Microsoft Advanced Group Policy Management (formerly DesktopStandard GPOVault)
Comprehensive Change Control and Enhanced Management for Group Policy Objects
Published: June 22, 2007

User Guide

GPOVault™ is a Group Policy Management Console (GPMC) extension that provides comprehensive change control and enhanced management for Group Policy Objects (GPOs). GPMC is the platform of choice for centrally administering Group Policy. The free Microsoft console provides excellent support for most aspects of GPO management, but provides no change control features. GPOVault adds change control, notification, approval, rollback, offline editing, templates, and difference reporting directly into the GPMC.

On This Page

Welcome
Installing and Configuring GPOVault
Getting Started with GPOVault
GPOVault Administrator Tasks
Editor Tasks
Approver Tasks
Reviewer Tasks
Troubleshooting
Support
Appendix 1: Introduction to Group Policy
Appendix 2: GPOVault User Interface
Appendix 3: Permissions and Roles Reference
Glossary

Welcome

Welcome to GPOVault™, DesktopStandard’s extension for Group Policy Management Console (GPMC) that provides comprehensive change control and enhanced management for Group Policy Objects (GPOs). GPOVault extends the capabilities of the GPMC, providing such much-needed functionality as:

  • Offline editing for GPOs so that they can be created and tested before being deployed to a production environment

  • Version control so that multiple versions of a GPO can be retained in an archive, available for rollback if needed

  • Role-based delegation so that responsibility for editing, approving, and reviewing GPOs can be shared among multiple people

  • Check-in/check-out capability for GPOs so that multiple Editors cannot inadvertently overwrite each other’s work

  • Difference reporting to quickly analyze changes to the GPO compared to any version stored in the archive

  • GPO templates for beginning with a standard array of settings when creating new GPOs

Tip: Getting started with GPOVault

For setup instructions, see the Installing and Configuring GPOVault section in this user guide.

For an introduction to the concept of change control and how to use GPOVault to apply it, see the Welcome and Getting Started with GPOVault sections. (For an introduction to Group Policy, see Appendix 1: Introduction to Group Policy.)

For step-by-step instructions on how to perform tasks using GPOVault, see the GPOVault Administrator Tasks, Editor Tasks, Approver Tasks, or Reviewer Tasks section as appropriate.

For detailed information on GPOVault menu options, icons, and other aspects of the user interface, see Appendix 2: GPOVault User Interface.

For detailed information on what permissions are associated with specific tasks and roles, see Appendix 3: Permissions and Roles Reference.

In case of any difficulty with GPOVault, see the Troubleshooting and Support sections at the end of this user guide for resources and assistance.

Introduction to GPOVault

Microsoft provides the Group Policy Management Console (GPMC) as the primary product for managing Group Policy in an enterprise. There are many benefits to the GPMC, the main one being that it provides an intuitive interface with a Group Policy-centric view of the environment.

Despite the great value in the GPMC, key capabilities are absent. There is no mechanism for offline editing of the GPOs, there is no mechanism for version control, and the delegation model (albeit powerful) has limitations. The GPMC needs a check-in/check-out mechanism so that changes to the infrastructure can be approved, tracked, and audited. The audit trail is critical with regard to Group Policy because these GPOs are delivering critical standardization, security, and compliance configuration to systems across the enterprise.

Enter GPOVault™ by DesktopStandard. GPOVault has been developed to provide this much needed additional functionality to the GPMC. It extends the GPMC in an intuitive manner that makes adoption of a full change management product easily accessible.

(For a brief introduction to Group Policy concepts, see Appendix 1: Introduction to Group Policy later in this guide.)

Change Control with GPOVault

There was a time when a network administrator could manage the entire network directly and could afford to make and test changes on the live network. The network administrator was the only one making changes to user accounts and device configurations, so there was no issue of conflicting changes coming from multiple Group Policy administrators. You could make and test changes on the live network in evenings or on weekends when no one would be inconvenienced if the network was down for a few hours.

Today, none of those practices are still feasible. Network administration at most companies requires the work of multiple people, who must interact in concert without overwriting each other’s work or jeopardizing the company’s infrastructure. Companies now have customers (and perhaps employees) in so many time zones that their network needs to be online 24×7.

How can an administrator keep the work of multiple Group Policy administrators from conflicting? How can you allow these GP administrators the access they need to get their jobs done without allowing them so much access that they interfere with each other or have too great an opportunity to inadvertently damage the network infrastructure? How can you alter settings in an offline environment so that changes will not immediately affect the network? How can you archive and manage multiple versions of GPO settings?

GPOVault by DesktopStandard adds the much-needed functionality of change control to the Group Policy Management Console. GPOVault extends the GPMC, providing offline editing of GPOs, version control for GPOs, role-based delegation of control, check-in/check-out capability, difference reporting, and GPO templates.

Enterprise and Local Edition

GPOVault is available in two distinct versions, GPOVault Local Edition and GPOVault Enterprise, which are licensed differently.

GPOVault Local Edition

GPOVault Local Edition (also simply referred to as GPOVault) is the standalone version of GPOVault. It is available free of charge and does not require a license. GPOVault Local Edition does not have a server component and uses the native Windows permissions of the Group Policy administrator for all operations.

GPOVault Enterprise

GPOVault Enterprise is the client/server version of GPOVault. With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment, tightening control over these critical archives.

GPOVault Enterprise is licensed per domain controller. To obtain a free evaluation license or to purchase a license for GPOVault Enterprise, contact DesktopStandard Sales at http://www.desktopstandard.com/sales.

New in GPOVault

The following features and enhancements are new in version 2.2 of GPOVault:

  • Report GPO links

  • Backup and restore of GPO links, including option during deployment to restore all links, selected links, or none

  • Change permissions on multiple GPOs at once

  • General section added to settings reports, including details, links, security filtering, WMI filtering, and delegation

The following features and enhancements were first incorporated into version 2.1 of GPOVault:

  • Extensions tab added to all GPOs and Group Policy links displayed in the GPMC

  • Delegate privileges to built-in security principals and computers

  • Add a license by running the install through Add or Remove Programs and selecting Modify

  • Change the owner of a GPO upon deployment

  • Display the names and dates modified of both GPOs compared in an XML-based difference report

Installing and Configuring GPOVault

This section includes instructions and helpful tips for installing GPOVault and upgrading archives from a previous version of GPOVault, as well as information about configuration and licensing.

Prerequisites

To install GPOVault, you must first have the Group Policy Management Console (GPMC) installed. You can download the GPMC through the Group Policy home page at http://www.microsoft.com/GroupPolicy. The GPMC runs on Windows Server 2003 and Windows XP with SP1 or later. For Windows XP SP1 systems, an additional QFE (a patch, which is included in XP SP2) is required.

Installing GPOVault

GPOVault Enterprise includes separate installers for the server and clients. GPOVault Local Edition includes only the client installer.

Tip: Upgrading GPOVault

If you are upgrading from a previous version of GPOVault, see Upgrading Archives from a Previous Version later in this section.

If you are upgrading from GPOVault 2.2 to GPOVault Enterprise 2.2, you must perform the server installation (see below), but you do not need to reinstall the client on systems where GPOVault 2.2 is already installed, nor do you need to upgrade GPOVault 2.2 archives.

Server Installation (GPOVault Enterprise Only)

With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment.

GPOVault Enterprise should be installed only on the member server that will host the GPOVault Service. To install the GPOVault Service on a server:

  1. Double-click the gpovents.msi file.

  2. In the Welcome dialog box, click Next.


  3. In the License Agreement dialog box, accept the terms and click Next.

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next.

  5. In the Setup Type dialog box:

    • To accept the default root installation folder: Click Complete -> Next.

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.

  6. In the GPOVault Service Account dialog box, select a service account under which the GPOVault service will run, then click Next.


    Tip: Selecting the GPOVault Service Account

    The GPOVault Service Account must have full access to the GPOs that it will manage and Log On As A Service permission. If you will be managing GPOs on a single domain, you can make the Local System account for the primary domain controller the GPOVault Service Account.

    If you will be managing GPOs on multiple domains or if a member server will be the GPOVault server, you should configure a different account as the GPOVault Service Account since the Local System account for one domain controller would be unable to access GPOs on other domains.

  7. In the GPOVault Owner dialog box, click Browse, select a single account to serve as the GPOVault Owner, then click Next.


  8. In the License Import dialog box, click Browse and select the GPOVault Enterprise license that you have obtained from DesktopStandard, then click Next.

    Obtaining a license

    To obtain a free evaluation license for GPOVault Enterprise or to purchase a license, contact DesktopStandard Sales at http://www.desktopstandard.com/sales.

  9. Click Install to proceed.

  10. Click Finish to exit the wizard.


After GPOVault Enterprise Server is installed, you can start and stop the GPOVault service by clicking Start -> Control Panel -> Administrative Tools -> Services, then right-clicking GPOVault Service and selecting Start or Stop.

Client or Standalone Installation

GPOVault should be installed on the systems of Editors, Approvers, and Reviewers—anyone who creates, edits, deploys, reviews, or deletes GPOs. It is not necessary to install GPOVault on the systems of end-users of your network who do not perform these tasks.

If you are upgrading from GPOVault 2.2 to GPOVault Enterprise 2.2, you do not need to reinstall GPOVault on any client systems where GPOVault is already installed. However, the GPOVault Service must be installed on the server as described in the previous section.

To install GPOVault Enterprise – Client or GPOVault Local Edition:

  1. Double-click the gpoventc.msi file (for GPOVault Enterprise – Client) or gpovault.msi file (for GPOVault Local Edition).

  2. In the Welcome dialog box, click Next.


  3. In the License Agreement dialog box, accept the terms and click Next.

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next.

  5. In the Setup Type dialog box:

    • To accept the default root installation folder: Click Complete -> Next.

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.

  6. Click Install to proceed.

  7. Click Finish to exit the wizard.


GPOVault Enterprise: Ownership of the vault is initially set during installation of GPOVault Enterprise. (The GPOVault Owner can later be changed only by deleting a particular registry key and then modifying the installation. For instructions or assistance, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support. (See the Support section of this guide for contact information.)) Additional delegations should be configured for other Group Policy administrators.

GPOVault Local Edition: After GPOVault is installed, the first person to launch the GPMC is granted ownership of the vault. (The owner cannot be changed except by reinstalling GPOVault.) The permission granted to this user is Full Control and is displayed in the details pane on the Domain Delegation tab when the Change Control node is selected. Additional delegations should be configured for other Group Policy administrators.

Upgrading Archives from a Previous Version

If upgrading from a previous version of GPOVault to version 2.2, you must upgrade each archive database file created using the previous version so that it will function with version 2.2. Performing this upgrade is independent of the installation of GPOVault Enterprise 2.2 or GPOVault 2.2, but is required only once for each archive.

WARNING: Upgrading archives will reset security

Upgrading the archives will remove all security descriptors from the archive database and therefore will reset all domain- and GPO-level security for GPOs.

Additionally, the GPOVault Owner will be reset. In GPOVault Local Edition, the owner will become the first person to launch the GPMC after this upgrade. In GPOVault Enterprise, the owner will become the GPOVault Owner selected during the initial server installation.

To upgrade archives from a previous version of GPOVault:

  1. After installing GPOVault 2.2 or GPOVault Enterprise 2.2, click Start -> Programs -> Accessories -> Command Prompt.

  2. Enter cd C:\Program Files\DesktopStandard\GPOVault\Tools and press Enter. (If you selected an installation folder for GPOVault other than the default, navigate within that folder to \DesktopStandard\GPOVault\Tools.)

  3. Enter upgrade <ArchivePath>\gpostate.xml where <ArchivePath> is the full path to the archive to be upgraded, then press Enter.

    • In GPOVault Enterprise, the default archive path within the host selected is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

    • In GPOVault Local Edition, the default archive path is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive


  4. Delegate access at the domain level and/or to individual GPOs. (See Delegating Domain-Level Access and Delegating Access to an Individual GPO in the GPOVault Administrator Tasks section of this guide.)

The old archive database file is backed up to gpostate.xml.bak, and the updated archive can now be displayed via the Change Control node of the Group Policy Management Console.

Configuring GPOVault

See the Getting Started with GPOVault section of this guide for an overview of and tips on how to begin using GPOVault to manage GPOs in your organization more effectively.

To enable GPO administrators in a multi-user environment to use the capabilities of GPOVault and to delegate access to GPOs either individually or at the domain level, see the GPOVault Administrator Tasks section in this guide. For additional information on delegation using GPOVault, see Appendix 3: Permissions and Roles Reference.

Selecting an archive location

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that is accessible to all Group Policy administrators, such as a shared folder (\\<servername>\<archive>) or a host server. For more information, see the GPOVault Administrator Tasks section in this guide.

File system permissions

GPOVault Enterprise: Membership in the Group Policy Creator Owners group should be restricted so that it is not used to circumvent GPOVault management of access to GPOs. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

GPOVault Local Edition: All GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions for the archive location. In native Group Policy, Editors and Approvers must be members of the Group Policy Creator Owners group or have delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

Licensing

GPOVault Local Edition does not require a license. (For information about the differences between GPOVault Enterprise and GPOVault Local Edition, see the Welcome section in this guide.)

GPOVault Enterprise is licensed per domain controller. To obtain a free evaluation license or to purchase a license for GPOVault Enterprise, contact DesktopStandard Sales at http://www.desktopstandard.com/sales.

After your license request is approved, a license key will be emailed to you. You can import the license key during the installation of the server component of GPOVault Enterprise, by modifying the installation of the server component of GPOVault Enterprise, or manually.

Importing a License (GPOVault Enterprise Only)

If you have not yet installed GPOVault Enterprise

If you have received a license key file from DesktopStandard and have not yet installed the server component of GPOVault Enterprise, you can import the license during the installation process. See Server Installation earlier in this guide.

To add a license key if you have already installed the server component of GPOVault Enterprise:

  1. On the server on which GPOVault Enterprise is installed, click Start -> Control Panel -> Add or Remove Programs.

  2. Click GPOVault™ Enterprise, then Change.

  3. In the Welcome dialog box, click Next.

  4. In the Program Maintenance dialog box, click Modify -> Next.

  5. In the Custom Setup dialog box, click Next.

  6. In the License Import dialog box, click Browse and select the license.xml file that you received from DesktopStandard. Click Next.

  7. Click Install to proceed.

  8. Click Finish to exit the wizard.

  9. Click Start -> Control Panel -> Administrative Tools -> Services, then right-click GPOVault Service and select Restart to apply the license.

You have imported the license for GPOVault Enterprise. Because GPOVault Enterprise is licensed per domain controller through the server component, it is not necessary to deploy the license to clients or to GPOs.

Manually Importing a License (GPOVault Enterprise Only)

To manually add a license key if you have already installed the server component of GPOVault Enterprise, stop the GPOVault Service, copy the license.xml file to %AllUsersProfile%\Application Data\DesktopStandard\GPOVault, and then restart the GPOVault Service.

Getting Started with GPOVault

This section provides you with an overview of the key concepts needed for using GPOVault, along with tips on where to find additional information.

GPO Development with Change Control

A network administrator who has also worked in a position that includes development tasks may already be familiar with applications such as Microsoft Visual SourceSafe that provide change control (also called version control or source code control) for programming development. If your career path has not taken that direction, the concept of change control may be new to you.

GPO development using GPOVault

The terms check in and check out are used in much the same way as in a library. To use a book that is in a library, you check it out from the library. No one else can use it while you have it checked out. When you are finished with the book, you check the book back into the library so that others can use it.

With GPOVault, you check out a copy of a GPO from the vault to edit it. The state of the GPO will be identified in the GPMC as checked out, preventing any other Editors from editing it. When you are finished editing the GPO, you check the GPO into the vault so that it can be edited by others, reviewed, or deployed to the production environment.

Roles-Based Delegation

GPOVault provides a comprehensive roles-based delegation model that is easy to use. Permissions in the context of GPOVault are focused on three levels: forest, domain, and GPO. The forest-level permissions provide access to all domains to be included. Domain-level permissions allow GPOVault Administrators to provide access to individual domains without providing access to other domains. GPO-based delegation provides the finest level of permissions in the environment. This enables GPOVault Administrators to allow access only to specific GPOs. Together, the three levels provide a rich delegation model that tightens control of your critical configuration data.

Within GPOVault, there are specifically defined roles. These roles are GPOVault Administrator (Full Control), Approver, Reviewer, and Editor. GPOVault provides a GPOVault Administrator with the flexibility to customize GPO access to fit the needs of your organization. By default, only Approvers have the power to deploy GPOs to the production environment, protecting the environment from inadvertent mistakes by less experienced Editors. Also by default, Reviewers are able to view GPO settings in reports without being able to alter the GPO settings. However, with custom permissions, a GPOVault Administrator can give Editors permission to deploy GPOs, Reviewers the ability to edit GPOs, senior Editors full access to GPOs, or any special combination of permissions needed to fit the unique requirements of your organization.

Default Permissions for Roles

[Table: default permissions by role. Columns: List Contents, Read Settings, Edit Settings, Create GPO, Deploy GPO, Delete GPO, Modify Options, Modify Security, Create Template. Rows: Reviewer, Editor, Approver, GPOVault Administrator (Full Control). Key: a marked cell means that, by default, this role has these permissions.]

Tip: Roles, permissions, and delegation

For detailed information on which permissions are required for particular tasks in GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

Delegation in a Multiple Editor Environment

In an environment where multiple Group Policy administrators make changes to GPOs, a GPOVault Administrator delegates permission to an Editor or Editors to make changes to a GPO. Once an Editor has finished making changes, the GPO is submitted to Reviewers (such as peer Editors or Approvers) for review, and finally an Approver deploys the GPO to the production environment.

A typical development process for an Editor and an Approver


Tip: How do I...?

The tasks section of this guide is separated by role. For example, step-by-step instructions for tasks typically performed by an Editor are provided in the Editor Tasks section. Because all roles include the role of Reviewer, however, information on reviewing settings and comparing GPOs is provided in the Reviewer Tasks section.

Finding the Change Control Node

GPOVault adds a Change Control node to each domain displayed in the Group Policy Management Console. In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree. Each domain has a Change Control node under it, and there is one archive (or vault) per domain.


Tip: GPOVault user interface

For detailed information on GPOVault controls, menus, icons, and settings, including those not accessed through the Change Control node, see Appendix 2: GPOVault User Interface in this guide.

GPOVault Administrator Tasks

In an environment in which multiple people develop GPOs, GPOVault provides the flexibility to choose whether all GPOVault users perform the same tasks and have the same level of access or whether GPOVault Administrators delegate control to Editors who make most changes to GPOs and to Approvers who then deploy GPOs to the production environment. GPOVault Administrators can configure permissions for GPOVault users to meet the needs of your organization.

This section provides information on using GPOVault to perform tasks that are typically the responsibility of a GPOVault Administrator, such as modifying domain-wide and vault-wide options and configuring permissions for GPOVault users. By default, a GPOVault Administrator is an individual with Full Control—all GPOVault permissions. The Modify Options and Modify Security permissions are unique to the role of GPOVault Administrator.

Tip: Creating, editing, deploying, or deleting GPOs

For information on creating, deploying, or deleting GPOs, see the Approver Tasks section in this guide.

For information on editing, renaming, labeling, or archiving GPOs, creating templates, or setting a default template, see the Editor Tasks section in this guide.

For information on reviewing settings and comparing GPOs, see the Reviewer Tasks section in this guide.

Tip: File system permissions

GPOVault Enterprise: Membership in the Group Policy Creator Owners group should be restricted so that it is not used to circumvent GPOVault management of access to GPOs. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

GPOVault Local Edition: All GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions for the archive location. In native Group Policy, Editors and Approvers must be members of the Group Policy Creator Owners group or have delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)
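One way to check the Group Policy Creator Owners restriction described in this tip and in the File system permissions section earlier in the guide, as an added example that is not part of GPOVault or of this guide. It goes one step beyond the text by also listing principals that hold edit rights on live GPOs. The domain name, both allow-lists and the svc-gpovault account are placeholders, and the ActiveDirectory and GroupPolicy PowerShell modules are assumed to be installed.

```powershell
# Added example, not GPOVault code. Domain and account names are placeholders.
param(
    [string]   $Domain          = 'example.test',
    # Accounts that are expected in Group Policy Creator Owners.
    [string[]] $AllowedCreators = @('Administrator'),
    # Principals that are expected to hold edit rights on live GPOs
    # (svc-gpovault stands in for the GPOVault Service Account).
    [string[]] $AllowedEditors  = @('Domain Admins', 'Enterprise Admins',
                                    'SYSTEM', 'svc-gpovault')
)

Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# Permission levels that allow a GPO to be changed outside the vault.
# GpoCustom is included because a custom ACE may contain write rights
# and has to be reviewed by hand.
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = @(
    # Check 1: anyone in Group Policy Creator Owners (nested groups
    # expanded) who is not on the allow-list can create GPOs directly.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive -Server $Domain |
        Where-Object { $AllowedCreators -notcontains $_.SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Check     = 'Group Policy Creator Owners member'
                Gpo       = ''
                Principal = $_.SamAccountName
                Right     = 'Create GPO'
            }
        }

    # Check 2: principals with edit rights on a live GPO who are not on
    # the allow-list can bypass check-out, review and approval.
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object { $editRights -contains $_.Permission.ToString() } |
            ForEach-Object {
                # Unresolvable (orphaned) SIDs have no name; report the SID.
                $who = if ($_.Trustee.Name) { $_.Trustee.Name }
                       else { $_.Trustee.Sid.Value }
                if ($AllowedEditors -notcontains $who) {
                    [pscustomobject]@{
                        Check     = 'Edit right on live GPO'
                        Gpo       = $gpo.DisplayName
                        Principal = $who
                        Right     = $_.Permission.ToString()
                    }
                }
            }
    }
)

if ($findings.Count -gt 0) {
    Write-Warning "$($findings.Count) delegation(s) outside the allow-lists."
}
$findings | Sort-Object Check, Gpo, Principal | Format-Table -AutoSize
```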

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By providing a share path to or specifying a server for the archive, this archive can be used by multiple Group Policy administrators.


To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display. (Automatically detect server will be available in future versions of GPOVault.):

    • GPOVault Enterprise: Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600, and the path within the server is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive. (This path can be modified using an advanced procedure. For details, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance. (See the Support section of this guide.))

    • GPOVault Local Edition: Click Use a local or shared folder archive. Enter a path for the archive, or click the browse button to navigate to a location. (By default, the archive is stored in %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive, but it can be stored anywhere on a file system.)

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Selecting an archive location

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that is accessible to all Group Policy administrators, such as a shared folder or a host server.

The location selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Delegating Domain-Level Access

Set up the delegation model for your environment so that the delegated GPO administrators will have the appropriate access to and control over GPOs. There are baseline permissions to be applied that will make the operation of GPOVault more efficient, but permissions can be granted in any manner that meets the needs of your organization.

To delegate access so that selected users and groups have certain permissions to all GPOs throughout a domain:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Click the Domain Delegation tab, then click the Advanced button.

  3. On the Permissions dialog box, click the checkbox for each role to be assigned to an individual, then click the Advanced button. (Note: Editor and Approver include Reviewer permissions.)

  4. On the Advanced Security Settings dialog box, select a GPO administrator and click Edit.

  5. For Apply onto, select This object and nested objects, configure any special permissions beyond the standard GPOVault roles, then click OK on the Permission Entry dialog box.


  6. On the Advanced Security Settings dialog box, click OK.

  7. On the Permissions dialog box, click OK.


Tip: Delegating read access to GPOVault

To delegate read access to any Group Policy administrators who use GPOVault, you must grant them List Contents as well as Read Settings permissions. This will enable them to view GPOs on the Contents tab of GPOVault. Set the permission to apply to This object and nested objects. Other permissions must be explicitly delegated. For details on GPOVault permissions, see Appendix 3: Permissions and Roles Reference in this guide.

Tip: Provide Editors with read access to deployed GPOs

Editors must have Read permission for the deployed copy of a GPO to make full use of Microsoft’s Software Installation extension to Group Policy. For more information, see Software Installation Extension Fails to Install Software in the Troubleshooting section of this guide.

Delegating Access to an Individual GPO

A GPOVault Administrator can delegate the management of a controlled GPO so that selected groups and Editors can edit it, Reviewers can review it, and Approvers can approve it.

To delegate the management of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display controlled GPOs, then click the GPO to delegate.

  3. Click the Add button, then select the users or groups to be permitted access, then click OK.

  4. To customize the permissions for each, click the Advanced button on the Contents tab and check role permissions to allow or deny. (For more detailed control, click Advanced in the Permissions dialog box.)

  5. Click Apply -> OK in the Permissions dialog box window.

Configuring Email Notification

When an Editor or Reviewer attempts to create, deploy, or delete a GPO, a request for this action is sent to a designated email address or addresses. An Approver must approve these actions for them to be implemented.

To configure email notification for GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Domain Delegation tab.

  3. In the From field, enter the email alias for GPOVault from which notifications to Approvers will be sent.

  4. In the To field, enter valid email addresses for all Approvers who should receive requests for approval.

  5. In the SMTP server field, enter a valid SMTP mail server.

  6. In the User name and Password fields, enter the credentials of a user with access to the SMTP service.

  7. Click Apply.

Tip: Email configuration—a domain-level setting

Email notification for GPOVault is a domain-level setting. You can provide different Approver email addresses or GPOVault aliases on each domain’s Domain Delegation tab, or use the same addresses throughout your environment.

Starting and Stopping the GPOVault Service (GPOVault Enterprise Only)

The GPOVault Service enables clients to manage live and archived GPOs and enforces the GPOVault delegation model, providing a level of security beyond that available with Windows alone.

To start or stop the GPOVault Service:

  1. On the GPOVault server, click Start -> Control Panel -> Administrative Tools -> Services.

  2. In the list of services, right-click GPOVault Service and select Start, Restart, or Stop. (For additional options, double-click GPOVault Service.)

Tip: Stopping the GPOVault Service
Stopping or disabling the GPOVault Service will prevent GPOVault clients from performing any operations (such as listing or editing GPOs) through the server.

Modifying the GPOVault Service Account (GPOVault Enterprise Only)

The GPOVault Service is the Windows service that enables GPOVault clients to manage live and archived GPOs and enforces the GPOVault delegation model, providing a level of security beyond that available with Windows alone. If this service is stopped or disabled, GPOVault clients cannot perform operations through the server.

Tip: Selecting the GPOVault Service Account

The GPOVault Service Account must have full access to the GPOs that it will manage and Log On As A Service permission. If you will be managing GPOs on a single domain, you can make the Local System account for the primary domain controller the GPOVault Service Account.

If you will be managing GPOs on multiple domains or if a member server will be the GPOVault server, you should configure a different account as the GPOVault Service Account since the Local System account for one domain controller would be unable to access GPOs on other domains.

The GPOVault Service Account is initially selected during the Server Installation of GPOVault Enterprise. To modify the GPOVault Service Account after installation:

  1. In Windows, click Start -> Control Panel -> Administrative Tools -> Services.

  2. In Services, double-click GPOVault Service.

  3. Click the Log On tab and select an account to serve as the GPOVault Service Account, then click OK.

Editor Tasks

This section provides information on using GPOVault to perform tasks that are typically the responsibility of an Editor—a person authorized by a GPOVault Administrator to make changes to GPOs. By default, an Editor has permission to list the contents of GPOs, read GPO settings, edit GPO settings, delete a GPO, rename a GPO, create a GPO template, and set the default template.

Tip: Reviewing settings and comparing GPOs

Because the permissions of an Editor include all those of a Reviewer, an Editor can also review settings and compare GPOs. See Reviewing Settings and Comparing GPOs under the Reviewer Tasks section in this guide for details.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display. (Automatically detect server will be available in future versions of GPOVault.):

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the archive location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Creating, Controlling, or Archiving a GPO

To use GPOVault to provide change control for a GPO, you must first control the GPO with GPOVault. New GPOs created through the Change Control node will automatically be controlled. As an Editor, you may not have permission to complete the control, creation, or deletion of a GPO, but you do have the permission necessary to begin the process and submit your request to an Approver.

Requesting Control of a Previously Uncontrolled GPO

To control a previously uncontrolled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Uncontrolled tab to display the uncontrolled GPOs.

  3. Right-click the GPO to be controlled with GPOVault, then click Control.

  4. Unless you have special permission to control GPOs, you must submit a request for control. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History of the GPO and click Submit.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be removed from the list on the Uncontrolled tab and added to the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Uncontrolled tab.

Requesting the Creation of a New Controlled GPO

To create a new GPO with change control managed through GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Right-click the Change Control node, then click New Controlled GPO.

  3. Unless you have special permission to create GPOs, you must submit a request for creation. In the New Controlled GPO dialog box:

    1. To receive a copy of the request, enter your email address in the Cc field.

    2. Enter a name for the new GPO.

    3. Optional: Enter a comment for the new GPO.

    4. To deploy the new GPO to the production environment immediately upon approval, click Create live. To create the new GPO offline without immediately deploying it upon approval, click Create offline.

    5. Select the GPO template to use as a starting point for the new GPO.

    6. Click Submit.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new GPO will be displayed in the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be destroyed.

Archiving a GPO

If changes are made to a GPO outside of GPOVault, you can perform an archive operation to save a copy of the currently deployed version of a GPO to the vault, bringing them to a consistent state.

To archive a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO, then click Archive.

  4. Enter a comment for the audit trail of the GPO, then click OK.

Editing a GPO

If the GPO is not yet controlled by GPOVault, request control of the GPO. (See Creating, Controlling, or Archiving a GPO.)

To make changes to a GPO offline without immediately impacting the deployed version of the GPO, check out a copy of the GPO from the vault. Once changes are complete, check the GPO back into the vault and request deployment of the GPO to the production environment.

Checking out a GPO

To check a GPO out from the vault for editing:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs. Right-click the GPO to be edited, then click Check Out.

  3. Enter a comment to be displayed in the History of the GPO while it is checked out, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked Out.

Editing a GPO Offline

To make changes to a controlled GPO, you must first check out the GPO.

To edit a GPO offline:

  1. On the Controlled tab, right-click the GPO to be edited, then click Edit.

  2. A Group Policy Object Editor window will open to enable you to make changes to an offline copy of the GPO. When changes are complete, close the Group Policy Object Editor.

Tip: Using Software Installation packages

When editing a GPO, any Software Installation upgrade of a package in another GPO should reference the deployed GPO, not the checked out copy. (For more information, see Software Installation Extension Fails to Install Software under Troubleshooting.)

Using a Test Environment

If you use a testing organizational unit (OU) to test GPOs before deployment to the production environment, you must have the necessary permissions to access the test OU.

To use a test OU:

  1. While you have the GPO checked out for editing, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects.

  2. Click the checked out copy of the GPO to be tested. The name will be preceded with [Checked Out]. (If it is not listed, click Action -> Refresh. Sort the names alphabetically, and [Checked Out] GPOs will typically appear at the top of the list.)

  3. Drag and drop the GPO to the test OU.

  4. Click OK in the dialog box asking whether to create a link to the GPO in the test OU.

When testing is complete, checking in the GPO will automatically delete the link to the checked out copy of the GPO.

Checking in a GPO

To check a GPO into the vault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

    • If no changes have been made to the GPO, right-click the GPO and click Undo Check Out, then click Yes to confirm.

    • If changes have been made to the GPO, right-click the GPO and click Check In.

  3. Enter a comment to be displayed in the audit trail of the GPO, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

Requesting Deployment of a GPO

To request the deployment of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be deployed and click Deploy.

  4. Unless you have special permission to deploy GPOs, you must submit a request for deployment. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History for the GPO, then click Submit.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab and deployed.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Controlled tab.

Labeling a Version of a GPO

To insert a label into the History of a GPO (for example, to serve as a marker of a known good version for rollback):

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to label, then click Label.

  4. Enter a label and a comment to be displayed in the History of the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

Renaming a GPO or Template

To rename a GPO or template:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled or Templates tab to display the item to rename.

  3. Right-click the GPO or template to rename and click Rename.

  4. Enter the new name for the GPO or template and a comment, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO or template now appears under the new name on the Contents tab.

Tip: Deployed GPO name is updated upon redeployment

When you rename a GPO that has been deployed, only the name displayed in the archive is immediately updated. The name of the deployed copy in the production environment is updated when the GPO is redeployed.

Until the GPO is redeployed (or the production copy is deleted), the old GPO name is still in use in the production environment and therefore cannot be used for another GPO. Likewise, the archive copy cannot be renamed back to its original name until the GPO has been deployed (updating the name of the production copy) or the production copy has been deleted.

Creating a Template and Setting a Default Template

Creating a GPO template enables you to save all of the settings of a particular version of a GPO to use as a starting point for creating new GPOs and to share that template with other Group Policy administrators. As an Editor, you can also specify which of the available templates will be the default template for all Group Policy administrators creating new GPOs.

Tip: Templates

A template is an uneditable, frozen version of a GPO for use as a starting point for creating new, editable GPOs. Renaming or deleting a template does not impact GPOs created from that template. Because it cannot be altered, a template does not have a history.

Creating a Template

To create a template based on an existing GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled or Uncontrolled tab to display available GPOs.

  3. Right-click the GPO from which you want to create a template, then click Save as Template.

  4. Enter a name for the template and a comment, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new template now appears on the Templates tab.

Setting a Default Template

To set the default template for all Group Policy administrators to use when creating new GPOs:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Templates tab to display available templates.

  3. Right-click the template that you want to set as the default, then click Set as Default.

  4. Click Yes to confirm.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The default template will have a blue icon and the state will be identified as Template (default) on the Templates tab.

Tip: The default template—an option, not a requirement

After you set a template as the default, that template will be the one initially selected in the New Controlled GPO dialog box when Group Policy administrators create new GPOs. However, they will have the option to select a different GPO template, including <Empty GPO>, which does not include any settings.

Deleting a GPO

As an Editor, you may not have permission to complete the deletion of a GPO, but you do have the permission necessary to begin the process and submit your request to an Approver.

To request the deletion of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

    Unless you have special permission to delete GPOs, you must submit a request for deletion of the deployed GPO. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the audit trail for the GPO, then click Submit.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Recycle Bin tab, where it can be restored or destroyed.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Controlled tab.

Tip: Only controlled GPOs can be deleted from the vault

A GPO must be controlled by GPOVault before it can be deleted from the vault.

To delete an uncontrolled GPO from the production environment without first controlling it, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects. Right-click the uncontrolled GPO, then click Delete.

Approver Tasks

This section provides information on using GPOVault to perform tasks that are typically the responsibility of an Approver—a person authorized by a GPOVault Administrator to create, deploy, and delete GPOs and to approve or reject requests to create, deploy, or delete GPOs. By default, an Approver has permission to list GPOs, read GPO settings, create GPOs, deploy GPOs, and delete GPOs. Also, if an Approver creates or controls a GPO, that Approver has full control over it and so can perform tasks normally associated with an Editor on that GPO.

Tip: Reviewing settings and comparing GPOs

Because the permissions of an Approver include all those of a Reviewer, an Approver can also review settings and compare GPOs. See Reviewing Settings and Comparing GPOs under the Reviewer Tasks section in this guide for details.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display. (Automatically detect server will be available in future versions of GPOVault.):

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Approving or Rejecting a Pending Action

The core responsibility of an Approver is to evaluate and then approve or reject requests for GPO creation, deployment, and deletion from Editors or Reviewers who do not have permission to complete those actions. The report capabilities of GPOVault can assist an Approver with evaluating a new version of a GPO.

To approve or reject a pending request:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Pending tab to display the pending GPOs.

  3. Right-click a pending GPO, then click either Approve or Reject.

  4. If approving deployment, to review links to the GPO, click Advanced in the Approve Pending Operation dialog box. Move the mouse cursor over a node in the tree to display details. By default, all links to the GPO will be restored. To prevent a link from being restored, clear the checkbox for that link. To prevent all links from being restored, clear the Restore Links checkbox in the Deploy GPO dialog box.

  5. Click Yes or OK to confirm approval or rejection of the pending action. If you have approved the request, the GPO will be moved to the appropriate tab for the action performed.

Tip: Email notification

If an Approver’s email address is included in the To field on the Domain Delegation tab, the Approver will receive email from the GPOVault alias when an Editor or Reviewer submits a request.
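
The request, approval, and withdrawal movements between tabs described in the Editor and Approver procedures, modelled as an added Python example (not part of GPOVault or of this guide). All class and function names, the sample users, and the GPO name are constructed for illustration. The rule that only the requester may withdraw is an assumption, and rejection is not modelled because the guide does not state which tab a rejected GPO returns to.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Tab(Enum):
    UNCONTROLLED = "Uncontrolled"
    PENDING = "Pending"
    CONTROLLED = "Controlled"
    RECYCLE_BIN = "Recycle Bin"


class Role(Enum):
    EDITOR = "Editor"
    APPROVER = "Approver"


# action -> (tab the GPO must be on, tab it is on once the action completes),
# taken from the tab movements the guide gives for each procedure.
ACTIONS = {
    "control": (Tab.UNCONTROLLED, Tab.CONTROLLED),
    "deploy": (Tab.CONTROLLED, Tab.CONTROLLED),
    "delete": (Tab.CONTROLLED, Tab.RECYCLE_BIN),
}


@dataclass
class User:
    name: str
    role: Role


@dataclass
class Gpo:
    name: str
    tab: Tab = Tab.UNCONTROLLED
    deploy_count: int = 0                      # deployments made through the vault
    pending: Optional[Tuple[str, str]] = None  # (action, requester name)
    history: List[Tuple[str, str, str]] = field(default_factory=list)


def _complete(gpo, action, actor, comment):
    """Carry out the action and record it in the GPO's history."""
    gpo.tab = ACTIONS[action][1]
    if action == "deploy":
        gpo.deploy_count += 1
    gpo.pending = None
    gpo.history.append((actor.name, action, comment))


def submit(gpo, action, actor, comment):
    """Start an action: an Approver completes it, an Editor queues a request.

    Models the default roles only; the guide notes that users can be given
    special permission to complete these actions themselves.
    """
    start_tab = ACTIONS[action][0]
    if gpo.tab is not start_tab:
        raise ValueError(f"{action} needs the GPO on the {start_tab.value} tab")
    if actor.role is Role.APPROVER:
        _complete(gpo, action, actor, comment)
    else:
        gpo.pending = (action, actor.name)
        gpo.tab = Tab.PENDING
        gpo.history.append((actor.name, "request " + action, comment))
    return gpo.tab


def approve(gpo, actor):
    """Only an Approver can turn a pending request into the real action."""
    if actor.role is not Role.APPROVER:
        raise PermissionError(f"{actor.name} is not an Approver")
    if gpo.pending is None:
        raise ValueError("nothing is pending for this GPO")
    action, requester = gpo.pending
    _complete(gpo, action, actor, "approved request from " + requester)
    return gpo.tab


def withdraw(gpo, actor):
    """Return a pending GPO to the tab it was on before the request."""
    if gpo.pending is None:
        raise ValueError("nothing is pending for this GPO")
    action, requester = gpo.pending
    if actor.name != requester:  # assumption: only the requester may withdraw
        raise PermissionError(f"{actor.name} did not submit this request")
    gpo.tab = ACTIONS[action][0]
    gpo.pending = None
    gpo.history.append((actor.name, "withdraw " + action, ""))
    return gpo.tab


def demo():
    editor = User("erin", Role.EDITOR)      # constructed sample users
    approver = User("alex", Role.APPROVER)
    gpo = Gpo("Workstation Lockdown")       # constructed GPO name
    submit(gpo, "control", editor, "bring under change control")
    approve(gpo, approver)
    submit(gpo, "deploy", editor, "screen lock timeout reduced")
    approve(gpo, approver)
    return gpo


if __name__ == "__main__":
    for entry in demo().history:
        print(entry)
```
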

Creating, Controlling, or Archiving a GPO

To use GPOVault to provide change control for a GPO, you must first control the GPO with GPOVault. New GPOs created through the Change Control node will automatically be controlled.

Controlling a Previously Uncontrolled GPO

To control a previously uncontrolled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Uncontrolled tab to display the uncontrolled GPOs.

  3. Right-click the GPO to be controlled with GPOVault, then click Control.

  4. Enter a comment to be displayed in the GPO’s history, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be removed from the list on the Uncontrolled tab and added to the Controlled tab.

Creating a New Controlled GPO

To create a new GPO with change control managed through GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Right-click the Change Control node, then click New Controlled GPO.

  3. In the New Controlled GPO dialog box:

    1. Enter a name for the new GPO.

    2. Optional: Enter a comment for the new GPO to be displayed in the History for the GPO.

    3. To immediately deploy the new GPO to the production environment, click Create live. To create the new GPO offline without immediately deploying it, click Create offline.

    4. Select the GPO template to use as a starting point for the new GPO.

    5. Click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new GPO will be displayed in the list of GPOs on the Controlled tab.

Delegating Access to a GPO

An Approver can delegate the management of a controlled GPO that was created by that Approver. Like a GPOVault Administrator, the Approver can delegate access to such a GPO so that selected groups and Editors can edit it, Reviewers can review it, and other Approvers can approve it. By default, an Approver cannot delegate access to GPOs created by someone else.

To delegate the management of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display controlled GPOs, then click the GPO to delegate.

  3. Click the Add button, then select the users or groups to be permitted access, then click OK.

  4. To customize the permissions for each, click the Advanced button on the Contents tab and check role permissions to allow or deny. (For more detailed control, click Advanced in the Permissions dialog box.)

  5. Click Apply -> OK in the Permissions dialog box window.

Archiving a GPO

If changes are made to a GPO outside of GPOVault, you can perform an archive operation to save a copy of the currently deployed version of a GPO to the vault, bringing them to a consistent state.

To archive a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO, then click Archive.

  4. Enter a comment for the audit trail of the GPO, then click OK.

Checking in a GPO

To check in a GPO that has been checked out by an Editor:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

    • To discard any changes made by the Editor, right-click the GPO and click Undo Check Out, then click Yes to confirm.

    • To retain changes made by the Editor, right-click the GPO and click Check In.

  3. Enter a comment to be displayed in the audit trail of the GPO, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

Deploying a GPO

GPOVault enables an Approver to either deploy a new version of a GPO or redeploy an earlier version from the GPO’s history.

Deploying a New or Edited GPO

To deploy a new or edited version of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be deployed and click Deploy.

  4. To review links to the GPO, click Advanced. Move the mouse cursor over a node in the tree to display details. By default, all links to the GPO will be restored. To prevent a link from being restored, clear the checkbox for that link. To prevent all links from being restored, clear the Restore Links checkbox in the Deploy GPO dialog box.

  5. Click Yes. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

Tip: Verifying deployment

To verify whether the most recent version of a GPO has been deployed, on the Controlled tab, double-click the GPO to display its History. In the History for the GPO, the State column will indicate whether a GPO has been deployed.

Deploying a Previous Version of a GPO

To deploy a previous version of a GPO to the production environment, overwriting the version currently in production:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Double-click the GPO to be deployed to display its History.

  4. Right-click the version to be deployed and click Deploy -> Yes.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. In the History window, click Close.

Tip: Verifying the version

To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the History window for the GPO, highlight the two versions, then right-click and select Difference and either HTML Report or XML Report.

Deleting, Restoring, or Destroying a GPO

GPOVault enables Approvers to delete a GPO (moving it to the Recycle Bin), restore a GPO from the Recycle Bin (returning it to the vault), or destroy a GPO (permanently deleting it so that it can no longer be restored).

Deleting a GPO

To delete a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

  4. Enter a comment to be displayed in the audit trail for the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Controlled tab and is now displayed on the Recycle Bin tab, where it can be restored or destroyed. If only the archive was deleted, the GPO will also be displayed on the Uncontrolled tab.

Tip: Only controlled GPOs can be deleted from the vault

A GPO must be controlled by GPOVault before it can be deleted from the vault.

To delete an uncontrolled GPO from the production environment without first controlling it, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects. Right-click the uncontrolled GPO, then click Delete.

Restoring a Deleted GPO

To restore a deleted GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO to restore, then click Restore.

  4. Enter a comment to be displayed in the History of the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Recycle Bin tab and is now displayed on the Controlled tab.

Tip: Restoring a GPO does not redeploy the GPO

If a GPO was deleted from the production environment, restoring it to the vault will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO.

Destroying a GPO

To remove a GPO from the Recycle Bin so that it can no longer be restored:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO to destroy, then click Destroy.

  4. Click Yes to confirm that you want to permanently delete the selected GPO and all backups from the vault.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Recycle Bin tab and is permanently deleted.

Reviewer Tasks

This section provides information on using GPOVault to perform tasks that are the responsibility of a Reviewer—a person authorized by a GPOVault Administrator to review or audit GPOs. By default, a Reviewer has permission only to list GPOs and read GPO settings.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display (the Automatically detect server option will be available in future versions of GPOVault):

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Reviewing Settings and Comparing GPOs

GPOVault enables you to generate reports for reviewing settings in one GPO or for comparing settings in two GPOs or templates, a GPO and a template, two versions of one GPO, or a version of a GPO and a template. Additionally, you can display a diagram showing where a selected GPO is linked to organizational units.

Reviewing GPO Settings

To review settings in any version of a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click a tab to display GPOs.

  3. Double-click the GPO to display its history.

  4. Right-click the GPO version for which to review the settings and click Settings -> HTML Report or XML Report to display a summary of the GPO’s settings.

Reviewing GPO Links

GPOVault enables you to display a diagram showing where a GPO or GPOs that you select are linked to organizational units. GPO link diagrams are updated each time that the GPO is controlled, archived, or checked in.

To display GPO links for one or more GPOs:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled, Pending, or Recycle Bin tab to display GPOs.

  3. Select one or more GPOs for which to display links, then right-click a selected GPO and click Settings -> GPO Links to display a diagram of domains and organizational units with links to the selected GPO(s).

To display GPO links for one or more versions of a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled or Recycle Bin tab to display GPOs.

  3. Double-click the GPO to display its history.

  4. Right-click the GPO version for which to review the settings and click Settings -> HTML Report or XML Report to display a summary of the GPO’s settings.

Identifying Differences between GPOs, GPO Versions, or Templates

To compare two GPOs or templates, a GPO and a template, two versions of one GPO, or a version of a GPO and a template and determine which settings are different:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates). To compare:

    Two GPOs or templates:

    1. Highlight the two GPOs or templates.

    2. Right-click one of the GPOs or templates and click Differences -> HTML Report or XML Report to display a difference report summarizing the settings of the GPOs or templates.

    A GPO and a template:

    1. Right-click the GPO and click Differences -> Template.

    2. Select the template and type of report, then click OK to display a difference report summarizing the settings of the GPO and template.

    Two versions of one GPO:

    1. Double-click the GPO to display its history, then highlight the versions to be compared.

    2. Right-click one of the versions and click Differences -> HTML Report or XML Report to display a difference report summarizing the settings of the GPOs.

    A GPO version and a template:

    1. Double-click the GPO to display its history.

    2. Right-click the GPO version of interest and click Differences -> Template.

    3. Select the template and type of report, then click OK to display a difference report summarizing the settings of the GPO version and template.

    Key to Difference Reports:

              Item exists with identical settings in both GPOs (color varies with level)

    [#]     Item exists in both GPOs, but with changed settings (blue)

    [-]      Item exists only in the first GPO (red)

    [+]     Item exists only in the second GPO (green)

    Notes:

    • For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report.

    • Some changes to settings may cause an item to be reported as two different items (one present only in the first GPO, one present only in the second) rather than as one item that has changed.
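
The report key and notes above, as an added sketch that is not GPOVault code: it marks items of two GPO versions with the same [#], [-] and [+] markers, checks whether a redeployed version matches the intended one, and flags [-]/[+] pairs that may be one changed item reported as two. The settings layout, item paths and values are constructed assumptions, not GPOVault's report format.

```python
from typing import Dict, List, Tuple

# Assumed model: a GPO version is {item path: {attribute: value}}.
# This layout is illustrative only, not GPOVault's report schema.
Settings = Dict[str, Dict[str, str]]
Entry = Tuple[str, str, dict]

# Constructed sample data (not taken from a real GPO or archive).
VERSION_3: Settings = {
    "Computer/Account Lockout/Lockout threshold": {"Value": "5"},
    "Computer/Password Policy/Minimum password length": {"Value": "8"},
    "User/Drive Maps/H:": {"Path": r"\\fs01\home"},
}
VERSION_4: Settings = {
    "Computer/Account Lockout/Lockout threshold": {"Value": "5"},
    "Computer/Password Policy/Minimum password length": {"Value": "6"},
    # Drive letter changed, so the item's identity (its path) changed too.
    "User/Drive Maps/J:": {"Path": r"\\fs01\home"},
}


def difference_report(first: Settings, second: Settings) -> List[Entry]:
    """Classify each item with the markers from the Key to Difference Reports."""
    report: List[Entry] = []
    for path in sorted(set(first) | set(second)):
        if path not in second:
            report.append(("[-]", path, {}))   # only in the first GPO
        elif path not in first:
            report.append(("[+]", path, {}))   # only in the second GPO
        elif first[path] == second[path]:
            report.append(("", path, {}))      # identical settings in both
        else:
            a, b = first[path], second[path]
            # Changed attributes, values in report order: first GPO, second GPO.
            changed = {k: (a.get(k), b.get(k))
                       for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}
            report.append(("[#]", path, changed))
    return report


def versions_match(first: Settings, second: Settings) -> bool:
    """True when no item carries a [#], [-] or [+] marker."""
    return all(marker == "" for marker, _, _ in difference_report(first, second))


def possible_split_items(report: List[Entry]) -> List[Tuple[str, str]]:
    """Pair [-] and [+] items that share a parent node: each pair may be one
    changed item that was reported as two different items."""
    removed = [p for m, p, _ in report if m == "[-]"]
    added = [p for m, p, _ in report if m == "[+]"]
    return [(r, a) for r in removed for a in added
            if r.rsplit("/", 1)[0] == a.rsplit("/", 1)[0]]


if __name__ == "__main__":
    result = difference_report(VERSION_3, VERSION_4)
    for marker, path, changed in result:
        print(f"{marker:<4}{path} {changed or ''}")
    print("review as possible single changes:", possible_split_items(result))
```

When reviewing a real report, treat a [-] entry and a [+] entry under the same node as a prompt to compare the two items by hand before concluding that a setting was removed.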

Troubleshooting

This section provides answers to common questions about using GPOVault.

Tip: Change control and delegation

For an introduction to change control, see the Getting Started with GPOVault section of this guide.

For more detail about the delegation model provided by GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

Unable to Access an Archive

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that will not generate user-specific archives and is accessible to all Group Policy administrators, such as a shared folder (\\<servername>\<archive>) or a host server.

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. To avoid creating user-specific archives in a multi-user environment, each individual using GPOVault must set this path to a shared archive used by all Group Policy administrators for the domain. You can select a separate archive location for each domain or a single location for your entire environment, but access to the location is controlled at the domain level through the Domain Delegation tab.

GPOVault Enterprise only: The GPOVault Service must be running to enable Group Policy administrators to access an archive.

GPOVault Local Edition only: GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

Upgrading archives from GPOVault 1.0 or 2.0 to 2.1: When upgrading from GPOVault 1.0 or 2.0 to 2.1, you must upgrade each version 1.0 or 2.0 archive so that it will function with version 2.1. Performing this upgrade is independent of the installation of GPOVault Enterprise 2.1 or GPOVault 2.1. For instructions, see Upgrading Archives from GPOVault 1.0 or 2.0 in the Installing and Configuring GPOVault section of this guide.

More information:

  • For instructions on selecting an archive location, see Modifying the Archive Location in the GPOVault Administrator Tasks section of this guide.

  • For instructions on providing access to archives and setting permissions, see Delegating Domain-Level Access and Delegating Access to an Individual GPO in the GPOVault Administrator Tasks section.

  • For details on the Archive Location tab, see Appendix 2: GPOVault User Interface in this guide.

  • For instructions on starting the GPOVault Service, see Starting and Stopping the GPOVault Service in the GPOVault Administrator Tasks section of this guide.

GPO State Varies for Different GPOVault Users

Ensure that all GPOVault users select the same archive path for the archive of a particular domain to prevent the creation of user-specific archives. See Unable to Access an Archive above for more information.

Unable to Find Evaluation Archive to Reset or Delete

When installing GPOVault for the first time, a new archive is created. If a decision is later made to have multiple GPO administrators access this archive, you must either share out this location or create a new location and move the contents manually.

The best practice is to create a shared location and then direct all GPO administrators to that share point or server. This will cause the least confusion and provide an intuitive path to the archive.

GPOVault 2.0 or 2.1: The default archive location depends upon the option selected on the Archive Location tab.

  • Manually specify server address: This option is used for GPOVault Enterprise Edition. The default archive location within the host selected is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

  • Use a local or shared folder archive: This option is used for GPOVault Local Edition. The default archive location is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive

GPOVault 1.0: The default archive location is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive

GPOVault Beta: The default archive location is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

Any users of GPOVault beta should completely remove the beta before beginning to work with the release version of the product. As stated above, there are changes in vault location and other less obvious changes that may cause confusion.

Unable to Modify Archive Location (GPOVault Enterprise Only)

If using GPOVault Enterprise, you manually specify a server address on the Archive Location tab. Within that host server, the default archive location is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive.

However, you can change the archive location for GPOVault Enterprise by adding a particular registry item. For information, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance. (See the Support section of this guide.)

Unable to Apply a New License (GPOVault Enterprise Only)

If you have replaced your license for GPOVault Enterprise, you must restart the GPOVault Service for the new license to take effect. For instructions, see the Licensing section of this guide.

Unable to View GPOs

To enumerate or view lists of GPOs in GPOVault, an Editor, Approver, or Reviewer must be granted List Contents permission by a GPOVault Administrator.

GPOVault permissions will cascade down from the domain to all GPOs currently in the vault. As new delegates are added at the domain level, their permissions must be set to apply to This object and nested objects.

GPOVault Local Edition only: GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

Unable to Use a Particular GPO Name

If a GPO name is already in use, you cannot create a new GPO with or rename an existing GPO to that name. If you attempt to do so, the following error is displayed: A GPO with that name already exists. Choose another name.

If the GPO name in question does not appear on the Controlled, Uncontrolled, or Pending tabs, you may lack permission to list the GPO. Also, if a GPO that has been deployed is renamed but not yet redeployed, it will be displayed under its old name in the production environment—therefore the old name is still in use. Once the GPO has been redeployed, its name will be updated in the production environment, freeing the name for use by another GPO.

Unable to Create a GPO

To create a new controlled GPO, the Create GPO permission is required. By default, GPOVault Administrators and Approvers have this permission.

Others can begin the process of creating a GPO and submit a request for creation. This request is sent to the email addresses listed in the To field on the Domain Delegation tab. An Approver or GPOVault Administrator must approve the request.

GPOVault Local Edition only: In native Group Policy, Approvers must be members of the Group Policy Creator Owners group or have full delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Creating or Controlling a GPO, see the Approver Tasks section of this guide.

  • For instructions on requesting the creation of a GPO, see Creating, Controlling or Archiving a GPO in the Editor Tasks section of this guide.

Unable to Edit or Rename a GPO

To edit or rename a controlled GPO, the Edit Settings permission is required. By default, GPOVault Administrators and Editors have this permission. Additionally, you must check out a GPO before you can edit it.

A GPOVault Administrator must provide Editors with List Contents and Read Settings permissions at the domain level in GPOVault and Edit Settings permission at the GPO level.

GPOVault Local Edition only: In native Group Policy, Editors must either be members of the Group Policy Creator Owners group or have explicitly delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Editing a GPO or Renaming a GPO, see the Editor Tasks section of this guide.

Unable to Change Default Template

Setting or changing the default GPO template requires Create Template and List Contents permissions. This task is typically performed by an Editor or GPOVault Administrator.

For instructions on setting or changing the default GPO template, see Setting a Default Template in the Editor Tasks section of this guide.

Unable to Deploy a GPO

To deploy a GPO, the Deploy GPO permission is required. By default, GPOVault Administrators and Approvers have this permission. Others can begin the process of deploying a GPO and submit a request for deployment. This request is sent to the email addresses listed in the To field on the Domain Delegation tab. An Approver or GPOVault Administrator must approve the request.

GPOVault Local Edition only: In native Group Policy, Approvers must be members of the Group Policy Creator Owners group or have full delegated access to the Group Policy Object con