reports, some dates (for example, Created, Modified and Applied date) will display with the time zone of the GPOADmin Server. | TF#102486 |
| Upgrade and adm files | If you are upgrading from Group Policy Manager 3.1 to Group Policy Manager 4.1 or GPOADmin 5.0.1, the default adm files must be added manually. (The default files included with 4.1 are common.adm, conf.adm, inetcorp.adm, inetres.adm, inetset.adm, system.adm, windows.adm, wmplayer.adm, and wuau.adm.) | CR#0227968 |
| Error message | If the system time is not synchronized between client and server, it can cause misleading error messages. | CR#0228332 |
| User Account | When installing the GPOADmin service on Vista or Windows 2008 with User Account Control turned on, the installer must be launched using elevated privileges. To do this, run the 'Quest GPOADmin.msi' file from an elevated command prompt. | TF#41286 |
Before installing Quest GPOADmin, ensure your system meets the following minimum hardware and software requirements:
Client Install
· 1 GHz processor
· 512 MB RAM or greater
· 100 MB hard disk space
· Video card with 1024x768 resolution monitor
· Windows XP Service Pack 2, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7 operating systems
· MMC 3.0
· .NET Framework 3.5 Service Pack 1
· Must be able to connect to an Active Directory forest
· Microsoft Group Policy Management Console with Service Pack 1 or Remote Server Administration Tools
Server Install
· 1 GHz processor
· 1 GB RAM or greater
· 200 MB hard disk space
· Video card with 1024x768 resolution monitor
· Windows XP Service Pack 2, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7 operating systems
· MMC 3.0
· .NET Framework 3.5 Service Pack 1
· Microsoft Group Policy Management Console with Service Pack 1
· Must be able to connect to an Active Directory forest
· Either ADAM or Active Directory must be available on the network to be used for the application's configuration storage
GPMC Extension
· 1 GHz processor
· 512 MB RAM or greater
· 100 MB hard disk space
· Video card with 1024x768 resolution monitor
· Windows XP Service Pack 2, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7 operating systems
· MMC 3.0
· .NET Framework 3.5 Service Pack 1
· Microsoft Group Policy Management Console with Service Pack 1 or Remote Server Administration Tools
· Must be able to connect to an Active Directory forest
Watcher Service
· 1 GHz processor
· 1 GB RAM or greater
· 200 MB hard disk space
· Video card with 1024x768 resolution monitor
· Windows XP Service Pack 2, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7 operating systems
· .NET Framework 3.5 Service Pack 1
· Microsoft Group Policy Management Console with Service Pack 1 or Remote Server Administration Tools
· Must be able to connect to an Active Directory forest
· Either ADAM or Active Directory must be available on the network to be used for the application's configuration storage
Port Requirements
Outbound: all TCP ports
Note: To run the Version Control server on a custom port in 4.1, you must set the following registry value:
Key: HKLM\Software\Quest Software\Quest GPOADmin\Remoting
Value Name: Port
Value Type: DWord
Valid Values: 1-65536
If this value is not set, the default (port 40200) will be used.
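The following PowerShell is an added example, not part of these release notes or of Quest's own tooling. It reads the Port override described in the note, validates it against the stated range, and reports the port the Version Control server will actually use; it assumes the key above written in PowerShell provider notation (HKLM:\SOFTWARE\Quest Software\Quest GPOADmin\Remoting) and the default of 40200 given in the note.

```powershell
# Added example (not Quest's code). Assumes the Remoting key from the note and
# the default port 40200 it states. Run on the GPOADmin server as an administrator.
$RemotingKey = 'HKLM:\SOFTWARE\Quest Software\Quest GPOADmin\Remoting'
$DefaultPort = 40200

function Get-GpoAdminRemotingPort {
    [CmdletBinding()]
    param([string]$Key = $RemotingKey)

    # The Port value is optional: when absent, the service listens on the default.
    $item = Get-ItemProperty -Path $Key -Name 'Port' -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.Port) {
        return [pscustomobject]@{ Port = $DefaultPort; Source = 'default' }
    }

    # A DWord outside the range the note allows is a misconfiguration; surface it
    # instead of silently falling back, so a client connection failure is explainable.
    # (The note gives 1-65536; TCP port numbers themselves only go up to 65535.)
    $port = [int]$item.Port
    if ($port -lt 1 -or $port -gt 65536) {
        throw "Port value $port under $Key is outside the documented range 1-65536"
    }
    return [pscustomobject]@{ Port = $port; Source = 'registry' }
}

function Set-GpoAdminRemotingPort {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateRange(1, 65535)][int]$Port,
        [string]$Key = $RemotingKey
    )
    # Create the key if the product has not written it yet.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($Key, "Set Port (DWord) = $Port")) {
        # Value type must be DWord, as the note requires.
        New-ItemProperty -Path $Key -Name 'Port' -Value $Port -PropertyType DWord -Force | Out-Null
    }
}

# Usage: report the effective port before and after changing it (-WhatIf previews the write).
$before = Get-GpoAdminRemotingPort
"Version Control port before: $($before.Port) (from $($before.Source))"
Set-GpoAdminRemotingPort -Port 40201 -WhatIf
```

After actually changing the value, restart the Quest GPOADmin Service before clients try to connect (see known issue TF#64307 above).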
From the Quest GPOADmin Server:
GPO Archives
This section contains information about installing and operating this product in non-English configurations, such as those needed by customers outside of North America. This section does not replace the materials about supported platforms and configurations found elsewhere in the product documentation.
This release is Unicode-enabled and supports any character set. It supports simultaneous operation with multilingual data. This release is targeted to support operations in the following regions: North America, Western Europe and Latin America, Central and Eastern Europe, Far-East Asia, Japan.
The Quest GPOADmin release package contains the following products:
1. Quest GPOADmin version 5.0.1
2. Product Documentation, including:
o Quick Start Guide
o User Guide
o Online Help
o What's New
Refer to Quest GPOADmin Quick Start Guide for installation instructions.
Quest Software, Inc.
Refer to our Web site for regional and international office information.
Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract. Quest Support provides around the clock coverage with SupportLink, our web self-service. Visit SupportLink at http://support.quest.com. From SupportLink, you can do the following:
View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policy and procedures. The guide is available at: http://support.quest.com/pdfs/Global Support Guide.pdf.
Note: This document is available in English only.
© 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This document contains proprietary information protected by copyright. The software described in this document is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Quest Software, Inc.
If you have any questions regarding your potential use of this material, contact:
Quest Software World Headquarters
www.quest.com
Refer to our website for regional and international office information.
Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.