Comprehensive Change Control and Enhanced Management for Group Policy Objects

User Guide

GPOVault™ is a Group Policy Management Console (GMPC) extension that provides comprehensive change control and enhanced management for Group Policy Objects (GPOs). GPMC is the platform of choice for centrally administering Group Policy. The free Microsoft console provides excellent support for most aspects of GPO management, but provides no change control features. GPOVault adds change control, notification, approval, rollback, offline editing, templates, and difference reporting directly into the GPMC.


On This Page

Welcome
Installing and Configuring GPOVault
Getting Started with GPOVault
GPOVault Administrator Tasks
Editor Tasks
Approver Tasks
Reviewer Tasks
Troubleshooting
Support
Appendix 1: Introduction to Group Policy
Appendix 2: GPOVault User Interface
Appendix 3: Permissions and Roles Reference
Glossary

Welcome

Welcome to GPOVault™, DesktopStandard’s extension for Group Policy Management Console (GPMC) that provides comprehensive change control and enhanced management for Group Policy Objects (GPOs). GPOVault extends the capabilities of the GPMC, providing such much-needed functionality as:

  • Offline editing for GPOs so that they can be created and tested before being deployed to a production environment

  • Version control so that multiple versions of a GPO can be retained in an archive, available for rollback if needed

  • Role-based delegation so that responsibility for editing, approving, and reviewing GPOs can be shared among multiple people

  • Check-in/check-out capability for GPOs so that multiple Editors cannot inadvertently overwrite each other’s work

  • Difference reporting to quickly analyze changes to the GPO compared to any version stored in the archive

  • GPO templates for beginning with a standard array of settings when creating new GPOs

Tip: Getting started with GPOVault

For setup instructions, see the Installing and Configuring GPOVault section in this user guide.

For an introduction to the concept of change control and how to use GPOVault to apply it, see the Welcome and Getting Started with GPOVault sections. (For an introduction to Group Policy, see Appendix 1: Introduction to Group Policy.)

For step-by-step instructions on how to perform tasks using GPOVault, see the GPOVault Administrator Tasks, Editor Tasks, Approver Tasks, or Reviewer Tasks section as appropriate.

For detailed information on GPOVault menu options, icons, and other aspects of the user interface, see Appendix 2: GPOVault User Interface.

For detailed information on what permissions are associated with specific tasks and roles, see Appendix 3: Permissions and Roles Reference.

In case of any difficulty with GPOVault, see the Troubleshooting and Support sections at the end of this user guide for resources and assistance.

Introduction to GPOVault

Microsoft provides the Group Policy Management Console (GPMC) as the primary product for managing Group Policy in an enterprise. There are many benefits to the GPMC, the main one being that it provides an intuitive interface with a Group Policy-centric view of the environment.

Despite the great value in the GPMC, key capabilities are absent. There is no mechanism for offline editing of the GPOs, there is no mechanism for version control, and the delegation model (albeit powerful) has limitations. The GPMC needs a check-in/check-out mechanism so that changes to the infrastructure can be approved, tracked, and audited. The audit trail is critical with regard to Group Policy because these GPOs are delivering critical standardization, security, and compliance configuration to systems across the enterprise.

Enter GPOVault™ by DesktopStandard. GPOVault has been developed to provide this much needed additional functionality to the GPMC. It extends the GPMC in an intuitive manner that makes adoption of a full change management product easily accessible.

(For a brief introduction to Group Policy concepts, see Appendix 1: Introduction to Group Policy later in this guide.)

Change Control with GPOVault

There was a time when a network administrator could manage the entire network directly and could afford to make and test changes on the live network. The network administrator was the only one making changes to user accounts and device configurations, so there was no issue of conflicting changes coming from multiple Group Policy administrators. You could make and test changes on the live network in evenings or on weekends when no one would be inconvenienced if the network was down for a few hours.

Today, none of those practices are still feasible. Network administration at most companies requires the work of multiple people, who must interact in concert without overwriting each other’s work or jeopardizing the company’s infrastructure. Companies now have customers (and perhaps employees) in so many time zones that their network needs to be online 24×7.

How can an administrator keep the work of multiple Group Policy administrators from conflicting? How can you allow these GP administrators the access they need to get their jobs done without allowing them so much access that they interfere with each other or have too great an opportunity to inadvertently damage the network infrastructure? How can you alter settings in an offline environment so that changes will not immediately affect the network? How can you archive and manage multiple versions of GPO settings?

GPOVault by DesktopStandard adds the much-needed functionality of change control to the Group Policy Management Console. GPOVault extends the GPMC, providing offline editing of GPOs, version control for GPOs, role-based delegation of control, check-in/check-out capability, difference reporting, and GPO templates.

Enterprise and Local Edition

GPOVault is available in two distinct versions, GPOVault Local Edition and GPOVault Enterprise, which are licensed differently.

GPOVault Local Edition

GPOVault Local Edition (also simply referred to as GPOVault) is the standalone version of GPOVault. It is available free of charge and does not require a license. GPOVault Local Edition does not have a server component and uses the native Windows permissions of the Group Policy administrator for all operations.

GPOVault Enterprise

GPOVault Enterprise is the client/server version of GPOVault. With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment, tightening control over these critical archives.

GPOVault Enterprise is licensed per domain controller. To obtain a free evaluation license or to purchase a license for GPOVault Enterprise, contact DesktopStandard Sales at https://www.desktopstandard.com/sales.

New in GPOVault

The following features and enhancements are new in version 2.2 of GPOVault:

  • Report GPO links

  • Backup and restore of GPO links, including option during deployment to restore all links, selected links, or none

  • Change permissions on multiple GPOs at once

  • General section added to settings reports, including details, links, security filtering, WMI filtering, and delegation

The following features and enhancements were first incorporated into version 2.1 of GPOVault:

  • Extensions tab added to all GPOs and Group Policy links displayed in the GPMC

  • Delegate privileges to built-in security principals and computers

  • Add a license by running the install through Add or Remove Programs and selecting Modify

  • Change the owner of a GPO upon deployment

  • Display the names and dates modified of both GPOs compared in an XML-based difference report

Installing and Configuring GPOVault

This section includes instructions and helpful tips for installing GPOVault and upgrading archives from a previous version of GPOVault, as well as information about configuration and licensing.

Prerequisites

To install GPOVault, you must first have the Group Policy Management Console (GPMC) installed. You can download the GPMC through the Group Policy home page at https://www.microsoft.com/GroupPolicy. The GPMC runs on Windows Server 2003 and Windows XP with SP1 or later. For Windows XP SP1 systems, an additional QFE (a patch, which is included in XP SP2) is required.

Installing GPOVault

GPOVault Enterprise includes separate installers for the server and clients. GPOVault Local Edition includes only the client installer.

Tip: Upgrading GPOVault

If you are upgrading from a previous version of GPOVault, see Upgrading Archives from a Previous Version later in this section.

If you are upgrading from GPOVault 2.2 to GPOVault Enterprise 2.2, you must perform the server installation (see below), but you do not need to reinstall the client on systems where GPOVault 2.2 is already installed, nor do you need to upgrade GPOVault 2.2 archives.

Server Installation (GPOVault Enterprise Only)

With GPOVault Enterprise, all operations are controlled through the GPOVault Service and execute with the service’s credentials. This Windows service enforces the delegation model by acting as a security proxy for access to the archive and the live GPO environment.

GPOVault Enterprise should be installed only on the member server that will host the GPOVault Service. To install the GPOVault Service on a server:

  1. Double-click the gpovents.msi file.

  2. In the Welcome dialog box, click Next.

  3. In the License Agreement dialog box, accept the terms and click Next.

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next.

  5. In the Setup Type dialog box:

    • To accept the default root installation folder: Click Complete -> Next.

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.

  6. In the GPOVault Service Account dialog box, select a service account under which the GPOVault service will run, then click Next.

    Tip: Selecting the GPOVault Service Account

    The GPOVault Service Account must have full access to the GPOs that it will manage and Log On As A Service permission. If you will be managing GPOs on a single domain, you can make the Local System account for the primary domain controller the GPOVault Service Account.

    If you will be managing GPOs on multiple domains or if a member server will be the GPOVault server, you should configure a different account as the GPOVault Service Account since the Local System account for one domain controller would be unable to access GPOs on other domains.

  7. In the GPOVault Owner dialog box, click Browse, select a single account to serve as the GPOVault Owner, then click Next.

  8. In the License Import dialog box, click Browse and select the GPOVault Enterprise license that you have obtained from DesktopStandard, then click Next.

    Obtaining a license

To obtain a free evaluation license for GPOVault Enterprise or to purchase a license, contact DesktopStandard Sales at https://www.desktopstandard.com/sales.

  9. Click Install to proceed.

  10. Click Finish to exit the wizard.

After GPOVault Enterprise Server is installed, you can start and stop the GPOVault service by clicking Start -> Control Panel -> Administrative Tools -> Services, then right-clicking GPOVault Service and selecting Start or Stop.

Client or Standalone Installation

GPOVault should be installed on the systems of Editors, Approvers, and Reviewers—anyone who creates, edits, deploys, reviews, or deletes GPOs. It is not necessary to install GPOVault on the systems of end-users of your network who do not perform these tasks.

If you are upgrading from GPOVault 2.2 to GPOVault Enterprise 2.2, you do not need to reinstall GPOVault on any client systems where GPOVault is already installed. However, the GPOVault Service must be installed on the server as described in the previous section.

To install GPOVault Enterprise – Client or GPOVault Local Edition:

  1. Double-click the gpoventc.msi file (for GPOVault Enterprise – Client) or gpovault.msi file (for GPOVault Local Edition).

  2. In the Welcome dialog box, click Next.

  3. In the License Agreement dialog box, accept the terms and click Next.

  4. In the Customer Information dialog box, enter your User Name and Organization. Also, select whether this installation is for Anyone who uses this computer or only for you, then click Next.

  5. In the Setup Type dialog box:

    • To accept the default root installation folder: Click Complete -> Next.

    • To specify the root installation folder: Click Custom -> Next. In the Custom Setup dialog box, click Change, select a folder, then click Next.

  6. Click Install to proceed.

  7. Click Finish to exit the wizard.

GPOVault Enterprise: Ownership of the vault is initially set during installation of GPOVault Enterprise. The GPOVault Owner can later be changed only by deleting a particular registry key and then modifying the installation; for instructions or assistance, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support (see the Support section of this guide for contact information). Additional delegations should be configured for other Group Policy administrators.

GPOVault Local Edition: After GPOVault is installed, the first person to launch the GPMC is granted ownership of the vault. (The owner cannot be changed except by reinstalling GPOVault.) The permission granted to this user is Full Control and is displayed in the details pane on the Domain Delegation tab when the Change Control node is selected. Additional delegations should be configured for other Group Policy administrators.

Upgrading Archives from a Previous Version

If upgrading from a previous version of GPOVault to version 2.2, you must upgrade each archive database file created using the previous version so that it will function with version 2.2. Performing this upgrade is independent of the installation of GPOVault Enterprise 2.2 or GPOVault 2.2, but is required only once for each archive.

WARNING: Upgrading archives will reset security

Upgrading the archives will remove all security descriptors from the archive database and therefore will reset all domain- and GPO-level security for GPOs.

Additionally, the GPOVault Owner will be reset. In GPOVault Local Edition, the owner will become the first person to launch the GPMC after this upgrade. In GPOVault Enterprise, the owner will become the GPOVault Owner selected during the initial server installation.

To upgrade archives from a previous version of GPOVault:

  1. After installing GPOVault 2.2 or GPOVault Enterprise 2.2, click Start -> Programs -> Accessories -> Command Prompt.

  2. Enter cd C:\Program Files\DesktopStandard\GPOVault\Tools and press Enter. (If you selected an installation folder for GPOVault other than the default, navigate within that folder to \DesktopStandard\GPOVault\Tools.)

  3. Enter upgrade <ArchivePath>\gpostate.xml where <ArchivePath> is the full path to the archive to be upgraded, then press Enter.

    • In GPOVault Enterprise, the default archive path within the host selected is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

    • In GPOVault Local Edition, the default archive path is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive

  4. Delegate access at the domain level and/or to individual GPOs. (See Delegating Domain-Level Access and Delegating Access to an Individual GPO in the GPOVault Administrator Tasks section of this guide.)

The old archive database file is backed up to gpostate.xml.bak, and the updated archive can now be displayed via the Change Control node of the Group Policy Management Console.

Configuring GPOVault

See the Getting Started with GPOVault section of this guide for an overview of and tips on how to begin using GPOVault to manage GPOs in your organization more effectively.

To enable GPO administrators in a multi-user environment to use the capabilities of GPOVault and to delegate access to GPOs either individually or at the domain level, see the GPOVault Administrator Tasks section in this guide. For additional information on delegation using GPOVault, see Appendix 3: Permissions and Roles Reference.

Selecting an archive location

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that is accessible to all Group Policy administrators, such as a shared folder (\\<servername>\<archive>) or a host server. For more information, see the GPOVault Administrator Tasks section in this guide.

File system permissions

GPOVault Enterprise: Membership in the Group Policy Creator Owners group should be restricted so that it is not used to circumvent GPOVault management of access to GPOs. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

GPOVault Local Edition: All GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions for the archive location. In native Group Policy, Editors and Approvers must be members of the Group Policy Creator Owners group or have delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

Licensing

GPOVault Local Edition does not require a license. (For information about the differences between GPOVault Enterprise and GPOVault Local Edition, see the Welcome section in this guide.)

GPOVault Enterprise is licensed per domain controller. To obtain a free evaluation license or to purchase a license for GPOVault Enterprise, contact DesktopStandard Sales at https://www.desktopstandard.com/sales.

After your license request is approved, a license key will be emailed to you. You can import the license key during the installation of the server component of GPOVault Enterprise, by modifying the installation of the server component of GPOVault Enterprise, or manually.

Importing a License (GPOVault Enterprise Only)

If you have not yet installed GPOVault Enterprise

If you have received a license key file from DesktopStandard and have not yet installed the server component of GPOVault Enterprise, you can import the license during the installation process. See Server Installation earlier in this guide.

To add a license key if you have already installed the server component of GPOVault Enterprise:

  1. On the server on which GPOVault Enterprise is installed, click Start -> Control Panel -> Add or Remove Programs.

  2. Click GPOVault™ Enterprise, then Change.

  3. In the Welcome dialog box, click Next.

  4. In the Program Maintenance dialog box, click Modify -> Next.

  5. In the Custom Setup dialog box, click Next.

  6. In the License Import dialog box, click Browse and select the license.xml file that you received from DesktopStandard. Click Next.

  7. Click Install to proceed.

  8. Click Finish to exit the wizard.

  9. Click Start -> Control Panel -> Administrative Tools -> Services, then right-click GPOVault Service and select Restart to apply the license.

You have imported the license for GPOVault Enterprise. Because GPOVault Enterprise is licensed per domain controller through the server component, it is not necessary to deploy the license to clients or to GPOs.

Manually Importing a License (GPOVault Enterprise Only)

To manually add a license key if you have already installed the server component of GPOVault Enterprise, stop the GPOVault Service, copy the license.xml file to %AllUsersProfile%\Application Data\DesktopStandard\GPOVault, and then restart the GPOVault Service.

Getting Started with GPOVault

This section provides you with an overview of the key concepts needed for using GPOVault, along with tips on where to find additional information.

GPO Development with Change Control

A network administrator who has also worked in a position that includes development tasks may already be familiar with applications such as Microsoft Visual SourceSafe that provide change control (also called version control or source code control) for programming development. If your career path has not taken that direction, the concept of change control may be new to you.

GPO development using GPOVault

The terms check in and check out are used in much the same way as in a library. To use a book that is in a library, you check it out from the library. No one else can use it while you have it checked out. When you are finished with the book, you check the book back into the library so that others can use it.

With GPOVault, you check out a copy of a GPO from the vault to edit it. The state of the GPO will be identified in the GPMC as checked out, preventing any other Editors from editing it. When you are finished editing the GPO, you check the GPO into the vault so that it can be edited by others, reviewed, or deployed to the production environment.
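The check-out lock and the versioned archive described above, as an added illustrative model written for this guide (not GPOVault’s own code). The class and method names (Vault, check_out, check_in, diff, rollback), the Editor names and the sample GPO settings are assumptions; only the behaviour comes from the guide: a checked-out GPO cannot be taken by another Editor, every check-in stores a new version in the archive, and any archived version can be compared against another or rolled back to.

```python
"""Illustrative model of check-in/check-out with a versioned GPO archive.

Added example for this guide, not GPOVault's own code. Names and sample
settings are assumptions; the behaviour modelled is what the guide describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Version:
    number: int
    author: str
    settings: Dict[str, str]
    comment: str


@dataclass
class ArchivedGpo:
    name: str
    versions: List[Version] = field(default_factory=list)
    checked_out_by: Optional[str] = None            # lock holder, None when checked in
    working_copy: Optional[Dict[str, str]] = None   # offline copy being edited

    @property
    def latest(self) -> Version:
        return self.versions[-1]


class Vault:
    """One archive per domain; every controlled GPO keeps its full version history."""

    def __init__(self) -> None:
        self._gpos: Dict[str, ArchivedGpo] = {}

    def control(self, name: str, settings: Dict[str, str], editor: str) -> int:
        """Bring a live GPO under change control; the imported copy becomes version 1."""
        gpo = ArchivedGpo(name)
        gpo.versions.append(Version(1, editor, dict(settings), "imported into archive"))
        self._gpos[name] = gpo
        return 1

    def check_out(self, name: str, editor: str) -> Dict[str, str]:
        """Take the edit lock and hand back a working copy of the latest version."""
        gpo = self._gpos[name]
        if gpo.checked_out_by not in (None, editor):
            raise PermissionError(f"{name} is checked out by {gpo.checked_out_by}")
        gpo.checked_out_by = editor
        gpo.working_copy = dict(gpo.latest.settings)
        return gpo.working_copy

    def check_in(self, name: str, editor: str, comment: str) -> int:
        """Store the working copy as a new version and release the lock."""
        gpo = self._gpos[name]
        if gpo.checked_out_by != editor:
            raise PermissionError(f"{editor} does not hold the check-out on {name}")
        gpo.versions.append(Version(len(gpo.versions) + 1, editor,
                                    dict(gpo.working_copy), comment))
        gpo.checked_out_by = None
        gpo.working_copy = None
        return gpo.latest.number

    def diff(self, name: str, old: int, new: int) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
        """Difference report: setting -> (value in old version, value in new version)."""
        a = self._gpos[name].versions[old - 1].settings
        b = self._gpos[name].versions[new - 1].settings
        return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

    def rollback(self, name: str, to_version: int, editor: str) -> int:
        """Roll back by checking in the older settings as a new version; nothing is deleted."""
        gpo = self._gpos[name]
        self.check_out(name, editor)
        gpo.working_copy = dict(gpo.versions[to_version - 1].settings)
        return self.check_in(name, editor, f"rolled back to version {to_version}")


def demo() -> Dict[str, object]:
    """Constructed scenario: two Editors, alice and bob, working on one GPO."""
    vault = Vault()
    gpo = "Workstation Baseline"
    vault.control(gpo, {"MinimumPasswordLength": "8"}, "alice")
    copy = vault.check_out(gpo, "alice")
    copy["MinimumPasswordLength"] = "12"
    try:                                   # bob is blocked while alice holds the check-out
        vault.check_out(gpo, "bob")
        blocked = False
    except PermissionError:
        blocked = True
    v2 = vault.check_in(gpo, "alice", "raise minimum password length")
    report = vault.diff(gpo, 1, v2)        # what changed between version 1 and 2
    v3 = vault.rollback(gpo, 1, "bob")     # now checked in again, so bob can proceed
    return {"blocked": blocked, "v2": v2, "report": report, "v3": v3,
            "after_rollback": vault.diff(gpo, 1, v3)}


if __name__ == "__main__":
    print(demo())
```

The rollback deliberately produces version 3 rather than deleting version 2, which is what makes an archive auditable: the history still shows that the setting was raised and then reverted, by whom, and with what comment.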

Roles-Based Delegation

GPOVault provides a comprehensive roles-based delegation model that is easy to use. Permissions in the context of GPOVault are focused on three levels: forest, domain, and GPO. The forest-level permissions provide access to all domains to be included. Domain-level permissions allow GPOVault Administrators to provide access to individual domains without providing access to other domains. GPO-based delegation provides the finest level of permissions in the environment. This enables GPOVault Administrators to allow access only to specific GPOs. Together, the three levels provide a rich delegation model that tightens control of your critical configuration data.

Within GPOVault, there are specifically defined roles. These roles are GPOVault Administrator (Full Control), Approver, Reviewer, and Editor. GPOVault provides a GPOVault Administrator with the flexibility to customize GPO access to fit the needs of your organization. By default, only Approvers have the power to deploy GPOs to the production environment, protecting the environment from inadvertent mistakes by less experienced Editors. Also by default, Reviewers are able to view GPO settings in reports without being able to alter the GPO settings. However, with custom permissions, a GPOVault Administrator can give Editors permission to deploy GPOs, Reviewers the ability to edit GPOs, senior Editors full access to GPOs, or any special combination of permissions needed to fit the unique requirements of your organization.

Default Permissions for Roles

Permissions (table columns): List Contents, Read Settings, Edit Settings, Create GPO, Deploy GPO, Delete GPO, Modify Options, Modify Security, Create Template

Roles (table rows): Reviewer, Editor, Approver, GPOVault Administrator (Full Control)

[Table placeholder: the check marks showing which permissions each role has by default were a graphic in the original and are not reproduced in this text.]

Key: A check mark means that, by default, this role has these permissions.

Tip: Roles, permissions, and delegation

For detailed information on which permissions are required for particular tasks in GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

Delegation in a Multiple Editor Environment

In an environment where multiple Group Policy administrators make changes to GPOs, a GPOVault Administrator delegates permission to an Editor or Editors to make changes to a GPO. Once an Editor has finished making changes, the GPO is submitted to Reviewers (such as peer Editors or Approvers) for review, and finally an Approver deploys the GPO to the production environment.

A typical development process for an Editor and an Approver

Tip: How do I...?

The tasks section of this guide is separated by role. For example, step-by-step instructions for tasks typically performed by an Editor are provided in the Editor Tasks section. Because all roles include the role of Reviewer, however, information on reviewing settings and comparing GPOs is provided in the Reviewer Tasks section.

Finding the Change Control Node

GPOVault adds a Change Control node to each domain displayed in the Group Policy Management Console. In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree. Each domain has a Change Control node under it, and there is one archive (or vault) per domain.

Tip: GPOVault user interface

For detailed information on GPOVault controls, menus, icons, and settings, including those not accessed through the Change Control node, see Appendix 2: GPOVault User Interface in this guide.

GPOVault Administrator Tasks

In an environment in which multiple people develop GPOs, GPOVault provides the flexibility to choose whether all GPOVault users perform the same tasks and have the same level of access or whether GPOVault Administrators delegate control to Editors who make most changes to GPOs and to Approvers who then deploy GPOs to the production environment. GPOVault Administrators can configure permissions for GPOVault users to meet the needs of your organization.

This section provides information on using GPOVault to perform tasks that are typically the responsibility of a GPOVault Administrator, such as modifying domain-wide and vault-wide options and configuring permissions for GPOVault users. By default, a GPOVault Administrator is an individual with Full Control—all GPOVault permissions. The Modify Options and Modify Security permissions are unique to the role of GPOVault Administrator.

Tip: Creating, editing, deploying, or deleting GPOs

For information on creating, deploying, or deleting GPOs, see the Approver Tasks section in this guide.

For information on editing, renaming, labeling, or archiving GPOs, creating templates, or setting a default template, see the Editor Tasks section in this guide.

For information on reviewing settings and comparing GPOs, see the Reviewer Tasks section in this guide.

Tip: File system permissions

GPOVault Enterprise: Membership in the Group Policy Creator Owners group should be restricted so that it is not used to circumvent GPOVault management of access to GPOs. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

GPOVault Local Edition: All GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions for the archive location. In native Group Policy, Editors and Approvers must be members of the Group Policy Creator Owners group or have delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.)

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By providing a share path to or specifying a server for the archive, this archive can be used by multiple Group Policy administrators.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display. (Automatically detect server will be available in future versions of GPOVault.):

    • GPOVault Enterprise: Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600, and the path within the server is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive. This path can be modified using an advanced procedure; for details, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance (see the Support section of this guide).

    • GPOVault Local Edition: Click Use a local or shared folder archive. Enter a path for the archive, or click the browse button to navigate to a location. (By default, the archive is stored in %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive, but it can be stored anywhere on a file system.)

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Selecting an archive location

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that is accessible to all Group Policy administrators, such as a shared folder or a host server.

The location selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Delegating Domain-Level Access

Set up the delegation model for your environment so that the delegated GPO administrators will have the appropriate access to and control over GPOs. There are baseline permissions to be applied that will make the operation of GPOVault more efficient, but permissions can be granted in any manner that meets the needs of your organization.

To delegate access so that selected users and groups have certain permissions to all GPOs throughout a domain:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Click the Domain Delegation tab, then click the Advanced button.

  3. On the Permissions dialog box, click the checkbox for each role to be assigned to an individual, then click the Advanced button. (Note: Editor and Approver include Reviewer permissions.)

  4. On the Advanced Security Settings dialog box, select a GPO administrator and click Edit.

  5. For Apply onto, select This object and nested objects, configure any special permissions beyond the standard GPOVault roles, then click OK on the Permission Entry dialog box.

  6. On the Advanced Security Settings dialog box, click OK.

  7. On the Permissions dialog box, click OK.

Tip: Delegating read access to GPOVault

To delegate read access to any Group Policy administrators who use GPOVault, you must grant them List Contents as well as Read Settings permissions. This will enable them to view GPOs on the Contents tab of GPOVault. Set the permission to apply to This object and nested objects. Other permissions must be explicitly delegated. For details on GPOVault permissions, see Appendix 3: Permissions and Roles Reference in this guide.
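The delegation model described in the Roles-Based Delegation section and in the tip above, as an added illustrative model written for this guide (not GPOVault’s own code). The default permission set for each role is inferred from this guide’s descriptions of the roles (Appendix 3 is the authoritative reference), the class, function, group and user names are assumptions, and deny-overrides-allow is assumed from the Windows ACL convention. It shows the two points the guide makes: a domain-level entry reaches individual GPOs only when applied to This object and nested objects, and viewing a GPO needs List Contents and Read Settings together.

```python
"""Illustrative model of GPOVault-style role-based delegation.

Added example for this guide, not GPOVault's own code. Role sets are inferred
from the guide's text; names are assumptions; deny-wins is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

PERMISSIONS = ("List Contents", "Read Settings", "Edit Settings", "Create GPO",
               "Deploy GPO", "Delete GPO", "Modify Options", "Modify Security",
               "Create Template")

# Default role sets (assumed from the guide): Editor and Approver include Reviewer.
REVIEWER = frozenset({"List Contents", "Read Settings"})
EDITOR = REVIEWER | {"Edit Settings", "Create Template"}
APPROVER = REVIEWER | {"Create GPO", "Deploy GPO", "Delete GPO"}
FULL_CONTROL = frozenset(PERMISSIONS)


@dataclass(frozen=True)
class Ace:
    """One permission entry, as set on the Domain Delegation tab or on a single GPO."""
    principal: str
    permissions: FrozenSet[str]
    allow: bool = True
    nested: bool = True   # True = "This object and nested objects"; False = "This object only"


class Delegation:
    def __init__(self) -> None:
        self.domain: List[Ace] = []          # entries made on the Domain Delegation tab
        self.gpo: Dict[str, List[Ace]] = {}  # entries made on an individual GPO

    def effective(self, user: str, groups: Iterable[str],
                  gpo: Optional[str] = None) -> FrozenSet[str]:
        """Permissions a user holds at domain level (gpo=None) or on one GPO.
        Assumption: an explicit deny wins over any allow, as in a Windows ACL."""
        ids = {user, *groups}
        allowed, denied = set(), set()
        for ace in self.domain:
            # a domain entry applies to a GPO only if it was set to reach nested objects
            if ace.principal in ids and (gpo is None or ace.nested):
                (allowed if ace.allow else denied).update(ace.permissions)
        for ace in self.gpo.get(gpo, []):
            if ace.principal in ids:
                (allowed if ace.allow else denied).update(ace.permissions)
        return frozenset(allowed - denied)

    def can_view(self, user: str, groups: Iterable[str], gpo: str) -> bool:
        """The Contents tab shows a GPO only with List Contents AND Read Settings."""
        return REVIEWER <= self.effective(user, groups, gpo)

    def can(self, user: str, groups: Iterable[str], gpo: str, permission: str) -> bool:
        return permission in self.effective(user, groups, gpo)


def demo() -> Dict[str, bool]:
    """Constructed scenario with assumed group and user names."""
    d = Delegation()
    d.domain += [
        Ace("GP-Editors", EDITOR),                        # reaches every GPO in the domain
        Ace("GP-Approvers", APPROVER),
        Ace("auditor", frozenset({"Read Settings"})),     # List Contents was forgotten
        Ace("gpadmin", FULL_CONTROL, nested=False),       # set to "This object only" by mistake
    ]
    # GPO-level deny carves one sensitive GPO out of the Editors' domain-wide grant
    d.gpo["Domain Controllers Lockdown"] = [
        Ace("GP-Editors", frozenset({"Edit Settings"}), allow=False)]
    base, lock = "Workstation Baseline", "Domain Controllers Lockdown"
    return {
        "alice_edits_baseline": d.can("alice", ["GP-Editors"], base, "Edit Settings"),
        "alice_edits_lockdown": d.can("alice", ["GP-Editors"], lock, "Edit Settings"),
        "alice_views_lockdown": d.can_view("alice", ["GP-Editors"], lock),
        "bob_deploys": d.can("bob", ["GP-Approvers"], base, "Deploy GPO"),
        "bob_edits": d.can("bob", ["GP-Approvers"], base, "Edit Settings"),
        "auditor_views": d.can_view("auditor", [], base),
        "gpadmin_on_gpo": d.can("gpadmin", [], base, "Modify Security"),
        "gpadmin_on_domain": "Modify Security" in d.effective("gpadmin", []),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure cases in the scenario are the ones the tip above warns about: the auditor holds Read Settings but not List Contents and so sees nothing on the Contents tab, and the administrator whose domain entry applies to This object only has Full Control at domain level yet no permissions on any individual GPO.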

Tip: Provide Editors with read access to deployed GPOs

Editors must have Read permission for the deployed copy of a GPO to make full use of Microsoft’s Software Installation extension to Group Policy. For more information, see Software Installation Extension Fails to Install Software in the Troubleshooting section of this guide.

Delegating Access to an Individual GPO

A GPOVault Administrator can delegate the management of a controlled GPO so that selected groups and Editors can edit it, Reviewers can review it, and Approvers can approve it.

To delegate the management of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display controlled GPOs, then click the GPO to delegate.

    ~GPOVUG14.jpg

  3. Click the Add button, then select the users or groups to be permitted access, then click OK.

    ~GPOVUG15.jpg

  4. To customize the permissions for each, click the Advanced button on the Contents tab and check role permissions to allow or deny. (For more detailed control, click Advanced in the Permissions dialog box.)

  5. Click Apply -> OK in the Permissions dialog box window.

    ~GPOVUG16.jpg

Configuring Email Notification

When an Editor or Reviewer attempts to create, deploy, or delete a GPO, a request for this action is sent to a designated email address or addresses. An Approver must approve these actions for them to be implemented.

To configure email notification for GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Domain Delegation tab.

  3. In the From field, enter the email alias for GPOVault from which notifications to Approvers will be sent.

  4. In the To field, enter valid email addresses for all Approvers who should receive requests for approval.

  5. In the SMTP server field, enter a valid SMTP mail server.

  6. In the User name and Password fields, enter the credentials of a user with access to the SMTP service.

  7. Click Apply.

~GPOVUG17.jpg

Tip: Email configuration—a domain-level setting

Email notification for GPOVault is a domain-level setting. You can provide different Approver email addresses or GPOVault aliases on each domain’s Domain Delegation tab, or use the same addresses throughout your environment.
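An added example, not part of GPOVault: before Approvers depend on the notification path, submit a test message using the same From alias, Approver addresses, SMTP server and credentials you entered on the Domain Delegation tab, so a relay that rejects the sender or the account is found now rather than when the first deployment request goes unanswered. All addresses and host names are placeholders. The tab has no port or TLS field, so port 25 without TLS is assumed here; adjust for a 587/STARTTLS relay. Because the account's password is entered into GPOVault's domain-level settings, a dedicated send-only mailbox account is the sensible choice for it.

```powershell
# Added example, not part of GPOVault: submit a test message with the same From
# alias, Approver addresses, SMTP server and credentials entered on the Domain
# Delegation tab, so a relay that rejects the sender or the account is found
# before the first real deployment request goes unanswered.
# Addresses and host names are placeholders. The tab has no port or TLS field,
# so port 25 without TLS is assumed here; adjust for a 587/STARTTLS relay.
$From       = 'gpovault@example.com'
$Approvers  = 'gpo-approvers@example.com', 'jane.doe@example.com'
$SmtpServer = 'smtp.example.com'
$Port       = 25
$UseSsl     = $false

# Use a dedicated, send-only mailbox account here. Its password is stored in
# GPOVault's domain-level settings, so it should unlock nothing else.
$Credential = Get-Credential -Message 'SMTP account entered on the Domain Delegation tab'

function Test-GpoVaultNotification {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [Parameter(Mandatory)][string]$SmtpServer,
        [int]$Port = 25,
        [bool]$UseSsl = $false,
        [pscredential]$Credential
    )
    # 1. Is the relay reachable on that port from this GPOVault client at all?
    $tcp = Test-NetConnection -ComputerName $SmtpServer -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Stage = 'tcp'; Success = $false; Detail = "no route to ${SmtpServer}:$Port" }
    }
    # 2. Does the relay accept this account, this sender and these recipients?
    $body = "Test notification sent $(Get-Date -Format o) from $env:COMPUTERNAME by $env:USERNAME. " +
            "If you are reading this, requests from GPOVault Editors and Reviewers will reach you."
    try {
        Send-MailMessage -From $From -To $To -Subject '[GPOVault] notification test' -Body $body `
                         -SmtpServer $SmtpServer -Port $Port -UseSsl:$UseSsl -Credential $Credential `
                         -ErrorAction Stop -WarningAction SilentlyContinue
        return [pscustomobject]@{ Stage = 'smtp'; Success = $true; Detail = "accepted for $($To -join ', ')" }
    } catch {
        # Typical causes: 535 bad credentials, 550 sender not permitted, relay denied.
        return [pscustomobject]@{ Stage = 'smtp'; Success = $false; Detail = $_.Exception.Message }
    }
}

$result = Test-GpoVaultNotification -From $From -To $Approvers -SmtpServer $SmtpServer `
                                     -Port $Port -UseSsl $UseSsl -Credential $Credential
$result | Format-List
if (-not $result.Success) { exit 1 }
```

A successful SMTP submission only proves the relay accepted the message; have one Approver confirm the test actually arrived in their mailbox, since a relay that accepts and then quarantines mail from an unknown alias looks identical from this side.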

Starting and Stopping the GPOVault Service (GPOVault Enterprise Only)

The GPOVault Service enables clients to manage live and archived GPOs and enforces the GPOVault delegation model, providing a level of security beyond that available with Windows alone.

To start or stop the GPOVault Service:

  1. On the GPOVault server, click Start -> Control Panel -> Administrative Tools -> Services.

  2. In the list of services, right-click GPOVault Service and select Start, Restart, or Stop. (For additional options, double-click GPOVault Service.)

~GPOVUG18.jpg

Tip: Stopping the GPOVault Service
Stopping or disabling the GPOVault Service will prevent GPOVault clients from performing any operations (such as listing or editing GPOs) through the server.

Modifying the GPOVault Service Account (GPOVault Enterprise Only)

The GPOVault Service is the Windows service that enables GPOVault clients to manage live and archived GPOs and enforces the GPOVault delegation model, providing a level of security beyond that available with Windows alone. If this service is stopped or disabled, GPOVault clients cannot perform operations through the server.

Tip: Selecting the GPOVault Service Account

The GPOVault Service Account must have full access to the GPOs that it will manage and must hold the Log on as a service user right. If you will be managing GPOs on a single domain, you can make the Local System account for the primary domain controller the GPOVault Service Account.

If you will be managing GPOs on multiple domains or if a member server will be the GPOVault server, you should configure a different account as the GPOVault Service Account since the Local System account for one domain controller would be unable to access GPOs on other domains.

The GPOVault Service Account is initially selected during the Server Installation of GPOVault Enterprise. To modify the GPOVault Service Account after installation:

  1. In Windows, click Start -> Control Panel -> Administrative Tools -> Services.

  2. In Services, double-click GPOVault Service.

  3. Click the Log On tab and select an account to serve as the GPOVault Service Account, then click OK.

~GPOVUG19.jpg
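The following is an added example, not code from GPOVault: a set of server-side health checks for the GPOVault Service, run in an elevated PowerShell session on the GPOVault server. It reports the service state and logon account, checks that the account holds the Log on as a service right the tip above requires, and checks that something is listening on TCP 4600, the port the Archive Location tab points clients at. The display name GPOVault Service and the port come from this guide; the helper names and the temporary file path are assumptions.

```powershell
# Added example, not code from GPOVault: server-side health checks for the
# GPOVault Service (Enterprise only), run in an elevated session on the GPOVault
# server. It reports the service state and logon account, checks that the
# account holds the "Log on as a service" right, and checks that something is
# listening on TCP 4600. The display name and port come from this guide; the
# helper names and the temp file path are assumptions.
$DisplayName = 'GPOVault Service'
$Port        = 4600

function Get-GpoVaultService {
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName = '$DisplayName'"
    if (-not $svc) { throw "'$DisplayName' is not installed on $env:COMPUTERNAME" }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State          # Running / Stopped
        StartMode = $svc.StartMode      # Auto / Manual / Disabled
        Account   = $svc.StartName      # LocalSystem or DOMAIN\svc-gpovault
    }
}

function Test-ServiceLogonRight {
    # Exports the local user-rights policy with secedit and looks for the
    # account's SID in SeServiceLogonRight (entries are '*SID' or plain names).
    param([Parameter(Mandatory)][string]$Account)
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    if ($Account -in $builtIn) { return $true }    # these hold the right implicitly
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
        if (-not $line) { return $false }
        $grantees = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        return ($grantees -contains $sid) -or ($grantees -contains $Account)
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Test-GpoVaultListening {
    param([int]$Port)
    # Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
    $listen = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    return [bool]$listen
}

$svc = Get-GpoVaultService
$svc | Format-List
if ($svc.State -ne 'Running') {
    Write-Warning "Clients cannot list or edit GPOs while the service is $($svc.State)."
    Write-Warning "Start it with: Start-Service -DisplayName '$DisplayName'"
}
if ($svc.StartMode -ne 'Auto') {
    Write-Warning "Start mode is $($svc.StartMode); the service will not come back after a reboot."
}
if (-not (Test-ServiceLogonRight -Account $svc.Account)) {
    Write-Warning "$($svc.Account) lacks the 'Log on as a service' right; the service will fail to start."
}
if (-not (Test-GpoVaultListening -Port $Port)) {
    Write-Warning "Nothing is listening on TCP $Port; clients pointed at this server will fail."
}
```

Whatever account you pick on the Log On tab, remember that it has full control of every GPO it manages and that the service enforces the delegation model on behalf of all clients; treat its password like a domain administrator's, and from a client confirm reachability of the server with Test-NetConnection against port 4600 before changing the Archive Location tab.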

Editor Tasks

This section provides information on using GPOVault to perform tasks that are typically the responsibility of an Editor—a person authorized by a GPOVault Administrator to make changes to GPOs. By default, an Editor has permission to list the contents of GPOs, read GPO settings, edit GPO settings, delete a GPO, rename a GPO, create a GPO template, and set the default template.

Tip: Reviewing settings and comparing GPOs

Because the permissions of an Editor include all those of a Reviewer, an Editor can also review settings and compare GPOs. See Reviewing Settings and Comparing GPOs under the Reviewer Tasks section in this guide for details.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display (Automatically detect server will be available in future versions of GPOVault):

    ~GPOVUG20.jpg

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the archive location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Creating, Controlling, or Archiving a GPO

To use GPOVault to provide change control for a GPO, you must first control the GPO with GPOVault. New GPOs created through the Change Control node will automatically be controlled. As an Editor, you may not have permission to complete the control, creation, or deletion of a GPO, but you do have the permission necessary to begin the process and submit your request to an Approver.

Requesting Control of a Previously Uncontrolled GPO

~GPOVUG21.jpg

To control a previously uncontrolled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Uncontrolled tab to display the uncontrolled GPOs.

  3. Right-click the GPO to be controlled with GPOVault, then click Control.

  4. Unless you have special permission to control GPOs, you must submit a request for control. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History of the GPO and click Submit.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be removed from the list on the Uncontrolled tab and added to the Pending tab.

~GPOVUG22.jpg

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Uncontrolled tab.

Requesting the Creation of a New Controlled GPO

~GPOVUG23.jpg

To create a new GPO with change control managed through GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Right-click the Change Control node, then click New Controlled GPO.

  3. Unless you have special permission to create GPOs, you must submit a request for creation. In the New Controlled GPO dialog box:

    1. To receive a copy of the request, enter your email address in the Cc field.

    2. Enter a name for the new GPO.

    3. Optional: Enter a comment for the new GPO.

    4. To deploy the new GPO to the production environment immediately upon approval, click Create live. To create the new GPO offline without immediately deploying it upon approval, click Create offline.

    5. Select the GPO template to use as a starting point for the new GPO.

    6. Click Submit.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new GPO will be displayed in the list of GPOs on the Pending tab.

~GPOVUG24.jpg

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be destroyed.

Archiving a GPO

~GPOVUG25.jpg

If changes are made to a GPO outside of GPOVault, you can perform an archive operation to save a copy of the currently deployed version of the GPO to the vault, bringing the vault and the production environment back to a consistent state.

To archive a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO, then click Archive.

  4. Enter a comment for the audit trail of the GPO, then click OK.

Editing a GPO

If the GPO is not yet controlled by GPOVault, request control of the GPO. (See Creating, Controlling, or Archiving a GPO.)

To make changes to a GPO offline without immediately impacting the deployed version of the GPO, check out a copy of the GPO from the vault. Once changes are complete, check the GPO back into the vault and request deployment of the GPO to the production environment.

Checking out a GPO

~GPOVUG26.jpg

To check a GPO out from the vault for editing:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs. Right-click the GPO to be edited, then click Check Out.

  3. Enter a comment to be displayed in the History of the GPO while it is checked out, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked Out.

Editing a GPO Offline

~GPOVUG27.jpg

To make changes to a controlled GPO, you must first check out the GPO.

To edit a GPO offline:

  1. On the Controlled tab, right-click the GPO to be edited, then click Edit.

  2. A Group Policy Object Editor window will open to enable you to make changes to an offline copy of the GPO. When changes are complete, close the Group Policy Object Editor.

Tip: Using Software Installation packages

When editing a GPO, any Software Installation upgrade of a package in another GPO should reference the deployed GPO, not the checked-out copy. (For more information, see Software Installation Extension Fails to Install Software under Troubleshooting.)

Using a Test Environment

If you use a testing organizational unit (OU) to test GPOs before deployment to the production environment, you must have the necessary permissions to access the test OU.

~GPOVUG28.jpg

To use a test OU:

  1. While you have the GPO checked out for editing, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects.

  2. Click the checked out copy of the GPO to be tested. The name will be preceded with [Checked Out]. (If it is not listed, click Action -> Refresh. Sort the names alphabetically, and [Checked Out] GPOs will typically appear at the top of the list.)

  3. Drag and drop the GPO to the test OU.

  4. Click OK in the dialog box asking whether to create a link to the GPO in the test OU.

When testing is complete, checking in the GPO will automatically delete the link to the checked out copy of the GPO.
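The following is an added example, not code from GPOVault: the same test-OU procedure carried out from PowerShell with the Microsoft GroupPolicy module, which links the checked-out copy to the test OU, refreshes a test computer and captures its Resultant Set of Policy, and then verifies after Check In that the link GPOVault deletes is really gone. The GPO name, OU distinguished name and test computer are placeholders; the [Checked Out] prefix is the naming convention this guide describes.

```powershell
# Added example, not code from GPOVault: link the checked-out copy of a GPO to
# the test OU from PowerShell, refresh a test machine, and after Check In confirm
# that the link is gone. Requires the GroupPolicy module. The GPO name, OU
# distinguished name and test computer are placeholders; the '[Checked Out] '
# prefix is the naming convention this guide describes.
Import-Module GroupPolicy

$CheckedOut = '[Checked Out] Workstation Baseline'
$TestOu     = 'OU=GPO Test,OU=Workstations,DC=example,DC=com'
$TestHost   = 'TEST-PC01'

function Get-OuLinkNames {
    param([Parameter(Mandatory)][string]$Target)
    (Get-GPInheritance -Target $Target).GpoLinks | ForEach-Object { $_.DisplayName }
}

function Add-CheckedOutCopyLink {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Target
    )
    # Only the checked-out copy belongs here. Linking the deployed copy to the
    # test OU proves nothing, and linking a checked-out copy anywhere else
    # would push untested, unapproved settings onto production objects.
    if ($GpoName -notmatch '^\[Checked Out\] ') { throw "'$GpoName' is not a checked-out copy" }
    if ($Target -notmatch '^OU=GPO Test,')     { throw "'$Target' is not the test OU" }
    $null = Get-GPO -Name $GpoName -ErrorAction Stop   # fails until the check-out is visible
    if ((Get-OuLinkNames -Target $Target) -contains $GpoName) { return }
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction Stop | Out-Null
}

function Test-CheckedOutLinkRemoved {
    # Call this after Check In or Undo Check Out: the guide says GPOVault deletes
    # the link itself, and a stale link would leave a dead GPO reference on the OU.
    param([string]$GpoName, [string]$Target)
    if ((Get-OuLinkNames -Target $Target) -contains $GpoName) {
        Write-Warning "Link to '$GpoName' still present; remove it with: Remove-GPLink -Name '$GpoName' -Target '$Target'"
        return $false
    }
    return $true
}

# 1. While the GPO is checked out, link the working copy to the test OU.
Add-CheckedOutCopyLink -GpoName $CheckedOut -Target $TestOu

# 2. Apply it on a test computer and capture what actually resulted.
Invoke-Command -ComputerName $TestHost -ScriptBlock { gpupdate /target:computer /force } | Out-Null
$report = Join-Path $env:TEMP "rsop-$TestHost.html"
Get-GPResultantSetOfPolicy -Computer $TestHost -ReportType Html -Path $report
Write-Host "Resultant Set of Policy for $TestHost written to $report"

# 3. After checking the GPO back in through GPOVault, run:
#    Test-CheckedOutLinkRemoved -GpoName $CheckedOut -Target $TestOu
```

The two guard clauses in Add-CheckedOutCopyLink are the point of the example: the GPMC drag-and-drop in the steps above will happily link a checked-out copy to any OU you drop it on, and nothing in the approval workflow stops untested settings from applying there until check-in removes the link.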

Checking in a GPO

~GPOVUG29.jpg

To check a GPO into the vault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

    • If no changes have been made to the GPO, right-click the GPO and click Undo Check Out, then click Yes to confirm.

    • If changes have been made to the GPO, right-click the GPO and click Check In.

  3. Enter a comment to be displayed in the audit trail of the GPO, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

Requesting Deployment of a GPO

~GPOVUG30.jpg

To request the deployment of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be deployed and click Deploy.

  4. Unless you have special permission to deploy GPOs, you must submit a request for deployment. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the History for the GPO, then click Submit.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Controlled tab and deployed.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Controlled tab.

Labeling a Version of a GPO

~GPOVUG31.jpg

To insert a label into the History of a GPO (for example, to serve as a marker of a known good version for rollback):

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to label, then click Label.

  4. Enter a label and a comment to be displayed in the History of the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

Renaming a GPO or Template

~GPOVUG32.jpg

To rename a GPO or template:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled or Templates tab to display the item to rename.

  3. Right-click the GPO or template to rename and click Rename.

  4. Enter the new name for the GPO or template and a comment, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO or template now appears under the new name on the Contents tab.

Tip: Deployed GPO name is updated upon redeployment

When you rename a GPO that has been deployed, only the name displayed in the archive is immediately updated. The name of the deployed copy in the production environment is updated when the GPO is redeployed.

Until the GPO is redeployed (or the production copy is deleted), the old GPO name is still in use in the production environment and therefore cannot be used for another GPO. Likewise, the archive copy cannot be renamed back to its original name until the GPO has been deployed (updating the name of the production copy) or the production copy has been deleted.

Creating a Template and Setting a Default Template

Creating a GPO template enables you to save all of the settings of a particular version of a GPO to use as a starting point for creating new GPOs and to share that template with other Group Policy administrators. As an Editor, you can also specify which of the available templates will be the default template for all Group Policy administrators creating new GPOs.

Tip: Templates

A template is an uneditable, frozen version of a GPO for use as a starting point for creating new, editable GPOs. Renaming or deleting a template does not impact GPOs created from that template. Because it cannot be altered, a template does not have a history.

Creating a Template

~GPOVUG33.jpg

To create a template based on an existing GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled or Uncontrolled tab to display available GPOs.

  3. Right-click the GPO from which you want to create a template, then click Save as Template.

  4. Enter a name for the template and a comment, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new template now appears on the Templates tab.

~GPOVUG34.jpg

Setting a Default Template

~GPOVUG35.jpg

To set the default template for all Group Policy administrators to use when creating new GPOs:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Templates tab to display available templates.

  3. Right-click the template that you want to set as the default, then click Set as Default.

  4. Click Yes to confirm.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The default template will have a blue icon and the state will be identified as Template (default) on the Templates tab.

~GPOVUG36.jpg

Tip: The default template—an option, not a requirement

After you set a template as the default, that template will be the one initially selected in the New Controlled GPO dialog box when Group Policy administrators create new GPOs. However, they will have the option to select a different GPO template, including <Empty GPO>, which does not include any settings.

Deleting a GPO

~GPOVUG37.jpg

As an Editor, you may not have permission to complete the deletion of a GPO, but you do have the permission necessary to begin the process and submit your request to an Approver.

To request the deletion of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

      ~GPOVUG38.jpg

    Unless you have special permission to delete GPOs, you must submit a request for deletion of the deployed GPO. To receive a copy of the request, enter your email address in the Cc field. Enter a comment to be displayed in the audit trail for the GPO, then click Submit.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be displayed on the list of GPOs on the Pending tab.

When an Approver has approved your request, the GPO will be moved from the Pending tab to the Recycle Bin tab, where it can be restored or destroyed.

Tip: Withdrawing a request

To withdraw your request before it has been approved, click the Pending tab. Right-click the GPO, then click Withdraw. The GPO will be returned to the Controlled tab.

Tip: Only controlled GPOs can be deleted from the vault

A GPO must be controlled by GPOVault before it can be deleted from the vault.

To delete an uncontrolled GPO from the production environment without first controlling it, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects. Right-click the uncontrolled GPO, then click Delete.

Approver Tasks

This section provides information on using GPOVault to perform tasks that are typically the responsibility of an Approver—a person authorized by a GPOVault Administrator to create, deploy, and delete GPOs and to approve or reject requests for those actions. By default, an Approver has permission to list GPOs, read GPO settings, create GPOs, deploy GPOs, and delete GPOs. Also, if an Approver creates or controls a GPO, that Approver has full control over it and so can perform tasks normally associated with an Editor on that GPO.

Tip: Reviewing settings and comparing GPOs

Because the permissions of an Approver include all those of a Reviewer, an Approver can also review settings and compare GPOs. See Reviewing Settings and Comparing GPOs under the Reviewer Tasks section in this guide for details.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display (Automatically detect server will be available in future versions of GPOVault):

    ~GPOVUG39.jpg

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Approving or Rejecting a Pending Action

The core responsibility of an Approver is to evaluate and then approve or reject requests for GPO creation, deployment, and deletion from Editors or Reviewers who do not have permission to complete those actions. The report capabilities of GPOVault can assist an Approver with evaluating a new version of a GPO.

To approve or reject a pending request:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. ~GPOVUG40.jpg

    On the Contents tab, click the Pending tab to display the pending GPOs.

  3. Right-click a pending GPO, then click either Approve or Reject.

  4. If approving deployment, to review links to the GPO, click Advanced in the Approve Pending Operation dialog box. Move the mouse cursor over a node in the tree to display details. By default, all links to the GPO will be restored. To prevent a link from being restored, clear the checkbox for that link. To prevent all links from being restored, clear the Restore Links checkbox in the Deploy GPO dialog box.

    ~GPOVUG41.jpg

  5. Click Yes or OK to confirm approval or rejection of the pending action. If you have approved the request, the GPO will be moved to the appropriate tab for the action performed.

Tip: Email notification

If an Approver’s email address is included in the To field on the Domain Delegation tab, the Approver will receive email from the GPOVault alias when an Editor or Reviewer submits a request.

Creating, Controlling, or Archiving a GPO

To use GPOVault to provide change control for a GPO, you must first control the GPO with GPOVault. New GPOs created through the Change Control node will automatically be controlled.

Controlling a Previously Uncontrolled GPO

~GPOVUG42.jpg

To control a previously uncontrolled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Uncontrolled tab to display the uncontrolled GPOs.

  3. Right-click the GPO to be controlled with GPOVault, then click Control.

  4. Enter a comment to be displayed in the GPO’s history, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The GPO will be removed from the list on the Uncontrolled tab and added to the Controlled tab.

Creating a New Controlled GPO

To create a new GPO with change control managed through GPOVault:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. Right-click the Change Control node, then click New Controlled GPO.

  3. In the New Controlled GPO dialog box:

    ~GPOVUG43.jpg

    1. Enter a name for the new GPO.

    2. Optional: Enter a comment for the new GPO to be displayed in the History for the GPO.

    3. To immediately deploy the new GPO to the production environment, click Create live. To create the new GPO offline without immediately deploying it, click Create offline.

    4. Select the GPO template to use as a starting point for the new GPO.

    5. Click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. The new GPO will be displayed in the list of GPOs on the Controlled tab.

Delegating Access to a GPO

An Approver can delegate the management of a controlled GPO that was created by that Approver. Like a GPOVault Administrator, the Approver can delegate access to such a GPO so that selected groups and Editors can edit it, Reviewers can review it, and other Approvers can approve it. By default, an Approver cannot delegate access to GPOs created by someone else.

To delegate the management of a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display controlled GPOs, then click the GPO to delegate.

    ~GPOVUG44.jpg

  3. Click the Add button, then select the users or groups to be permitted access, then click OK.

    ~GPOVUG45.jpg

    ~GPOVUG46.jpg

  4. To customize the permissions for each, click the Advanced button on the Contents tab and check role permissions to allow or deny. (For more detailed control, click Advanced in the Permissions dialog box.)

  5. Click Apply -> OK in the Permissions dialog box window.

Archiving a GPO

~GPOVUG47.jpg

If changes are made to a GPO outside of GPOVault, you can perform an archive operation to save a copy of the currently deployed version of the GPO to the vault, bringing the vault and the production environment back to a consistent state.

To archive a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO, then click Archive.

  4. Enter a comment for the audit trail of the GPO, then click OK.

Checking in a GPO

~GPOVUG48.jpg

To check in a GPO that has been checked out by an Editor:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled tab to display the controlled GPOs.

    • To discard any changes made by the Editor, right-click the GPO and click Undo Check Out, then click Yes to confirm.

    • To retain changes made by the Editor, right-click the GPO and click Check In.

  3. Enter a comment to be displayed in the audit trail of the GPO, then click OK.

  4. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. On the Controlled tab, the state of the GPO is now identified as Checked In.

Deploying a GPO

GPOVault enables an Approver to either deploy a new version of a GPO or redeploy an earlier version from the GPO’s history.

Deploying a New or Edited GPO

To deploy a new or edited version of a GPO to the production environment:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

    ~GPOVUG49.jpg

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to be deployed and click Deploy.

  4. To review links to the GPO, click Advanced. Move the mouse cursor over a node in the tree to display details. By default, all links to the GPO will be restored. To prevent a link from being restored, clear the checkbox for that link. To prevent all links from being restored, clear the Restore Links checkbox in the Deploy GPO dialog box.

    ~GPOVUG50.jpg

  5. Click Yes. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

Tip: Verifying deployment

To verify whether the most recent version of a GPO has been deployed, on the Controlled tab, double-click the GPO to display its History. In the History for the GPO, the State column will indicate whether a GPO has been deployed.

Deploying a Previous Version of a GPO

To deploy a previous version of a GPO to the production environment, overwriting the version currently in production:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Double-click the GPO to be deployed to display its History.

  4. Right-click the version to be deployed and click Deploy -> Yes.

    ~GPOVUG51.jpg

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close. In the History window, click Close.

Tip: Verifying the version

To verify that the version that has been redeployed matches the version intended, examine a difference report for the two versions. In the History window for the GPO, highlight the two versions, then right-click and select Difference and either HTML Report or XML Report.
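As an added example, and not GPOVault's own difference reporting, the following PowerShell gives a second, GPOVault-independent check for the verification tips above: it snapshots the deployed GPO's settings report from GPMC (via the Microsoft GroupPolicy module) when a version is known good, for instance at the moment you Label it, and after a redeployment compares a fresh snapshot against it so that any drift in the production copy shows up even if the archive copy looks right. The GPO name and snapshot paths are placeholders; the fields it strips before comparing are the timestamp and version counters that change on every read or deploy.

```powershell
# Added example, not GPOVault's difference report: a GPOVault-independent check
# that the deployed GPO matches the version you intended to redeploy. Snapshot
# the live GPO's settings report when a version is known good, then compare a
# fresh snapshot after redeploying. Requires the GroupPolicy module; the GPO
# name and snapshot paths are placeholders.
Import-Module GroupPolicy

function Get-GpoSettingsLines {
    # Returns the XML settings report of the deployed GPO as lines, with the
    # fields that change on every read or deploy removed so only settings diff.
    param([Parameter(Mandatory)][string]$GpoName)
    [xml]$doc = Get-GPOReport -Name $GpoName -ReportType Xml
    foreach ($tag in 'ReadTime', 'ModifiedTime', 'VersionDirectory', 'VersionSysvol') {
        # GetElementsByTagName returns a live list; copy it before removing nodes.
        foreach ($node in @($doc.GetElementsByTagName($tag))) {
            $null = $node.ParentNode.RemoveChild($node)
        }
    }
    $sw = New-Object System.IO.StringWriter
    $xw = New-Object System.Xml.XmlTextWriter($sw)
    $xw.Formatting = [System.Xml.Formatting]::Indented
    $doc.WriteTo($xw)
    $xw.Flush()
    return $sw.ToString() -split "`r?`n"
}

function Save-GpoSnapshot {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$Path)
    Get-GpoSettingsLines -GpoName $GpoName | Set-Content -Path $Path -Encoding UTF8
}

function Compare-GpoToSnapshot {
    # Returns the differing lines (empty when the deployed settings match).
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$SnapshotPath)
    $expected = Get-Content -Path $SnapshotPath
    $actual   = Get-GpoSettingsLines -GpoName $GpoName
    Compare-Object -ReferenceObject $expected -DifferenceObject $actual
}

# 1. When the version is known good (e.g. when you Label it), keep a snapshot.
Save-GpoSnapshot -GpoName 'Workstation Baseline' -Path 'C:\gpo-snapshots\Workstation Baseline.v12.xml'

# 2. After redeploying that version from the History, confirm production matches it.
$drift = Compare-GpoToSnapshot -GpoName 'Workstation Baseline' -SnapshotPath 'C:\gpo-snapshots\Workstation Baseline.v12.xml'
if ($drift) {
    # '<=' lines exist only in the snapshot, '=>' lines only in the deployed GPO.
    $drift | Format-Table SideIndicator, InputObject -AutoSize
} else {
    Write-Host 'Deployed GPO matches the known-good snapshot.'
}
```

The report's SecurityDescriptor element is deliberately left in the comparison: a change in who can edit or apply the deployed GPO is exactly the kind of drift an Approver should notice after a redeployment, even though GPOVault's own difference report is about settings.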

Deleting, Restoring, or Destroying a GPO

GPOVault enables Approvers to delete a GPO (moving it to the Recycle Bin), restore a GPO from the Recycle Bin (returning it to the vault), or destroy a GPO (permanently deleting it so that it can no longer be restored).

Deleting a GPO

~GPOVUG52.jpg

To delete a controlled GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Controlled tab to display the controlled GPOs.

  3. Right-click the GPO to delete, then click Delete.

    • To delete only the archive in the vault while leaving the deployed version of the GPO untouched in the production environment, click Delete archive only.

    • To delete both the archive in the vault as well as the deployed version of the GPO in the production environment, click Delete archive and deployed versions.

      ~GPOVUG53.jpg

  4. Enter a comment to be displayed in the audit trail for the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Controlled tab and is now displayed on the Recycle Bin tab, where it can be restored or destroyed. If only the archive was deleted, the GPO will also be displayed on the Uncontrolled tab.

Tip: Only controlled GPOs can be deleted from the vault

A GPO must be controlled by GPOVault before it can be deleted from the vault.

To delete an uncontrolled GPO from the production environment without first controlling it, in the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Group Policy Objects. Right-click the uncontrolled GPO, then click Delete.

Restoring a Deleted GPO

To restore a deleted GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO to restore, then click Restore.

  4. Enter a comment to be displayed in the History of the GPO, then click OK.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Recycle Bin tab and is now displayed on the Controlled tab.

Tip: Restoring a GPO does not redeploy the GPO

If a GPO was deleted from the production environment, restoring it to the vault will not automatically redeploy it to the production environment. To return the GPO to the production environment, deploy the GPO.

Destroying a GPO

To remove a GPO from the Recycle Bin so that it can no longer be restored:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab, click the Recycle Bin tab to display the deleted GPOs.

  3. Right-click the GPO to destroy, then click Destroy.

  4. Click Yes to confirm that you want to permanently delete the selected GPO and all backups from the vault.

  5. A window displaying GPOVault Progress will appear. When the overall progress is complete, click Close.

The GPO is removed from the Recycle Bin tab and is permanently deleted.

Reviewer Tasks

This section provides information on using GPOVault to perform tasks that are the responsibility of a Reviewer—a person authorized by a GPOVault Administrator to review or audit GPOs. By default, a Reviewer has permission only to list GPOs and read GPO settings.

Modifying the Archive Location

GPOVault provides vault functionality including offline editing of GPOs as well as centralized storage for all previous versions of each GPO. By using a shared folder or a server for the archive, this archive can be used by multiple Group Policy administrators. If you are working in an environment with multiple Group Policy administrators, request the archive location from a GPOVault Administrator.

To modify the archive location:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. In the details pane, click the Archive Location tab.

  3. Specify the location of the GPOVault archive to display (Automatically detect server will be available in future versions of GPOVault):

    • GPOVault Enterprise:

      Click Manually specify server address. Enter the host name for the server to host the archive. The port used by the GPOVault Service is port 4600.

    • GPOVault Local Edition:

      Click Use a local or shared folder archive. Enter the path for the archive, or click the browse button to navigate to the location.

  4. Click Apply, then click Yes to confirm.

  5. Repeat for each GPOVault installation used by Editors who are working together.

Tip: Impact of the archive location path

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Reviewing Settings and Comparing GPOs

GPOVault enables you to generate reports for reviewing settings in one GPO or for comparing settings in two GPOs or templates, a GPO and a template, two versions of one GPO, or a version of a GPO and a template. Additionally, you can display a diagram showing where a selected GPO is linked to organizational units.

Reviewing GPO Settings

To review settings in any version of a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click a tab to display GPOs.

  3. Double-click the GPO to display its history.

  4. Right-click the GPO version for which to review the settings and click Settings -> HTML Report or XML Report to display a summary of the GPO’s settings.

GPOVault enables you to display a diagram showing where a GPO or GPOs that you select are linked to organizational units. GPO link diagrams are updated each time that the GPO is controlled, archived, or checked in.

To display GPO links for one or more GPOs:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled, Pending, or Recycle Bin tab to display GPOs.

  3. Select one or more GPOs for which to display links, then right-click a selected GPO and click Settings -> GPO Links to display a diagram of domains and organizational units with links to the selected GPO(s).

To display GPO links for one or more versions of a GPO:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click the Controlled or Recycle Bin tab to display GPOs.

  3. Double-click the GPO to display its history.

  4. Right-click the GPO version for which to review the settings and click Settings -> HTML Report or XML Report to display a summary of the GPO’s settings.

Identifying Differences between GPOs, GPO Versions, or Templates

To compare two GPOs or templates, a GPO and a template, two versions of one GPO, or a version of a GPO and a template and determine which settings are different:

  1. In the Group Policy Management Console, click Forest -> Domains -> [MyDomain] -> Change Control.

  2. On the Contents tab in the details pane, click a tab to display GPOs (or templates, if comparing two templates). To compare:

    Two GPOs or templates:

    1. Highlight the two GPOs or templates.

    2. Right-click one of the GPOs or templates and click Differences -> HTML Report or XML Report to display a difference report comparing the settings of the two GPOs or templates.

    A GPO and a template:

    1. Right-click the GPO and click Differences -> Template.

    2. Select the template and type of report, then click OK to display a difference report comparing the settings of the GPO and the template.

    Two versions of one GPO:

    1. Double-click the GPO to display its history, then highlight the versions to be compared.

    2. Right-click one of the versions and click Differences -> HTML Report or XML Report to display a difference report comparing the settings of the two versions.

    A GPO version and a template:

    1. Double-click the GPO to display its history.

    2. Right-click the GPO version of interest and click Differences -> Template.

    3. Select the template and type of report, then click OK to display a difference report comparing the settings of the GPO version and the template.

    Key to Difference Reports:

              Item exists with identical settings in both GPOs (color varies with level)

    [#]     Item exists in both GPOs, but with changed settings (blue)

    [-]      Item exists only in the first GPO (red)

    [+]     Item exists only in the second GPO (green)

    Notes:

    • For items with changed settings, the changed settings are identified when the item is expanded. The value for the attribute in each GPO is displayed in the same order that the GPOs are displayed in the report.

    • Some changes to settings may cause an item to be reported as two different items (one present only in the first GPO, one present only in the second) rather than as one item that has changed.
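The report key and the two notes above, worked through in code as an added example (not GPOVault code): two constructed, simplified XML settings reports are flattened to section-plus-name keys and each item is marked [#], [-] or [+], which also shows why a renamed item appears as a [-]/[+] pair rather than as a single changed item. The XML layout, setting names and values are sample data, not the tool's real report schema.

```python
"""Difference-report classification for two GPO settings reports.

Added example, not GPOVault code.  The XML layout below is a constructed,
simplified stand-in for the tool's XML settings report; the setting names
and values are sample data.
"""
import xml.etree.ElementTree as ET

# Constructed settings reports for two versions of one GPO (sample data).
REPORT_V1 = """<GPO name="Workstation Baseline">
  <Section name="Computer Configuration/Security Settings/Account Policies">
    <Setting name="Minimum password length" value="8"/>
    <Setting name="Password history" value="12"/>
    <Setting name="Maximum password age" value="42"/>
  </Section>
  <Section name="Computer Configuration/Windows Firewall">
    <Setting name="Domain profile: Firewall state" value="On"/>
    <Setting name="Inbound rule: Allow TCP 4600" value="Enabled"/>
  </Section>
</GPO>"""

REPORT_V2 = """<GPO name="Workstation Baseline">
  <Section name="Computer Configuration/Security Settings/Account Policies">
    <Setting name="Minimum password length" value="14"/>
    <Setting name="Password history" value="12"/>
  </Section>
  <Section name="Computer Configuration/Windows Firewall">
    <Setting name="Domain profile: Firewall state" value="On"/>
    <Setting name="Inbound rule: Allow TCP 4600 from admin subnet" value="Enabled"/>
    <Setting name="Standard profile: Firewall state" value="On"/>
  </Section>
</GPO>"""

# Markers from the report key; identical items carry no marker.
MARKERS = {"identical": "   ", "changed": "[#]", "only_first": "[-]", "only_second": "[+]"}


def parse_report(xml_text):
    """Flatten a settings report into {(section, setting name): value}.

    An item's identity is its section plus its name, so a renamed item is not
    matched against its old self: it shows up as [-] and [+] (second note above).
    """
    root = ET.fromstring(xml_text)
    settings = {}
    for section in root.iter("Section"):
        for setting in section.iter("Setting"):
            settings[(section.get("name"), setting.get("name"))] = setting.get("value")
    return settings


def classify(first, second):
    """Return (status, section, name, value_in_first, value_in_second) per item.

    Values are kept in GPO order (first, then second), matching how the
    expanded report lists an attribute's value for each GPO (first note above).
    """
    rows = []
    for section, name in sorted(set(first) | set(second)):
        key = (section, name)
        if key in first and key in second:
            status = "identical" if first[key] == second[key] else "changed"
        elif key in first:
            status = "only_first"
        else:
            status = "only_second"
        rows.append((status, section, name, first.get(key), second.get(key)))
    return rows


def difference_report(first_xml, second_xml):
    """Render the classification as the text lines of a difference report."""
    lines = []
    for status, section, name, v1, v2 in classify(parse_report(first_xml),
                                                  parse_report(second_xml)):
        line = f"{MARKERS[status]} {section} / {name}"
        if status == "changed":
            line += f"  [{v1} | {v2}]"  # expanded view: first GPO, then second
        lines.append(line)
    return lines


def summary(first_xml, second_xml):
    """Count items per status; a quick check that a redeployed version matches intent."""
    counts = {status: 0 for status in MARKERS}
    for row in classify(parse_report(first_xml), parse_report(second_xml)):
        counts[row[0]] += 1
    return counts


if __name__ == "__main__":
    print("\n".join(difference_report(REPORT_V1, REPORT_V2)))
    print(summary(REPORT_V1, REPORT_V2))
```

In the sample, the firewall rule whose name changed between versions is reported as one [-] item and one [+] item, not as one [#] item, exactly as the second note warns.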

Troubleshooting

This section provides answers to common questions about using GPOVault.

Tip: Change control and delegation

For an introduction to change control, see the Getting Started with GPOVault section of this guide.

For more detail about the delegation model provided by GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

Unable to Access an Archive

While the default archive location in a local folder is appropriate for evaluating GPOVault, for a multi-user environment you should select an archive location that will not generate user-specific archives and is accessible to all Group Policy administrators, such as a shared folder (\\<servername>\<archive>) or a host server.

The archive location path selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. To avoid creating user-specific archives in a multi-user environment, each individual using GPOVault must set this path to a shared archive used by all Group Policy administrators for the domain. You can select a separate archive location for each domain or a single location for your entire environment, but access to the location is controlled at the domain level through the Domain Delegation tab.

GPOVault Enterprise only: The GPOVault Service must be running to enable Group Policy administrators to access an archive.

GPOVault Local Edition only: GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

Upgrading archives from GPOVault 1.0 or 2.0 to 2.1: When upgrading from GPOVault 1.0 or 2.0 to 2.1, you must upgrade each version 1.0 or 2.0 archive so that it will function with version 2.1. Performing this upgrade is independent of the installation of GPOVault Enterprise 2.1 or GPOVault 2.1. For instructions, see Upgrading Archives from GPOVault 1.0 or 2.0 in the Installing and Configuring GPOVault section of this guide.

More information:

  • For instructions on selecting an archive location, see Modifying the Archive Location in the GPOVault Administrator Tasks section of this guide.

  • For instructions on providing access to archives and setting permissions, see Delegating Domain-Level Access and Delegating Access to an Individual GPO in the GPOVault Administrator Tasks section.

  • For details on the Archive Location tab, see Appendix 2: GPOVault User Interface in this guide.

  • For instructions on starting the GPOVault Service, see Starting and Stopping the GPOVault Service in the GPOVault Administrator Tasks section of this guide.

GPO State Varies for Different GPOVault Users

Ensure that all GPOVault users select the same archive path for the archive of a particular domain to prevent the creation of user-specific archives. See Unable to Access an Archive above for more information.

Unable to Find Evaluation Archive to Reset or Delete

When installing GPOVault for the first time, a new archive is created. If a decision is later made to have multiple GPO administrators access this archive, you must either share out this location or create a new location and move the contents manually.

The best practice is to create a shared location and then direct all GPO administrators to that share point or server. This will cause the least confusion and provide an intuitive path to the archive.

GPOVault 2.0 or 2.1: The default archive location depends upon the option selected on the Archive Location tab.

  • Manually specify server address: This option is used for GPOVault Enterprise Edition. The default archive location within the host selected is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

  • Use a local or shared folder archive: This option is used for GPOVault Local Edition. The default archive location is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive

GPOVault 1.0: The default archive location is %UserProfile%\Local Settings\Application Data\DesktopStandard\GPOVault\Archive

GPOVault Beta: The default archive location is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive

Any users of GPOVault beta should completely remove the beta before beginning to work with the release version of the product. As stated above, there are changes in vault location and other less obvious changes that may cause confusion.

Unable to Modify Archive Location (GPOVault Enterprise Only)

If using GPOVault Enterprise, you manually specify a server address on the Archive Location tab. Within that host server, the default archive location is %AllUsersProfile%\Application Data\DesktopStandard\GPOVault\Archive.

However, you can change the archive location for GPOVault Enterprise by adding a particular registry item. For information, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance. (See the Support section of this guide.)

Unable to Apply a New License (GPOVault Enterprise Only)

If you have replaced your license for GPOVault Enterprise, you must restart the GPOVault Service for the new license to take effect. For instructions, see the Licensing section of this guide.

Unable to View GPOs

To enumerate or view lists of GPOs in GPOVault, an Editor, Approver, or Reviewer must be granted List Contents permission by a GPOVault Administrator.

GPOVault permissions will cascade down from the domain to all GPOs currently in the vault. As new delegates are added at the domain level, their permissions must be set to apply to This object and nested objects.

GPOVault Local Edition only: GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

Unable to Use a Particular GPO Name

If a GPO name is already in use, you cannot create a new GPO with that name or rename an existing GPO to it. If you attempt to do so, the following error is displayed: A GPO with that name already exists. Choose another name.

If the GPO name in question does not appear on the Controlled, Uncontrolled, or Pending tabs, you may lack permission to list the GPO. Also, if a GPO that has been deployed is renamed but not yet redeployed, it will be displayed under its old name in the production environment—therefore the old name is still in use. Once the GPO has been redeployed, its name will be updated in the production environment, freeing the name for use by another GPO.

Unable to Create a GPO

To create a new controlled GPO, the Create GPO permission is required. By default, GPOVault Administrators and Approvers have this permission.

Others can begin the process of creating a GPO and submit a request for creation. This request is sent to the email addresses listed in the To field on the Domain Delegation tab. An Approver or GPOVault Administrator must approve the request.

GPOVault Local Edition only: In native Group Policy, Approvers must be members of the Group Policy Creator Owners group or have full delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Creating or Controlling a GPO, see the Approver Tasks section of this guide.

  • For instructions on requesting the creation of a GPO, see Creating, Controlling or Archiving a GPO in the Editor Tasks section of this guide.

Unable to Edit or Rename a GPO

To edit or rename a controlled GPO, the Edit Settings permission is required. By default, GPOVault Administrators and Editors have this permission. Additionally, you must check out a GPO before you can edit it.

A GPOVault Administrator must provide Editors with List Contents and Read Settings permissions at the domain level in GPOVault and Edit Settings permission at the GPO level.

GPOVault Local Edition only: In native Group Policy, Editors must either be members of the Group Policy Creator Owners group or have explicitly delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Editing a GPO or Renaming a GPO, see the Editor Tasks section of this guide.

Unable to Change Default Template

Setting or changing the default GPO template requires Create Template and List Contents permissions. This task is typically performed by an Editor or GPOVault Administrator.

For instructions on setting or changing the default GPO template, see Setting a Default Template in the Editor Tasks section of this guide.

Unable to Deploy a GPO

To deploy a GPO, the Deploy GPO permission is required. By default, GPOVault Administrators and Approvers have this permission. Others can begin the process of deploying a GPO and submit a request for deployment. This request is sent to the email addresses listed in the To field on the Domain Delegation tab. An Approver or GPOVault Administrator must approve the request.

GPOVault Local Edition only: In native Group Policy, Approvers must be members of the Group Policy Creator Owners group or have full delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) All GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Approving or Rejecting a Pending Action (such as deployment) or Deploying a GPO, see the Approver Tasks section of this guide.

  • For instructions on Requesting Deployment of a GPO, see the Editor Tasks section of this guide.

Unable to Delete a GPO

To delete a deployed GPO, the Delete GPO permission is required. By default, GPOVault Administrators and Approvers have this permission.

To delete a GPO archive, either the Delete GPO permission or Edit Settings permission is required. GPOVault Administrators, Approvers, and Editors have the permission necessary to delete a GPO archive from the vault.

Others can begin the process of deleting a GPO and submit a request for deletion. This request is sent to the email addresses listed in the To field on the Domain Delegation tab. An Approver or GPOVault Administrator must approve the request.

GPOVault Local Edition only: In native Group Policy, Approvers must be members of the Group Policy Creator Owners Group or have full delegated access to the Group Policy Object container. (In the GPMC, see Forest -> [MyDomain] -> Group Policy Objects -> Delegation.) GPOVault Administrators, Editors, Approvers, and Reviewers must have file system permissions to the archive location.

More information:

  • For instructions on setting permissions and delegating access to GPOs, see the GPOVault Administrator Tasks section of this guide. Details are provided for Delegating Domain-Level Access and Delegating Access to an Individual GPO. Also, see Appendix 3: Permissions and Roles Reference for an explanation of GPOVault permissions and delegation.

  • For instructions on Approving or Rejecting a Pending Action (such as deletion) or Deleting a GPO, see the Approver Tasks section of this guide.

  • For instructions on requesting deletion of a GPO, see the Editor Tasks section of this guide.

Email Notification Not Received

For email notifications about pending actions to be sent by GPOVault, a GPOVault Administrator must provide a valid SMTP mail server and email addresses for Approvers on the Domain Delegation tab.

Email notifications are generated only when an Editor, Reviewer, or other individual who lacks the permission necessary to create, deploy, or delete a GPO submits a request for one of those actions to occur. There is no automatic notification of approval or rejection of a request.

More information:

  • For instructions on Configuring Email Notification, see the GPOVault Administrator Tasks section of this guide.

  • For details about the Domain Delegation tab, see Domain Delegation Tab in Appendix 2: GPOVault User Interface in this guide.

  • For instructions on performing editing tasks that generate email notifications (such as requests to create, deploy, or delete a GPO), see the Editor Tasks section of this guide.

Unable to Perform Tracing

Tracing in GPOVault is turned off by default. It can be turned on by creating a specialized entry in the registry. For information, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance. (See the Support section of this guide.)

Unable to Modify GPOVault Owner after Installation

GPOVault Enterprise: The GPOVault Owner is selected during initial installation of the server component of GPOVault Enterprise. It cannot be changed merely by uninstalling and reinstalling GPOVault Enterprise. However, the GPOVault Owner can be reset by deleting a particular registry item and then running the GPOVault Enterprise install and selecting Modify. For information, refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance. (See the Support section of this guide.)

GPOVault Local Edition: After GPOVault is installed, the first person to launch the GPMC will be granted ownership of the vault. The owner can be changed by reinstalling GPOVault.

Port 4600 Not Available for GPOVault Service

The port on which the GPOVault Service listens is port 4600. If this port is unavailable and another port must be used, please refer to the Knowledge Base on the DesktopStandard website or contact DesktopStandard Support for assistance changing the port. (See the Support section of this guide.) Alternatively, you can select an archive location that can be accessed via a shared folder, such as \\MyServer\Archive.

If changing the archive location or port, all Group Policy administrators must update the Archive Location tab accordingly. For instructions, see Modifying the Archive Location in the GPOVault Administrator Tasks, Editor Tasks, Approver Tasks, or Reviewer Tasks section of this guide.

Software Installation Extension Fails to Install Software

GPOVault preserves the integrity of Software Installation packages. Even though GPOs are edited offline, links between packages as well as cached client information are preserved.

When editing a GPO offline with GPOVault, a Software Installation upgrade of a package in another GPO should reference the deployed GPO, not the checked-out copy. The Editor must have Read permission for the deployed GPO.

Tip: Accessing the Software Installation extension

Software Installation is a Group Policy extension by Microsoft. See Editing a GPO in the Editor Tasks section of this user guide for instructions on launching Group Policy Object Editor and editing a GPO. To edit Software Installation settings for a GPO, in Group Policy Object Editor click Computer Configuration or User Configuration, then Software Settings -> Software Installation. Right-click Software Installation and/or one of the packages listed to display a menu of available actions.

Note: The Local Computer Policy GPO does not support certain extensions, including Software Installation.

Support

An online knowledge base as well as telephone and web-based support are available.

Resources

The DesktopStandard Knowledge Base provides how-to information and solutions to known problems. Access it on the DesktopStandard website at https://www.desktopstandard.com/kb/.

The Troubleshooting section in this user guide provides instructions for resolving common issues.

Before Contacting Support

Please obtain as much information about the problem as possible.

To expedite support, please have the following available:

  • An image or the full text of any error messages

  • The context of the problem, including affected platform(s)

  • How to reproduce the problem

  • For client problems: a copy of the XML configuration data that produces the problem, trace output, event log messages, and RSoP reporting data as available

Contacting Support

Hours: 8:00 AM to 8:00 PM ET (GMT -5), Monday through Friday

Telephone: +1 603-433-5885

Web: https://www.desktopstandard.com/support and click Create Ticket

Appendix 1: Introduction to Group Policy

Group Policy is a framework for user and computer configuration on Windows 2000 and later operating systems that use Active Directory. Group Policy makes certain fundamental assumptions about how users and computers should be configured in an enterprise environment. The primary assumption is that desired configurations are often common across multiple users and computers, and these groupings often reflect organizational structure.

Organization

Active Directory organizational units (OUs) exist to facilitate this grouping and to enable such units to be members of other units. This organization is distinct from security group and domain organizations, which are both fundamentally oriented around security priorities and do not generally reflect an organization’s hierarchy. Group Policy settings can be applied to sites, domains, and OUs.

Group Policy Objects and Storage

A Group Policy Object (GPO) is a collection of configuration settings that can be applied to certain users and/or computers based on their membership in a site, domain, or organizational unit. Each GPO has a name and a globally unique identifier (GUID).

A GPO consists primarily of data that is stored in two distinct locations on a network, the Group Policy Container (GPC) and the Group Policy Template (GPT). The GPC is system and policy settings data that is stored in the Active Directory, associated with the GPO by its GUID. The GPT stores the actual configuration settings. GPO data is synchronized to all domain controllers on a given domain.

Editing Group Policy

The Group Policy Object Editor (GPOE) is the primary tool for Group Policy administrators to configure settings within a GPO. The GPOE is implemented as a Microsoft Management Console (MMC) snap-in that integrates various plug-ins known as Group Policy snap-in extensions. Configuration settings in the GPO are manipulated by a network administrator using graphical extensions that are integrated into the single GPOE application.

Applying Group Policy

Policy settings are applied by Client Side Extensions (CSEs). Processing of GPO settings by CSEs is periodically initiated by the winlogon operating system process. Settings are organized into user and computer configurations. Winlogon will initiate processing of user settings during user logon, and computer settings during computer boot. This is known as foreground processing. Additionally, both user and computer configuration will be initiated periodically, which is known as background processing. By default, background processing occurs every 90 minutes (with a random offset of 0 to 30 minutes), or every 5 minutes on domain controllers, although the parameters are subject to change by a Group Policy administrator. Some extensions support only user or computer configuration, and some support only foreground processing.

CSEs are extensions to client computer policy processing capability and generally correspond to a snap-in extension counterpart. CSEs implement the settings that exist in one or more GPOs. Winlogon calculates which GPOs are to be applied based on various criteria and launches each CSE as necessary. Winlogon provides the CSE with the path to each GPO (GPT and GPC), and the CSE processes the GPO settings accordingly.

Group Policy Reporting

The architecture for Group Policy reporting is called Resultant Set of Policy (RSoP). RSoP consists of two distinct modes—planning and logging. Logging mode is Group Policy’s reporting system. RSoP reports use data generated by CSEs that implement the RSoP reporting interface on Windows XP and later computers. The RSoP MMC snap-in is the primary tool for viewing Group Policy results. Like the GPOE, the RSoP snap-in integrates various plug-ins known as RSoP snap-in extensions. Each extension reports on the configuration results from the last execution of its corresponding CSE for a particular computer or user.

Appendix 2: GPOVault User Interface

This section provides information on the controls and settings available within GPOVault.

Change Control Node

GPOVault adds a Change Control node to each domain displayed in the Group Policy Management Console. In an environment where multiple domains are managed with the GPMC, each domain is listed under the Domains node in the console tree. Each domain has a Change Control node under it, and there is one archive (or vault) per domain.

Within the details pane there are three tabs, providing access to both GPO-level and domain-level settings and commands for GPOVault.

Primary tabs and the settings and commands each provides:

  • Contents: GPO settings and commands and GPO-level delegation.

  • Domain Delegation: GPOVault email notification settings and domain-level delegation.

  • Archive Location: GPOVault domain-level archive settings.

Contents Tab

The Contents tab on the Change Control pane provides access to Group Policy Objects and an action menu for managing GPOs. The options displayed in the action menu when selecting different items are dependent on your role, your permissions, and your ownership stake in the GPO being managed. Additionally, these action menus are different depending on the state of the GPO being managed.

The secondary tabs filter the list of GPOs displayed.

Secondary tabs and the filtering each applies:

  • Controlled: GPOs managed by GPOVault.

  • Uncontrolled: GPOs not managed by GPOVault.

  • Pending: GPO changes awaiting approval by an Approver.

  • Templates: GPO templates for creating new GPOs and applying or comparing to existing GPOs.

  • Recycle Bin: Deleted GPOs.

Controlled Tab

The Controlled tab displays a list of GPOs managed by GPOVault, provides an action menu with commands for managing them, and displays a list of the groups and users who have permission to access each GPO. Additionally, the action menu provides access to the History and reports for each GPO displayed.

Right-clicking in the Group Policy Objects list on this tab displays an action menu including whichever of the following options are applicable:

Control and History

  • New Controlled GPO: Create a new GPO with change control managed through GPOVault and deploy it to the production environment. If you do not have permission to create a GPO, you will be prompted to submit a request. (This option is displayed if no GPO is selected when right-clicking in the Group Policy Objects list.)

  • History: Open a window listing all versions of the selected GPO saved within the vault. From the history, an administrator can obtain a report of the settings within a GPO, compare two versions of a GPO, compare a GPO to a template, or roll back to a previous version of a GPO. (For more information, see the History section below.)

Reports

  • Settings: Generate an HTML- or XML-based report displaying the settings within the selected GPO, or display links to the selected GPO(s) from organizational units as of when the GPO(s) was most recently controlled, archived, or checked in.

  • Differences: Generate an HTML- or XML-based report comparing the settings within two selected GPOs or within the selected GPO and a template.

Editing

  • Edit: Launch Group Policy Object Editor to make changes to the selected GPO.

  • Check Out: Obtain a copy of the selected GPO from the vault for offline editing and prohibit anyone else from editing it until it is checked back into the vault. (A check-out can be overridden by a GPOVault Administrator.)

  • Check In: Check the edited version of the selected GPO into the vault so that other authorized Editors can make changes or an Approver can deploy it to the production environment.

  • Undo Check Out: Return a checked-out GPO to the vault without any changes.

Version Management

  • Archive: Update the GPO stored in the vault with the currently deployed version of the selected GPO.

  • Delete: Move the selected GPO to the Recycle Bin and select whether to leave the deployed version (if one exists) in production or to delete it as well as the archive. If you do not have permission to delete a GPO, you will be prompted to submit a request.

  • Deploy: Move the selected GPO that is checked into the vault to the production environment. This action makes it active on the network and overwrites the previously active version of the GPO if one existed. If you do not have permission to deploy a GPO, you will be prompted to submit a request.

  • Label: Mark the selected GPO with a descriptive label (such as “Known good”) and comment for recordkeeping. Labels appear in the State column and comments in the Comment column of the History, enabling an administrator to roll back to a previous version of a GPO identified with a particular label.

  • Rename: Change the name of the selected GPO. If the GPO has already been deployed, the name will be updated in the production environment when the GPO is redeployed.

  • Save as Template: Create a new template based on the settings of the selected GPO.

Miscellaneous

  • Refresh: Update the display of Group Policy Management Console to incorporate any changes. Some changes are not visible until the screen is refreshed.

  • Help: Display context-sensitive help for GPOVault.

Uncontrolled Tab

The Uncontrolled tab displays a list of GPOs not managed by GPOVault, provides an action menu with commands for bringing uncontrolled GPOs under the control of GPOVault as well as report options, and displays a list of the groups and users who have permission to access each GPO. Additionally, the action menu provides access to the History and reports for each GPO displayed.

Right-clicking in the Group Policy Objects list on this tab displays an action menu including whichever of the following options are applicable:

Control and History

  • History: Open a window listing all versions of the selected GPO saved within the vault. From the history, an administrator can obtain a report of the settings within a GPO, compare two versions of a GPO, compare a GPO to a template, or roll back to a previous version of a GPO. (For more information, see the History section below.)

  • Control: Bring the selected uncontrolled GPO under the change control management of GPOVault. If you do not have permission to control a GPO, you will be prompted to submit a request.

  • Save as Template: Create a new template based on the settings of the selected GPO.

Reports

  • Settings: Generate an HTML- or XML-based report displaying the settings within the selected GPO.

  • Differences: Generate an HTML- or XML-based report comparing the settings within two selected GPOs or within the selected GPO and a template.

Miscellaneous

  • Refresh: Update the display of Group Policy Management Console to incorporate any changes. Some changes are not visible until the screen is refreshed.

  • Help: Display context-sensitive help for GPOVault.

Pending Tab

The Pending tab displays a list of GPOs with pending requests for GPO management actions (such as creation, control, deployment, or deletion), provides commands for responding to those requests, and displays a list of the groups and users who have permission to access each GPO.

Additionally, the action menu provides access to the History and reports for each GPO displayed. Right-clicking in the Group Policy Objects list on this tab displays an action menu including whichever of the following options are applicable:

Control and History

  • History: Open a window listing all versions of the selected GPO saved within the vault. From the history, an administrator can obtain a report of the settings within a GPO, compare two versions of a GPO, compare a GPO to a template, or roll back to a previous version of a GPO. (For more information, see the History section below.)

  • Withdraw: Withdraw a pending request to create, control, or delete the selected GPO before the request has been approved.

  • Approve: Complete a pending request from an Editor to create, control, or delete the selected GPO.

  • Reject: Deny a pending request from an Editor to create, control, or delete the selected GPO.

Reports

  • Settings: Generate an HTML- or XML-based report displaying the settings within the selected GPO, or display links to the selected GPO(s) from organizational units as of when the GPO(s) was most recently controlled, archived, or checked in.

  • Differences: Generate an HTML- or XML-based report comparing the settings within two selected GPOs or within the selected GPO and a template.

Miscellaneous

  • Refresh: Update the display of Group Policy Management Console to incorporate any changes. Some changes are not visible until the screen is refreshed.

  • Help: Display context-sensitive help for GPOVault.

Templates Tab

The Templates tab displays a list of available GPO templates and enables Group Policy administrators to create new GPOs based upon those templates. A template is a static version of a GPO that serves as a starting point when creating new GPOs. The template itself cannot be altered, but GPOs created from a template can be edited.

Since a template cannot be altered, templates have no history. However, like any GPO version, the settings of a template can be displayed with a settings report or compared to another GPO with a difference report.

Right-clicking in the Group Policy Objects list on this tab displays an action menu including whichever of the following options are applicable:

Control

  • New Controlled GPO: Create a new GPO based upon the selected template. The option to deploy the new GPO to the production environment is provided. If you do not have permission to create a GPO, you will be prompted to submit a request. (This option is displayed if no GPO is selected when right-clicking in the Group Policy Objects list.)

Reports

  • Settings: Generate an HTML- or XML-based report displaying the settings within the selected GPO template.

  • Differences: Generate an HTML- or XML-based report comparing the settings within two selected GPO templates.

Template Management

  • Set as Default: Set the selected template as the default to be used automatically when creating a new GPO.

  • Delete: Move the selected template to the Recycle Bin. If you do not have permission to delete a GPO, you will be prompted to submit a request.

  • Rename: Change the name of the selected template.

Miscellaneous

  • Refresh: Update the display of Group Policy Management Console to incorporate any changes. Some changes are not visible until the screen is refreshed.

  • Help: Display context-sensitive help for GPOVault.

Recycle Bin Tab

The Recycle Bin tab displays a list of GPOs that have been deleted from the archive, provides commands for restoring or destroying deleted GPOs, and displays a list of the groups and users who have permission to access each GPO. Additionally, the action menu provides access to reports for each GPO displayed.

Right-clicking in the Group Policy Objects list on this tab displays an action menu including whichever of the following options are applicable:

Reports

  • Settings: Generate an HTML- or XML-based report displaying the settings within the selected GPO, or display links to the selected GPO(s) from organizational units as of when the GPO(s) was most recently controlled, archived, or checked in.

  • Differences: Generate an HTML- or XML-based report comparing the settings within two selected GPOs or within the selected GPO and a template.

Version Management

  • Destroy: Remove the selected GPO from the Recycle Bin so that it can no longer be restored.

  • Restore: Move the selected GPO from the Recycle Bin to Controlled. This does not restore the GPO to the production environment.

Miscellaneous

  • Refresh: Update the display of Group Policy Management Console to incorporate any changes. Some changes are not visible until the screen is refreshed.

  • Help: Display context-sensitive help for GPOVault.

Common Secondary Tab Features

Each secondary tab has two sections—Group Policy Objects and Groups and Users. The Group Policy Objects section displays a filtered list of GPOs and identifies the following characteristics for each GPO:

  • Name: Name of a Group Policy Object.

  • Computer (Comp.): Automatically generated version number of the Computer Configuration portion of the GPO.

  • User: Automatically generated version number of the User Configuration portion of the GPO.

  • State: The state of the selected GPO:

    Uncontrolled: Not managed by GPOVault.

    Checked In: Available for authorized Editors to check out for editing or for an administrator to deploy.

    Checked Out: Currently being edited. Unavailable for other Editors to check out until the Editor who checked it out or a GPOVault Administrator checks it in.

    Pending: Awaiting approval from an administrator before being created, controlled, deployed, or deleted.

    Deleted: Deleted from the archive, but still able to be restored.

    Template: A static version of a GPO for use as a starting point when creating new GPOs.

    Template (default): By default, this template is the starting point used when creating a new GPO.

  • GPO Status: The Computer Configuration and the User Configuration can be managed separately from each other. The GPO Status indicates which portions of the GPO are enabled.

  • WMI Filter: Displays any WMI filters that are applied to this GPO. WMI filters are managed under the WMI Filters node for the domain in the console tree of the GPMC.

  • Modified: For a controlled GPO, the most recent date when it was checked in after being modified or checked out to be modified. For an uncontrolled GPO, the date when it was last modified.

  • Owner: The Editor who checked in or the Approver who deployed the selected GPO.

When a GPO is selected, the Groups and Users section displays a list of the groups and users with access to that GPO. The allowed permissions and inheritance are displayed for each group or user.

Using the Add, Remove, Properties, and Advanced buttons, a GPOVault Administrator can configure permissions using either standard GPOVault roles (Editor, Reviewer, and Approver) or a customized combination of permissions.

  • Add: Add a new entry to the security descriptor. Any user or group in Active Directory can be added.

  • Remove: Remove the selected entry from the Access Control List.

  • Properties: Display the properties for the selected object. The properties page is the same one displayed for an object in Active Directory Users and Computers.

  • Advanced: Open the Access Control List Editor.

Tip: Roles, permissions, and delegation

For more information on roles, permissions, and delegation in GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

History Window

The History of a GPO can be displayed by double-clicking a GPO or by right-clicking a GPO and then clicking History. It is also displayed in the GPMC as a tab for each GPO.

The History displays a list of all versions of the selected GPO saved within the vault. From the History, you can obtain a report of the settings within a GPO, compare multiple versions of a GPO, or roll back to a previous version of a GPO.

The tabs within the History filter the events displayed.

Tab            Filtering
Show All       Display all versions of the GPO.
Checked In     Display only checked-in versions of the GPO. The deployed version is omitted from this list.
Labels Only    Display only GPO versions that have labels associated with them.

The following information is provided for each event in the History of the selected GPO:

  • Computer: Automatically generated version number of the Computer Configuration part of the GPO.

  • User: Automatically generated version number of the User Configuration part of the GPO.

  • Time: Timestamp of the version of the GPO when the action in the State field was performed.

  • State: The state of the selected version of the GPO:

    Deployed: This version of the GPO is currently live on the network.

    Checked In: This version of the GPO is available for authorized Editors to check out for editing or for an administrator to deploy.

    Checked Out: This GPO is currently checked out by an Editor and is unavailable for other Editors. (The checked-out state is not recorded in the History except to indicate whether a GPO is currently checked out.)

    Created: Identifies the date and time of the initial creation of the GPO.

    Labeled: Identifies a labeled version of a GPO.

  • GPO Status: The Computer Configuration and the User Configuration can be managed separately from each other. This status shows which portion(s) of the GPO are enabled.

  • Owner: The person who checked in or deployed the GPO.

  • Comment: A comment entered by the owner of a GPO at the time that this version was modified. Useful for identifying the specifics of the version in case of the need to roll back to a previous version.
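The states listed above describe the lifecycle GPOVault enforces through the archive: a version is recorded at creation, check-in, labeling and deployment, and a checked-out GPO is locked until the Editor who holds it (or a GPOVault Administrator) checks it in or undoes the check-out. The Python model below is an added example, not GPOVault's own code: it records those History entries as independent snapshots, refuses a second check-out while one is outstanding, restricts check-in and undo to the holder or an Administrator, and filters the History the way the Show All, Checked In and Labels Only tabs do. The class and method names, and the choice to implement roll back as a new checked-in copy of an earlier version rather than by deleting later versions, are assumptions of this example.

```python
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional


class ChangeControlError(Exception):
    """Raised when an action is not allowed in the GPO's current state."""


@dataclass
class HistoryEntry:
    version: int
    state: str       # "Created", "Checked In", "Labeled" or "Deployed"
    owner: str
    comment: str
    settings: dict   # snapshot of the GPO settings at this point
    label: str = ""


@dataclass
class ControlledGPO:
    """A controlled GPO with its archive history and check-out lock (example model)."""
    name: str
    history: list = field(default_factory=list)
    checked_out_by: Optional[str] = None
    working_copy: Optional[dict] = None
    deployed_version: Optional[int] = None

    @classmethod
    def create(cls, name: str, settings: dict, owner: str) -> "ControlledGPO":
        gpo = cls(name)
        gpo._record("Created", owner, "Initial version", settings)
        return gpo

    @property
    def state(self) -> str:
        # State shown on the Contents tab: Checked Out while an Editor holds it.
        return "Checked Out" if self.checked_out_by else "Checked In"

    def _record(self, state, owner, comment, settings, label="") -> HistoryEntry:
        # Every version is an independent snapshot, so later edits to a working
        # copy can never alter what the History shows for an earlier version.
        entry = HistoryEntry(len(self.history) + 1, state, owner, comment,
                             deepcopy(settings), label)
        self.history.append(entry)
        return entry

    def _require_holder(self, actor: str, is_admin: bool) -> None:
        # Only the Editor who checked the GPO out, or a GPOVault Administrator,
        # may check it in or undo the check-out.
        if self.checked_out_by is None:
            raise ChangeControlError(f"{self.name} is not checked out")
        if actor != self.checked_out_by and not is_admin:
            raise ChangeControlError(f"{self.name} is checked out by {self.checked_out_by}")

    def check_out(self, editor: str) -> dict:
        """Hand the Editor a private working copy and lock the GPO for everyone else."""
        if self.checked_out_by is not None:
            raise ChangeControlError(f"{self.name} is already checked out by {self.checked_out_by}")
        self.checked_out_by = editor
        self.working_copy = deepcopy(self.history[-1].settings)
        return self.working_copy

    def check_in(self, actor: str, comment: str, is_admin: bool = False) -> HistoryEntry:
        self._require_holder(actor, is_admin)
        entry = self._record("Checked In", actor, comment, self.working_copy)
        self.checked_out_by, self.working_copy = None, None
        return entry

    def undo_check_out(self, actor: str, is_admin: bool = False) -> None:
        """Release the lock and discard the working copy without recording a version."""
        self._require_holder(actor, is_admin)
        self.checked_out_by, self.working_copy = None, None

    def label(self, actor: str, text: str, comment: str = "") -> HistoryEntry:
        return self._record("Labeled", actor, comment, self.history[-1].settings, label=text)

    def deploy(self, approver: str, comment: str = "Deployed") -> HistoryEntry:
        if self.checked_out_by is not None:
            raise ChangeControlError(f"{self.name} must be checked in before deployment")
        entry = self._record("Deployed", approver, comment, self.history[-1].settings)
        self.deployed_version = entry.version
        return entry

    def rollback(self, actor: str, version: int) -> HistoryEntry:
        """Roll back by checking in a copy of an earlier version; nothing is deleted."""
        if self.checked_out_by is not None:
            raise ChangeControlError(f"{self.name} is checked out; check it in first")
        target = self.history[version - 1]
        return self._record("Checked In", actor, f"Rolled back to version {version}", target.settings)

    def show(self, tab: str = "Show All") -> list:
        """Filter like the History tabs: Show All, Checked In (deployed omitted), Labels Only."""
        if tab == "Checked In":
            return [e for e in self.history if e.state == "Checked In"]
        if tab == "Labels Only":
            return [e for e in self.history if e.state == "Labeled"]
        return list(self.history)
```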

Also, depending on whether a single GPO version or multiple GPO versions are selected, the Settings and Differences buttons display reports on GPO settings. Right-clicking GPO versions provides the option to display XML-based reports as well.

  • Settings: Generate an HTML-based report displaying the settings within the selected version of the GPO.

  • Differences: Generate an HTML-based report comparing the settings within multiple selected versions of the GPO.

XML- and HTML-based reports

Key to Difference Reports:

    Item exists with identical settings in both GPOs (no marker; color varies with level)

[#] Item exists in both GPOs, but with changed settings (blue)

[-] Item exists only in the first GPO (red)

[+] Item exists only in the second GPO (green)
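The key above defines the format of a difference report. The Python below is an added example, not GPOVault's own report generator: it walks two constructed nested setting trees, standing in for two archived versions of one GPO, and emits one line per item with the same markers. The sample settings, the indentation used to show the level, and the rule that a container is marked changed when anything beneath it differs are assumptions of this example.

```python
"""Difference report generator for two GPO setting trees (added example)."""

IDENTICAL = "   "    # no marker: item exists with identical settings in both GPOs
CHANGED = "[#]"      # item exists in both GPOs, but with changed settings
ONLY_FIRST = "[-]"   # item exists only in the first GPO
ONLY_SECOND = "[+]"  # item exists only in the second GPO

# Constructed sample data standing in for two archived versions of one GPO.
GPO_VERSION_1 = {
    "Computer Configuration": {
        "Security Settings": {
            "Password Policy": {
                "Minimum password length": 8,
                "Enforce password history": 24,
                "Store passwords using reversible encryption": "Disabled",
            },
            "Audit Policy": {"Audit logon events": "Failure"},
        },
    },
    "User Configuration": {
        "Administrative Templates": {"Prohibit access to Control Panel": "Enabled"},
    },
}
GPO_VERSION_2 = {
    "Computer Configuration": {
        "Security Settings": {
            "Password Policy": {
                "Minimum password length": 14,
                "Enforce password history": 24,
            },
            "Audit Policy": {
                "Audit logon events": "Success, Failure",
                "Audit account logon events": "Success, Failure",
            },
        },
    },
    "User Configuration": {
        "Administrative Templates": {"Prohibit access to Control Panel": "Enabled"},
    },
}


def diff_report(first: dict, second: dict, level: int = 0) -> list:
    """Emit one marked line per item, walking containers recursively.

    Containers (nested dicts) are compared through their children: a container
    is marked changed if anything beneath it differs. Indentation shows the level.
    """
    lines = []
    indent = "  " * level
    for key in sorted(set(first) | set(second)):
        if key not in second:
            lines.append(f"{ONLY_FIRST} {indent}{key}: {first[key]!r}")
        elif key not in first:
            lines.append(f"{ONLY_SECOND} {indent}{key}: {second[key]!r}")
        else:
            a, b = first[key], second[key]
            if isinstance(a, dict) and isinstance(b, dict):
                children = diff_report(a, b, level + 1)
                marker = IDENTICAL if all(c.startswith(IDENTICAL) for c in children) else CHANGED
                lines.append(f"{marker} {indent}{key}")
                lines.extend(children)
            elif a == b:
                lines.append(f"{IDENTICAL} {indent}{key}: {a!r}")
            else:
                lines.append(f"{CHANGED} {indent}{key}: {a!r} -> {b!r}")
    return lines


def summarize(lines: list) -> dict:
    """Count lines per marker: the totals a reviewer scans before reading the detail."""
    counts = {"identical": 0, "changed": 0, "only_first": 0, "only_second": 0}
    for line in lines:
        if line.startswith(CHANGED):
            counts["changed"] += 1
        elif line.startswith(ONLY_FIRST):
            counts["only_first"] += 1
        elif line.startswith(ONLY_SECOND):
            counts["only_second"] += 1
        else:
            counts["identical"] += 1
    return counts


if __name__ == "__main__":
    report = diff_report(GPO_VERSION_1, GPO_VERSION_2)
    print("\n".join(report))
    print(summarize(report))
```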

Domain Delegation Tab

The Domain Delegation tab on the Change Control pane enables a GPOVault Administrator to set permissions for Editors, Approvers, and Reviewers.

There are two sections on the Domain Delegation tab—mail notification setup and the management of role-based delegation for GPOVault at the domain level.

Mail Notification Setup

The mail notification setup section of this tab identifies the Approver(s) that will receive notification when operations are pending in GPOVault. The following settings are provided:

  • From: The GPOVault alias from which notification is sent to Approvers. In an environment with multiple domains, this can be the same alias throughout the environment or a different alias for each domain.

  • To: A comma-delimited list of email addresses of Approvers to whom notification is to be sent.

  • SMTP server: The name of the mail server, such as SMTP.MyMailServer.com.

  • User name: A user with access to the SMTP server.

  • Password: The user’s password for authentication to the SMTP server.

  • Confirm password: Confirm the user’s password.

Domain-Level Role-Based Delegation Management

The role-based delegation management section of this tab displays the allowed, denied, and inherited permissions for each group and user on the domain with access to the vault, and enables a GPOVault Administrator to delegate them. A GPOVault Administrator can configure permissions using either standard GPOVault roles (Editor, Reviewer, and Approver) or a customized combination of permissions.

Using the Add, Remove, Properties, and Advanced buttons, a GPOVault Administrator can configure domain-wide permissions.

  • Add: Add a new entry to the security descriptor. Any user or group in Active Directory can be added.

  • Remove: Remove the selected entry from the Access Control List.

  • Properties: Display the properties for the selected object. The properties page is the same one displayed for an object in Active Directory Users and Computers.

  • Advanced: Open the Access Control List Editor.

Tip: Roles, permissions, and delegation

For more information on roles, permissions, and delegation in GPOVault, see Appendix 3: Permissions and Roles Reference in this guide.

Archive Location Tab

The Archive Location tab on the Change Control pane enables a Group Policy administrator to select a location for the GPOVault archive.

  • Automatically detect server: Detect the location of the GPOVault archive automatically. (Available in future releases.)

  • Manually specify server address: Select a host name for the location of the GPOVault archive. (Used for GPOVault Enterprise Edition.)

  • Use a local or shared folder archive: Select a path for the location of the GPOVault archive. The archive can be a local path or a shared path, but must be accessible to all GPO administrators. (Used for GPOVault Local Edition.)

Tip: Selecting an archive location

For a multi-user environment you should select an archive location that is accessible to all Group Policy administrators, such as a shared folder (\\<servername>\<archive>) or a host server.

The location selected determines what archive is displayed on the Contents tab for you and to what location the Domain Delegation tab settings are applied. In a multi-user environment, each individual using GPOVault must set this path to the shared archive used by all Group Policy administrators for the domain.

Other Enhancements to the GPMC

GPOVault adds two tabs to extend the functionality of the GPMC.

History Tab

GPOVault adds a History tab to all GPOs and Group Policy links displayed in the GPMC. The features of the History tab in the details pane of a GPO are the same as those of the History window displayed through the Change Control tab. For details on these features, see the History Window section above.

Extensions Tab

GPOVault adds an Extensions tab to all GPOs and Group Policy links displayed in the GPMC. This tab lists all extensions that have settings in the GPO (or all registered extensions if Show all registered extensions is checked) and identifies them as part of the user or computer context.

Appendix 3: Permissions and Roles Reference

GPOVault provides a comprehensive role-based delegation model that is easy to use. Permissions in the context of GPOVault are applied at three levels: forest, domain, and GPO. Forest-level permissions grant access to all included domains. Domain-level permissions allow GPOVault Administrators to grant access to individual domains without granting access to other domains. GPO-level delegation provides the finest level of permissions in the environment, enabling GPOVault Administrators to allow access only to specific GPOs. Together, the three levels provide a rich delegation model that tightens control of your critical configuration data.

Within GPOVault, there are specifically defined roles: GPOVault Administrator (Full Control), Approver, Reviewer, and Editor. In addition to GPOVault permissions, these roles require permissions outside of GPOVault: native permissions to the archive and possibly appropriate group membership so that they can perform their functions. In GPOVault Enterprise, some of these permissions are not required because the GPOVault Service enforces the GPOVault delegation model, using a Windows service as a proxy for all GPOVault client operations.

Default Permissions for Roles

Permission         Reviewer  Editor  Approver  GPOVault Administrator (Full Control)
List Contents      X         X       X         X
Read Settings      X         X       X         X
Edit Settings                X                 X
Create GPO                           X         X
Deploy GPO                           X         X
Delete GPO                           X         X
Modify Options                                 X
Modify Security                                X
Create Template              X                 X

Key:

X      By default, this role has this permission.

Note: In addition to the GPO-level and domain-level tasks and permissions detailed on the following tables, access for the GPOVault Service Account and GPOVault Owner are configured during installation. The GPOVault Owner has full control for all GPOs.

GPOVault Tasks, Permissions, and Roles

Domain-Level Permission Actions and Tasks

Task                                        Reviewer  Editor  Approver  Admin
Delegate domain-level permissions                                       X
Configure email notification                                            X
View mail notification settings             X         X       X         X
Create a GPO or approve creation                              X         X
Request creation of a GPO                   X         X
Control an uncontrolled GPO                                   X         X
Request control of an uncontrolled GPO      X         X
Create a template                                     X                 X
Set default template for creating new GPOs            X                 X
List GPOs                                   X         X       X         X

Key:

X      By default, an individual with this role (Admin is the GPOVault Administrator (Full Control) role) has the necessary permissions to perform this task.

Notes:

  • To delegate domain-level access to an individual, you must select This object and nested objects under their Advanced Security Settings. (See Delegating Domain-Level Access in the GPOVault Administrator Tasks section for more information.)

  • Editors must have Read permission for the deployed copy of a GPO to make full use of Microsoft’s Software Installation extension to Group Policy.

GPOVault Tasks, Permissions, and Roles (continued)

GPO-Level Permission Actions and Tasks

Task                                                                      Reviewer  Editor  Approver  Admin   Notes
Delegate GPO-level permissions                                                                (X)       X       D
Deploy a GPO or approve deployment                                                            X         X
Change GPO links during deployment                                                            X         X
Request deployment of a GPO                                                         X
Delete a GPO archive (move to Recycle Bin/uncontrol) or approve deletion            X       X         X       1
Delete a deployed GPO or approve deletion                                                     X         X
Request deletion of a deployed GPO                                                  X
Delete a template                                                                             X         X
Destroy a GPO                                                                                 X         X
Restore a GPO                                                                       X       X         X       1
Archive a GPO                                                                       X       X         X       1
Check out a GPO                                                                     X       (X)       X
Edit a GPO                                                                          X       (X)       X       *
Rename a GPO                                                                        X       (X)       X
Label a GPO                                                                         X       X         X       1
Check in a GPO/undo check out                                                       X       X         X       1
View GPO history                                                          X         X       X         X
View reports or GPO links                                                 X         X       X         X

Key:

D      Delegating GPO-level permissions requires List Contents permission at the domain level.

1      This task requires at least one of several permissions rather than one specific permission.

*      Only the individual who checked out the GPO or a GPOVault Administrator can perform this task. (This task requires at least one of several permissions; an individual who has only one of them must be the Editor who checked out the GPO.)

X      By default, an individual with this role (Admin is the GPOVault Administrator (Full Control) role) has the necessary permissions to perform this task.

(X)    The individual who creates or controls a GPO has full control over it. Others in this role do not.

Glossary

Administrator

See GPOVault Administrator.

Approve

To complete the implementation of an action (such as the creation, deployment, or deletion of a GPO) requested by an Editor or a Reviewer.

Approver

A person authorized by a GPOVault Administrator to deploy GPOs to the production environment. By default, an Approver has permission to list GPOs, read GPO settings, create GPOs, deploy GPOs, and delete GPOs.

Archive (n.)

The collection of all versions of controlled GPOs in a domain.

Archive (v.)

To update the version of the GPO in the archive with the currently deployed version of the GPO. This is used when changes are made to a GPO outside of GPOVault.

Archive Location

Path to an archive for a particular domain.

Change Control

The process of managing editing and deployment. GPOVault provides change control for GPOs, including offline editing, version control, delegation of access to multiple Editors, and check-in/check-out capability for approving and tracking access.

GPOVault enhances the functionality of the Group Policy Management Console by adding a Change Control node to the console tree, as well as other features.

Check In

Return an edited copy of a checked out GPO to the vault, enabling another authorized Editor to edit it.

Check Out

Obtain a copy of a GPO for offline editing, preventing the GPO from being edited by another authorized Editor.

Controlled GPO

A GPO for which GPOVault provides change control, including offline editing, version control, delegation of access to multiple Editors, and check-in/check-out capability for approving and tracking access.

Create GPO Permission

The GPOVault permission required to create a GPO. By default, GPOVault Administrators and Approvers have Create GPO permission. Others must request creation of GPOs.

Create Template Permission

The GPOVault permission required to save a GPO as a template or set the default template. By default, GPOVault Administrators and Editors have Create Template permission.

Default Template

The GPO template used as a starting point when creating a new GPO (unless another template is explicitly selected during creation).

See also Template.

Delete

Move the selected GPO to the Recycle Bin and select whether to leave the deployed version (if one exists) in production or to delete it as well.

Delete GPO Permission

The GPOVault permission required to delete GPOs. By default, GPOVault Administrators and Approvers have Delete GPO permission. Others must request deletion of GPOs.

Deploy

Copy a GPO from the vault to the production environment.

Deploy GPO Permission

The GPOVault permission required to deploy GPOs to a production environment. By default, GPOVault Administrators and Approvers have Deploy GPO permission. Others must request deployment of GPOs.

Destroy

Remove the selected GPO from the Recycle Bin so that it can no longer be restored.

Difference Report

An HTML- or XML-based report comparing the differences between settings within multiple selected GPOs or templates.

Edit Settings Permission

The GPOVault permission required to edit GPOs. By default, GPOVault Administrators and Editors have Edit Settings permission.

Editor

A person authorized by a GPOVault Administrator to edit GPOs. By default, an Editor has permissions to list GPOs, read GPO settings, edit GPOs, and create templates.

Editing

The process of making changes to a GPO, normally using the Group Policy Object Editor MMC snap-in.

Extension

A true Group Policy Client Side Extension (CSE) as specified in the Microsoft Windows platform SDK.

Full Control

All GPOVault permissions. An individual with full control is a GPOVault Administrator.

GPOVault Administrator

A person who assigns GPOVault permissions for Editors, Approvers, and Reviewers and who configures domain-level and vault-wide settings for GPOVault. A GPOVault Administrator has full control to administer the GPOVault system, including the permissions to list GPOs, read GPO settings, create GPOs, create templates, edit GPOs, deploy GPOs to a production environment, delete GPOs, modify security, and modify domain-level and vault-wide options.

GPOVault Owner

GPOVault provides a multi-tiered security model for delegating GPO operations.

GPOVault Enterprise: The account for the GPOVault Owner does not require any specific domain-level or local permissions, but through GPOVault receives full control over all GPOs and Group Policy operations accessible to the GPOVault Service Account. The GPOVault Owner is selected during installation.

GPOVault Local Edition: The individual who runs GPOVault for the first time automatically becomes the GPOVault Owner, receiving forest-wide full control over GPOs. Forest-wide full control can be delegated to other individuals by delegating full control over the archive for each domain to them.

GPOVault Service (GPOVault Enterprise only)

The Windows service that enables GPOVault clients to manage live and archived GPOs and enforces the GPOVault delegation model, providing a level of security beyond that available with Windows alone. If this service is stopped or disabled, GPOVault clients cannot perform operations through the server.

GPOVault Service Account (GPOVault Enterprise only)

The account under which the GPOVault Service runs. This account must have full access to GPOs on all domains that it will manage as well as Log On As A Service permission.

Group Policy

An Active Directory-based system for applying management policies to users and/or computers, as originally specified by Microsoft.

Group Policy Administrator

An individual who manages, approves, edits, or reviews GPOs. GPOVault Administrators, Editors, Approvers, and Reviewers are all Group Policy administrators.

Group Policy Management Console (GPMC)

Microsoft’s Group Policy Management Console, the unified console for managing Group Policy. The GPMC is accessed via Start -> Control Panel -> Administrative Tools -> Group Policy Management.

Group Policy Object (GPO)

A collection of configuration settings that may be applied to users and/or computers by the Group Policy system built into Windows networks. The GPO consists of data in the SYSVOL and Active Directory, both of which are synchronized across all domain controllers.

Group Policy Object Editor (GPOE)

The primary tool for editing policy settings in GPOs.

History

A list of all versions of a GPO stored within the vault. From the History, a GPOVault Administrator can obtain a report of the settings within a GPO, compare multiple versions of a GPO, or roll back to a previous version of a GPO.

Label

Mark a GPO with a descriptive label (such as “Known good”) for recordkeeping. Labels are visible in the Status column of the History, enabling a GPOVault Administrator to roll back to a previous version of a GPO identified with a particular label.

List Contents Permission

The GPOVault permission required to display a list of GPOs in GPOVault. By default, GPOVault Administrators, Approvers, Editors, and Reviewers have List Contents permission.

Microsoft Management Console (MMC)

The primary management console application for Microsoft Windows. GPMC, GPOE, and RSoP consoles are all MMC snap-ins.

Modify Options Permission

The GPOVault permission required to modify domain-level and vault-level settings in GPOVault. By default, GPOVault Administrators have Modify Options permission.

Modify Security Permission

The GPOVault permission required to modify access to GPOs. By default, GPOVault Administrators have Modify Security permission.

Offline Editing

Editing a GPO without saving changes into Active Directory (AD) or SYSVOL.

The initial release implements this as an edit in AD/SYSVOL that does not affect actual end users, because the GPO is unlinked and disabled.

Offline Mode

The change control server has not connected to an online vault, so it is saving to a locally specified GPMC backup folder.

Owner

The Editor who checked in or deployed a GPO.

See also GPOVault Owner.

Pending

Awaiting approval from an Approver to complete a task, including creating a new GPO, deploying a GPO to the production environment, or deleting a GPO.

Read Settings Permission

The GPOVault permission required to view the settings for an individual GPO. By default, GPOVault Administrators, Approvers, Editors, and Reviewers have Read Settings permission.

Resultant Set of Policy (RSoP)

The Group Policy technology behind logging and planning reports; also an MMC snap-in for viewing planning and logging data.

Reject

To deny a request from an Editor or Reviewer for the implementation of an action (such as the creation, deployment, or deletion of a GPO).

Reviewer

A person authorized by a GPOVault Administrator to review GPOs prior to their deployment. By default, a Reviewer has permission to list GPOs and read GPO settings. This level of access is useful for auditing or team review of a GPO.

Rollback

Redeploy the selected version of a GPO from its History.

Service Account

See GPOVault Service Account.

Settings

A general term for the policy settings of individual extensions in a GPO.

Settings Report

An HTML- or XML-based report displaying the settings within the selected GPO or template.

Template

A static version of a GPO that serves as a starting point for creating new GPOs.

Uncontrolled GPO

A GPO not managed by GPOVault. Until controlled, a GPO cannot use the change control management features provided by GPOVault, such as offline editing, version control, delegation of access to multiple Editors, and check-in/check-out capability for approving and tracking access.

Vault

The collection of all archives of controlled GPOs across all domains in an environment.

Vault Service

See GPOVault Service.

Withdraw

To cancel a request for approval of a pending action, such as the creation, deployment, or deletion of a GPO.
