Training Guide


GPOVTG01.jpg

GPOVTG02.jpg

GPOVault

Enterprise and Local Edition  

GPOVault is available in two distinct versions, GPOVault Local Edition and GPOVault Enterprise, which are licensed differently.  

GPOVault Local Edition  

GPOVault Local Edition (also simply referred to as GPOVault) is the standalone version of GPOVault. It is available free of charge and does not require a license. GPOVault Local Edition does not have a server component and uses the native Windows permissions of the Group Policy administrator for all operations.  

GPOVault Enterprise  

GPOVault Enterprise is the client/server version of GPOVault. With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment, tightening control over these critical archives.  

GPOVault Enterprise is licensed per domain. A single server may manage GPOs on any number of domains; however, each domain must be specified in the license.  

Change Control with GPOVault

Despite the great value in the GPMC, key capabilities are absent. There is no mechanism for offline editing of the GPOs, there is no mechanism for version control, and the delegation model (albeit powerful) has limitations. The GPMC needs a check-in/check-out mechanism so that changes to the infrastructure can be approved, tracked, and audited. The audit trail is critical with regard to Group Policy because these GPOs are delivering critical standardization, security, and compliance configuration to systems across the enterprise.  

Enter GPOVault™ by DesktopStandard. GPOVault has been developed to provide this much-needed additional functionality to the GPMC. It extends the GPMC in an intuitive manner that makes adoption of a full change management product easily accessible.  

GPOVault by DesktopStandard adds the much-needed functionality of change control to the Group Policy Management Console. GPOVault extends the GPMC, providing offline editing of GPOs, version control for GPOs, role-based delegation of control, check-in/check-out capability, difference reporting, and GPO templates.

GPOVTG03.jpg

Installing GPOVault Server

Prerequisites

To install GPOVault, you must first have the Group Policy Management Console (GPMC) installed. You can download the GPMC through the Group Policy home page at https://www.microsoft.com/GroupPolicy. The GPMC runs on Windows Server 2003 and Windows XP with SP1 or later. For Windows XP SP1 systems, an additional QFE (a patch, which is included in XP SP2) is required.  

Installing GPOVault  

GPOVault Enterprise includes separate installers for the server and clients. GPOVault Local Edition includes only the client installer.

Server Installation (GPOVault Enterprise Only)  

With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment.  

GPOVault Enterprise should be installed only on the member server that will host the GPOVault Service. To install the GPOVault Service on a server:  

  1. Double-click the gpovents.msi file.  

  2. In the Welcome dialog box, click Next.  

  3. In the License Agreement dialog box, accept the terms and click Next.  

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next.  

  5. In the Setup Type dialog box:  

    • To accept the default root installation folder: Click Complete -> Next.  

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.  

  6. In the GPOVault Service Account dialog box, select a service account under which the GPOVault service will run, then click Next.  

    Tip: Selecting the GPOVault Service Account

    The GPOVault Service Account must have full access to the GPOs that it will manage and Log On As A Service permission. If you will be managing GPOs on a single domain, you can make the Local System account for the primary domain controller the GPOVault Service Account. If you will be managing GPOs on multiple domains or if a member server will be the GPOVault server, you should configure a different account as the GPOVault Service Account since the Local System account for one domain controller would be unable to access GPOs on other domains.

  7. In the GPOVault Owner dialog box, click Browse, select a single account to serve as the GPOVault Owner, then click Next.  

  8. In the License Import dialog box, click Browse and select the GPOVault Enterprise license that you have obtained from DesktopStandard, then click Next.  

  9. Click Install to proceed.

  10. Click Finish to exit the wizard.

Manually Importing a License (GPOVault Enterprise Only)

To manually add a license key if you have already installed the server component of GPOVault Enterprise, stop the GPOVault Service, copy the license.xml file to %AllUsersProfile%\Application Data\DesktopStandard\GPOVault, and then restart the GPOVault Service.
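The manual license import described above, scripted in PowerShell as an added example; it is not part of the GPOVault documentation. The service display-name pattern and the parameter names are assumptions, so confirm the actual service name with Get-Service first; the backup of the previous license.xml is an added safeguard, not a step from the guide.

```powershell
# Added example: scripted version of the manual license import.
# Assumptions (not from the guide): the service's display name matches
# '*GPOVault*', and the new license file path is supplied by the operator.
param(
    [Parameter(Mandatory = $true)]
    [string]$LicensePath,
    [string]$ServiceDisplayName = '*GPOVault*'   # assumed display-name pattern
)

$ErrorActionPreference = 'Stop'

# Destination folder named in the guide.
$destDir  = Join-Path $env:ALLUSERSPROFILE 'Application Data\DesktopStandard\GPOVault'
$destFile = Join-Path $destDir 'license.xml'

# Refuse to touch the service unless the new file parses as XML.
$null = [xml](Get-Content -Path $LicensePath)

if (-not (Test-Path $destDir)) {
    throw "GPOVault data folder not found: $destDir"
}

# Resolve exactly one service so the wrong service is never stopped.
$svc = @(Get-Service -DisplayName $ServiceDisplayName)
if ($svc.Count -ne 1) {
    throw "Expected exactly one service matching '$ServiceDisplayName', found $($svc.Count)."
}
$svc = $svc[0]

Stop-Service -Name $svc.Name
try {
    # Keep the previous license so the change can be reverted.
    if (Test-Path $destFile) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Copy-Item -Path $destFile -Destination "$destFile.$stamp.bak"
    }
    Copy-Item -Path $LicensePath -Destination $destFile -Force
}
finally {
    # Restart even if the copy failed, so the change-control service is not left down.
    Start-Service -Name $svc.Name
}

$status = (Get-Service -Name $svc.Name).Status
if ($status -ne 'Running') {
    throw "Service $($svc.Name) is $status after license import."
}
Write-Output "license.xml imported; $($svc.Name) is $status."
```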

GPOVTG04.jpg

Installing GPOVault Client

Client or Standalone Installation

GPOVault should be installed on the systems of Editors, Approvers, and Reviewers—anyone who creates, edits, deploys, reviews, or deletes GPOs. It is not necessary to install GPOVault on the systems of end-users of your network who do not perform these tasks.

If you are upgrading from GPOVault 2.2 to GPOVault Enterprise 2.2, you do not need to reinstall GPOVault on any client systems where GPOVault is already installed. However, the GPOVault Service must be installed on the server as described in the previous section.

To install GPOVault Enterprise – Client:  

  1. Double-click the gpoventc.msi file (for GPOVault Enterprise – Client).

  2. In the Welcome dialog box, click Next.

  3. In the License Agreement dialog box, accept the terms and click Next.

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next. 

  5. In the Setup Type dialog box:

    • To accept the default root installation folder: Click Complete -> Next.

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.

  6. Click Install to proceed.

  7. Click Finish to exit the wizard.   

    GPOVTG05.jpg

Archive Location

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By providing a share path to or specifying a server for the archive, this archive can be used by multiple Group Policy administrators.  

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display. (Automatically detect server will be available in future versions of GPOVault.):

    GPOVTG06.jpg

    • GPOVault Enterprise: Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600, and the path within the server is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive. (This path can be modified using an advanced procedure. For details, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance; see the Support section of this guide.)

    • GPOVault Local Edition: Click Use a local or shared folder archive. Enter a path for the archive, or click the browse button to navigate to a location. (By default, the archive is stored in %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive, but it can be stored anywhere on a file system.)

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

    GPOVTG07.jpg

GPOVault Delegation

Delegating Domain-Level Access

Set up the delegation model for your environment so that the delegated GPO administrators will have the appropriate access to and control over GPOs. There are baseline permissions to be applied that will make the operation of GPOVault more efficient, but permissions can be granted in any manner that meets the needs of your organization.

To delegate access so that selected users and groups have certain permissions to all GPOs throughout a domain:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Click the Domain Delegation tab, then click the Advanced button.  

  3. On the Permissions dialog box, click the checkbox for each role to be assigned to an individual, then click the Advanced button. (Note: Editor and Approver include Reviewer permissions.)

  4. On the Advanced Security Settings dialog box, select a GPO administrator and click Edit.

  5. For Apply onto, select This object and nested objects, configure any special permissions beyond the standard GPOVault roles, then click OK on the Permission Entry dialog box.  

    GPOVTG08.jpg

  6. On the Advanced Security Settings dialog box, click OK.

  7. On the Permissions dialog box, click OK.

GPOVTG09.jpg

GPOVTG10.jpg

GPOVault SMTP Configuration

When an Editor or Reviewer attempts to create, deploy, or delete a GPO, a request for this action is sent to a designated email address or addresses. An Approver must approve these actions for them to be implemented.

To configure email notification for GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Domain Delegation tab.

  3. In the From field, enter the email alias for GPOVault from which notifications to Approvers will be sent.

  4. In the To field, enter valid email addresses for all Approvers who should receive requests for approval.

  5. In the SMTP server field, enter a valid SMTP mail server.

  6. In the User name and Password fields, enter the credentials of a user with access to the SMTP service.

  7. Click Apply.

GPOVTG11.jpg

Controlling GPOs

To control a previously uncontrolled GPO:

GPOVTG12.jpg

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Uncontrolled tab to display the uncontrolled GPOs.

  3. Right-click the GPO to be controlled with GPOVault, then click Control.

  4. Unless you have special permission to control GPOs, you must submit a request for control. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History of the GPO and click Submit.  

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be removed from the list on the Uncontrolled tab and added to the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.

GPOVTG13.jpg

Editing Controlled GPOs

To make changes to a GPO offline without immediately impacting the deployed version of the GPO, check out a copy of the GPO from the vault. Once changes are complete, check the GPO back into the vault and request deployment of the GPO to the production environment.

Checking out a GPO

GPOVTG14.jpg

To check a GPO out from the vault for editing:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be edited, then click Check Out.

  4. Enter a comment to be displayed in the History of the GPO while it is checked out, then click OK.  

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked Out.

Editing a GPO Offline

To make changes to a controlled GPO, you must first check out the GPO.

GPOVTG15.jpg

To edit a GPO offline:

  1. On the Controlled tab, right-click the GPO to be edited, then click Edit.

  2. A Group Policy Object Editor window will open to enable you to make changes to an offline copy of the GPO. When changes are complete, close the Group Policy Object Editor.

Checking in a GPO

GPOVTG16.jpg

To check a GPO into the vault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. If no changes have been made to the GPO, right-click the GPO and click Undo Check Out, then click Yes to confirm.

  4. If changes have been made to the GPO, right-click the GPO and click Check In.

  5. Enter a comment to be displayed in the audit trail of the GPO, then click OK.  

  6. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

GPOVTG17.jpg

Deploying GPO from GPOVault

GPOVTG18.jpg

To request the deployment of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be deployed and click Deploy.

  4. Unless you have special permission to deploy GPOs, you must submit a request for deployment. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History for the GPO, then click Submit.  

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab and deployed.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Controlled tab.

GPOVTG19.jpg

Creating and Using Templates

Creating a GPO template enables you to save all of the settings of a particular version of a GPO to use as a starting point for creating new GPOs and to share that template with other Group Policy administrators. As an Editor, you can also specify which of the available templates will be the default template for all Group Policy administrators creating new GPOs.   

Creating a Template

GPOVTG20.jpg

To create a template based on an existing GPO:  

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.  

  2. On the Contents tab in the details pane, click the Controlled or Uncontrolled tab to display available GPOs.  

  3. Right-click the GPO from which you want to create a template, then click Save as Template.

  4. Enter a name for the template and a comment, then click OK.  

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new template now appears on the Templates tab.

Setting a Default Template

To set the default template for all Group Policy administrators to use when creating new GPOs:

GPOVTG21.jpg

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Templates tab to display available templates.

  3. Right-click the template that you want to set as the default, then click Set as Default.

  4. Click Yes to confirm.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The default template will have a blue icon and the state will be identified as Template (default) on the Templates tab.  

GPOVTG22.jpg

Tip: The default template—an option, not a requirement

After you set a template as the default, that template will be the one initially selected in the New Controlled GPO dialog box when Group Policy administrators create new GPOs. However, they will have the option to select a different GPO template, including <Empty GPO>, which does not include any settings.

GPOVTG23.jpg

Deleting GPOs from GPOVault

As an Editor, you may not have permission to complete the deletion of a GPO, but you do have the permission necessary to begin the process and submit your request to an Approver.

GPOVTG24.jpg

To request the deletion of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

      Unless you have special permission to delete GPOs, you must submit a request for deletion of the deployed GPO. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the audit trail for the GPO, then click Submit.  

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab. When an Approver has approved your request, the GPO will be moved from the Pending tab to the Recycle Bin tab, where it can be restored or destroyed.

GPOVTG25.jpg

GPOVTG26.jpg

Archive of GPOVault GPOs

The History of a GPO can be displayed by double-clicking a GPO or by right-clicking a GPO and then clicking History. It is also displayed in the GPMC as a tab for each GPO.  

The History displays a list of all versions of the selected GPO saved within the vault. From the History, you can obtain a report of the settings within a GPO, compare multiple versions of a GPO, or roll back to a previous version of a GPO.

GPOVTG27.jpg

Identifying Differences between GPOs, GPO Versions, or Templates

To compare two GPOs or templates, a GPO and a template, two versions of one GPO, or a version of a GPO and a template and determine which settings are different:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates). To compare:

    Two GPOs or templates:

    1. Highlight the two GPOs or templates.

    2. Right-click one of the GPOs or templates and click Differences -> HTML Report or XML Report to display a difference report summarizing the settings of the GPOs or templates.

    GPOVTG28.jpg

    A GPO and a template:

    • Right-click the GPO and click Differences -> Template.

    GPOVTG29.jpg

    1. Select the template and type of report, then click OK to display a difference report summarizing the settings of the GPO and template.

      GPOVTG30.jpg

    Two versions of one GPO:

    • Double-click the GPO to display its history, then highlight the versions to be compared.

    1. Right-click one of the versions and click Differences -> HTML Report or XML Report to display a difference report summarizing the settings of the GPOs.

      GPOVTG31.jpg

    A GPO version and a template:

    • Double-click the GPO to display its history.

    1. Right-click the GPO version of interest and click Differences -> Template.

      GPOVTG32.jpg

    2. Select the template and type of report, then click OK to display a difference report summarizing the settings of the GPO version and template.

      GPOVTG33.jpg

GPOVTG34.jpg

Key to Difference Reports:

          Item exists with identical settings in both GPOs (color varies with level)

[#]     Item exists in both GPOs, but with changed settings (blue)

[-]      Item exists only in the first GPO (red)

[+]     Item exists only in the second GPO (green)

Notes:

  • For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report.

  • Some changes to settings may cause an item to be reported as two different items (one present only in the first GPO, one present only in the second) rather than as one item that has changed.

GPOVault Lab

Finding the Change Control Node

GPOVault adds a Change Control node to each domain displayed in the Group Policy Management Console. In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree. Each domain has a Change Control node under it, and there is one archive (or vault) per domain.  

GPOVTG35.jpg

Requesting the Creation of a New Controlled GPO

To create a new GPO with change control managed through GPOVault:  

GPOVTG36.jpg

  1. Log on to the Windows XP computer with the User name of: Editor and a Password of: Pa$$word.

  2. Click Start -> Control Panel -> Administrative Tools and double-click Group Policy Management.  

  3. In the Group Policy Management Console, expand Forest -> Domains -> [MyDomain] -> Change Control.

  4. Right-click the Change Control node, then click New Controlled GPO.

  5. Unless you have special permission to create GPOs, you must submit a request for creation. In the New Controlled GPO dialog box:

    1. Type “LockDown” without the quotes in the GPO Name field.

    2. Optional: Enter a comment for the new GPO.

    3. To deploy the new GPO to the production environment immediately upon approval, click Create live. To create the new GPO offline without immediately deploying it upon approval, click Create offline.

    4. For this lab choose Create offline and select <EMPTY GPO> from the GPO Template drop down list.

    5. Click Submit.

  6. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new GPO will be displayed in the list of GPOs on the Pending tab.

GPOVTG37.jpg

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.  

Approving or Rejecting a Pending Action

The core responsibility of an Approver is to evaluate and then approve or reject requests for GPO creation, deployment, and deletion from Editors or Reviewers who do not have permission to complete those actions. The report capabilities of GPOVault can assist an Approver with evaluating a new version of a GPO.

To approve or reject a pending request:

GPOVTG38.jpg

  1. Log on to the Windows Server 2003 computer with the User name of: VaultAdmin and a Password of: Pa$$word.

  2. Click Start -> Outlook Express, then click the Inbox. View the email message sent by Editor to request that a new GPO named LockDown be created.

  3. Close Outlook Express.

  4. Open the Group Policy Management Console by clicking Start -> Group Policy Management.

  5. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  6. On the Contents tab, click the Pending tab to display the pending GPOs.

  7. Right-click the pending GPO named “LockDown”, then select Approve.  

    • Note: If you don’t see the pending GPO, refresh the contents of the Pending tab by right-clicking in the Group Policy Objects pane and selecting Refresh from the context menu.

  8. Add a comment and then click the OK button to confirm approval of the pending request. Once approved, the GPO will be moved to the Controlled tab for the action performed.  

Editing a GPO

To make changes to a GPO offline without immediately impacting the deployed version of the GPO, check out a copy of the GPO from the vault. Once changes are complete, check the GPO back into the vault and request deployment of the GPO to the production environment.

Checking out a GPO

GPOVTG39.jpg

Log on to the Windows XP computer as Editor to check a GPO out from the vault for editing:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO named “LockDown”, then select Check Out.

  4. Enter a comment to be displayed in the History of the GPO while it is checked out, then click OK.  

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked Out.   

Editing a GPO Offline

To edit a GPO offline:

  1. On the Controlled tab, right-click the GPO named “LockDown”, then select Edit.

  2. Enable the Remove Help Menu from Start Menu policy: expand User Configuration -> Administrative Templates -> Start Menu and Taskbar, double-click the Remove Help Menu from Start Menu policy, select the Enabled radio button, and click the OK button.

  3. Close the Group Policy Object Editor window.

Checking in a GPO

GPOVTG41.jpg

Complete the following steps from the Windows XP computer to check the “LockDown” policy into the vault:

  1. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  2. Right-click the “LockDown” GPO and select Check In. 

  3. Enter a comment to be displayed in the audit trail of the GPO, then click OK.  

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

Requesting Deployment of a GPO

Complete the following steps from the Windows XP computer to request the deployment of the “LockDown” GPO to the production environment:

GPOVTG42.jpg

  1. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  2. Right-click the “LockDown” GPO and select Deploy.

  3. Unless you have special permission to deploy GPOs, you must submit a request for deployment. Enter a comment, and then click the Submit button.  

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab and deployed.

Approving Deployment of a GPO

GPOVault enables an Approver to either deploy a new version of a GPO or redeploy an earlier version from the GPO’s history. Once deployed, a copy of the GPO is created in the Group Policy Objects container. At that point it can be linked to a site, domain, or an OU.

Complete the following steps from the Windows Server 2003 computer. Ensure that you are logged on as VaultAdmin. To deploy a new or edited version of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Click on the Pending tab, then right-click the “LockDown” GPO (refresh the pane if you don’t see the GPO) and select History from the context menu.

    • Before approving the deployment of a GPO you can view the settings of the GPO or compare the settings of two GPOs.  

    • To create a difference report, shift-click to select both GPOs in the History window, then right-click the selected GPOs and select Differences -> HTML Report from the context menu.

    • View the differences then close the report window. Click on the Close button to close the History for lockdown window.

    Key to Difference Reports:

              Item exists with identical settings in both GPOs (color varies with level)

    [#]     Item exists in both GPOs, but with changed settings (blue)

    [-]      Item exists only in the first GPO (red)

    [+]     Item exists only in the second GPO (green)

  3. Right-click the LockDown GPO and select Approve from the context menu.

  4. Add a comment and click on the OK button. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.  

Rolling Back a Previous Version of a GPO

Complete the following steps from the Windows Server 2003 computer. Ensure that you are logged on as VaultAdmin. To deploy a previous version of a GPO to the production environment, overwriting the version currently in production:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Double-click the GPO named “PolicyMakerSnapin” to display its History.  

  4. Right-click the version with the date and time stamp of 4/12/2006 8:39:05 AM and select Deploy -> Yes.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. In the History window, click Close.

    Tip: Verifying the version

    To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the History window for the GPO, highlight the two versions, then right-click and select Differences and either HTML Report or XML Report.

Deleting, Restoring, or Destroying a GPO

GPOVault enables Approvers to delete a GPO (moving it to the Recycle Bin), restore a GPO from the Recycle Bin (returning it to the vault), or destroy a GPO (permanently deleting it so that it can no longer be restored).

Deleting a GPO

GPOVTG43.jpg

Complete the following steps from the Windows Server 2003 computer. Ensure that you are logged on as VaultAdmin. To delete a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO named “LockDown” to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

  4. Enter a comment to be displayed in the audit trail for the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.  

The GPO is removed from the Controlled tab and is now displayed on the Recycle Bin tab, where it can be restored or destroyed. If only the archive was deleted, the GPO will also be displayed on the Uncontrolled tab.

Tip: Only controlled GPOs can be deleted from the vault

A GPO must be controlled by GPOVault before it can be deleted from the vault.  

To delete an uncontrolled GPO from the production environment without first controlling it, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects. Right-click the uncontrolled GPO, then click Delete.

Restoring a Deleted GPO

To restore a deleted GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO “LockDown” to restore, then click Restore.

  4. Enter a comment to be displayed in the History of the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.  

The GPO is removed from the Recycle Bin tab and is now displayed on the Controlled tab.

Tip: Restoring a GPO does not redeploy the GPO

If a GPO was deleted from the production environment, restoring it to the vault will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO.

Destroying a GPO

To remove a GPO from the Recycle Bin so that it can no longer be restored:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO to destroy, then click Destroy.

  4. Click Yes to confirm that you want to permanently delete the selected GPO and all backups from the vault.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.  

The GPO is removed from the Recycle Bin tab and is permanently deleted.

Creating a Template and Setting a Default Template

Creating a GPO template enables you to save all of the settings of a particular version of a GPO to use as a starting point for creating new GPOs and to share that template with other Group Policy administrators. As an Editor, you can also specify which of the available templates will be the default template for all Group Policy administrators creating new GPOs.

Creating a Template

Complete the following steps from the Windows Server 2003 computer. Ensure that you are logged on as VaultAdmin. To create a template based on an existing GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled or Uncontrolled tab to display available GPOs.

  3. Right-click the GPO named “LockDown”, then click Save as Template.

  4. Enter a name for the template and a comment, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new template now appears on the Templates tab. 

Setting a Default Template

To set the default template for all Group Policy administrators to use when creating new GPOs:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Templates tab to display available templates.

  3. Right-click the GPO named “LockDown”, then click Set as Default.

  4. Click Yes to confirm.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The default template will have a blue icon and the state will be identified as Template (default) on the Templates tab.

Delegating Access to a GPO

An Approver can delegate the management of a controlled GPO that was created by that Approver. Like a GPOVault Administrator, the Approver can delegate access to such a GPO so that selected groups and Editors can edit it, Reviewers can review it, and other Approvers can approve it. By default, an Approver cannot delegate access to GPOs created by someone else.

To delegate the management of a controlled GPO:

  1. Use the Active Directory Users and Computers console to create a new user account with the first name and logon name of “Frank” and a password of Pa$$word: click Start -> Administrative Tools -> Active Directory Users and Computers, then right-click the Users container and select New -> User.

  2. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  3. On the Contents tab in the details pane, click the Controlled tab to display controlled GPOs, then click the GPO to delegate.

  4. Click the Add button and then type “Frank”, then click OK.   

  5. To customize the permissions for each, click the Advanced button on the Contents tab and check role permissions to allow or deny. (For more detailed control, click Advanced in the Permissions dialog box.)

  6. Click Apply -> OK in the Permissions dialog box window.
