Grup Plicy Manager Quick start Guide Sftware versin 4.0.0.0 General Infrmatin: inf@cinsystems.cm Online Supprt: supprt@cinsystems.cm Cpyright CinSystems Inc., All Rights Reserved Page 1
CinSystems Inc. ALL RIGHTS RESERVED. This guide may nt be reprduced r transmitted in part r in whle by any means, electrnic r mechanical, including phtcpying and recrding fr any purpse ther than the purchaser's use under the licensing agreement, withut the written permissin f CinSystems Inc. The sftware applicatin in this guide is prvided under a sftware license (EULA) r nn-disclsure agreement. This prduct may nly be used in accrdance with the terms f the applicable licensing agreement. This guide cntains prprietary infrmatin prtected by cpyright. Fr questins regarding the use f this material and prduct, cntact us at: CinSystems Inc. 6640 185 th Ave NE Redmnd, WA-98052, USA http://www.cinsystems.cm Phne: +1.425.605.5325 Trademarks CinSystems, CinSystems Inc., the CinSystems Inc. lg, CinSystems Grup Plicy Manager (GPO Manager) are trademarks f CinSystems. Other trademarks and registered trademarks used in this guide are prperty f their respective wners. Cpyright CinSystems Inc., All Rights Reserved Page 2
Cntents Overview... 4 Highlights f the prduct... 5 System Requirements... 5 Backup Repsitry (Strage Methd)... 6 Installatin n Windws Server 2008... 6 Installatin n Windws Server 2012... 6 Installatin n Windws 8... 6 Installatin n Windws 7... 7 Installatin n Windws Server 2003 R2... 8 Cnfiguring the Applicatin... 8 Step-By-Step Walkthrugh... 10 Add GPO t versining... 10 T add a GPO fr versin... 10 Check Out and Edit GPOs... 11 T check ut a GPO... 11 T edit a GPO... 11 T check in and request apprval... 11 Cpyright CinSystems Inc., All Rights Reserved Page 3
Overview Grup Plicy allws users administratrs t implement specific cnfiguratins fr users and cmputers. Grup Plicy settings are cntained in Grup Plicy bjects (GPOs), which are linked t the fllwing Active Directry directry service cntainers: sites, dmains, r rganizatinal units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature f Active Directry. By using Grup Plicy, users can define the state f smene s wrk envirnment nce, and then rely n Windws Server 2000/2003/2008/2012 t cntinually frce the Grup Plicy settings applied acrss an entire rganizatin r t specific grups f peple and cmputers. As security issues are becming paramunt within any rganizatins. Within Active Directry (AD), the Grup Plicy Objects (GPOs) are at the frefrnt f an rganizatin's ability t rll ut and cntrl functinal security. Cre aspects f user life cycle such as passwrd plicies, lgn hurs, sftware distributin, and ther critical security settings are handled thrugh GPOs. It is paramunt fr Organizatins t have prper methds t cntrl the settings f these GPOs and t deply GPOs in a meaningful and safe manner with cnfidence, easily backup and restre GPOs when they are either incrrectly updated r crrupt. Windws Grup Plicy is pwerful and allws user centralized management. Hwever, uncntrlled and unintentinal changes can have disastrus cnsequences. Fr example, unintended effects f a GPO change culd stp hundreds f users frm lgging n, exclude access t critical sftware applicatins, r expse system settings. The Grup Plicy Management Cnsle (GPMC) frm Micrsft is a useful tl fr the individual administratr, but additinal functinality such as GPO wrkflw management, check in/check ut, change cntrl, backup/restre, reprts and rllback is needed t effectively manage GPOs acrss the enterprise. CinSystems GPO Manager ffers a mechanism t cntrl this highly imprtant cmpnent f Active Directry. GPOs, Scpe f Management links, and WMI filters are backed up in a secure, distributed manner and then placed under versin cntrl. GPO Manager ffers fllwing benefits and mre: Gives Active Directry administratrs and security persnnel cntrl f GPO changes, t eliminate system utages and security expsures Allws administratrs t edit and test GPOs and have them apprved befre they are deplyed Prvides a way t quickly rll back changes Archives all GPO settings Leverages, cmplements and extends native Micrsft technlgy, including Grup Plicy Management Cnsle (GPMC), t strengthen infrastructure investments Cpyright CinSystems Inc., All Rights Reserved Page 4
Highlights f the prduct Versin Cmparisns: Quickly verify setting cnsistency and imprve GPO auditing with advanced, side-by-side GPO versin cmparisns at different intervals. Enhanced Grup Plicy Cmparisn and side-by-side tw distinct GPO S, tw Versins and with Existing GPO with a Checkut cpy GPO cmparisns t verify setting cnsistency. GPO histry and Cmpare: t recrd all changes t GPO s Delete versin histry: t manage and reduce size f backup stre Und GPO changes: Rlled back t previus versins. Apprval-based wrkflw: prcess t ensure that changes adhere t change management best practices befre their deplyment. Cnfigure wrkflw: t enable rganizatinal requirements and set fr specified users r grups n edit settings, clak and unclak and lck and unlck. Wrkflw Cmmenting: Track the request, review and apprval prcess with cmments and e-mail ntificatins at any stage. Scheduling: Enable apprved changes t be implemented immediately r n a schedule. Micrsft Grup Plicy Management Cnsle (GPMC) fr familiar lk and feel. Claking: Hidden pre-prductin GPS frm all but selected administratrs. GPO check-in and check-ut t prevent simultaneus editing cnflicts. GPO lcking: t prevent unwanted changes t prduct GPOs. Backup and Restre: Schedules the ALL GPO s Backup r selected GPO s t be taken at a specified date and time Delegatin and permissins management: Delegates r prvide Read, Edit, Apply Permissins n GPO t Users Day t Day task : Perfrm cmmn GPO Actins/Tasks like Create, Edit, Delete, Link, Rename,Backup, Imprt, Restre GPO, add cmments t GPO, View, Enable, Disable Manage security: Apply Filters t GPO Cpy /Paste : Create a duplicate GPO with same settings Reprts: Creates Reprt f all GPO S at a specified Lcatin. Advance Categrizing: Easily find GPOS that are Linked, Unlinked, Orphaned, Disabled, Deleted etc. Replicatin: T replicate the data amng the Available dmain cntrllers Delegatin: T grant Permissin fr Users t create GPO. T Apply WMI Filter. Grant Permissin n All GPO s: T grant permissin fr users n all GPO s t read, Edit,delete. System Requirements CinSystems GPO Manager needs: 2 GHz prcessr 4 GB RAM r greater 100 MB hard disk space Windws Server 2003 Service Pack 2, Windws Server 2003 R2, Windws Server 2008, Windws Server 2008 R2, Windws Server 2012/ 2012R2,Windws Server 2016, Windws 8 r Windws 7 perating systems Cpyright CinSystems Inc., All Rights Reserved Page 5
MMC 3.0.NET Framewrk 3.5 and 4.0 Micrsft Grup Plicy Management Cnsle with Service Pack 1 r Remte Server Administratin Tls System must be dmain jined Backup Repsitry (Strage Methd) Yu have the ptin f chse the fllwing fr the lcatin f the physical backup cpy f the bject versins and ther cnfiguratin: A netwrk share fr the majrity f deplyments, netwrk share is the best apprach as it prvides a high perfrmance backup stre with a minimum f cnfiguratin and maintenance verhead. Installatin n Windws Server 2008 Install.Net framewrk4.0 (specify frm where)? Dwnlad CinSystems GPO Manager Walk thrugh the installatin wizard After the install the fllwing GPO Manager icn will be added t the desktp Installatin n Windws Server 2012 Install.Net framewrk4.0 (specify frm where)? Dwnlad CinSystems GPO Manager Walk thrugh the installatin wizard After the install, GPO Manager icn will be added t the desktp Installatin n Windws 8 Install.Net Framewrk 4.0 Dwnlad and Install RSAT Tls frm site: http://www.micrsft.cm/en-us/dwnlad/details.aspx?id=7887 G t cntrl panel. Click n Prgrams, click n Turn Windws Features n r ff Cpyright CinSystems Inc., All Rights Reserved Page 6
Installatin n Windws 7 Install.Net Framewrk 4.0 Dwnlad and Install RSAT Tls frm site: http://www.micrsft.cm/en-us/dwnlad/details.aspx?id=7887 G t cntrl panel. Click n Prgrams, click n Turn Windws Features n r ff Select Remte Server Administratin Tls; Turn n Grup Plicy Management Tls. Click n k Dwnlad CinSystems GPO Manager Walk thrugh the installatin wizard After the install, GPO Manager icn will be added t the desktp Cpyright CinSystems Inc., All Rights Reserved Page 7
Installatin n Windws Server 2003 R2 Install.Net framewrk4.0 Make sure yu have Windws Server Service pack 2 installed Dwnlad and Install GPMC Service pack 1 frm site: http://www.micrsft.cm/enus/dwnlad/details.aspx?id=21895 Dwnlad and Install MMC3.0 frm belw site: http://supprt.micrsft.cm/kb/907265 Dwnlad CinSystems GPO Manager Walk thrugh the installatin wizard After the install, GPO Manager icn will be added t the desktp Cnfiguring the Applicatin Install the CinSystems GPO Manager. Open the applicatin by duble clicking n the GPO Manager icn frm the desktp. Click n Cnfiguratin tab and then click n Cnnect. We can cnfigure the dmain credentials in tw ways: Using Credentials tab r by using Add Credential Manually tab. 1. If the system is dmain jined then in Credentials tab we will get dmain name autmatically. Enter UserName(dmain user name) and Passwrd and click n Shw buttn, it will display the list f dmain cntrllers, select One Dmain cntrller as Primary. Cpyright CinSystems Inc., All Rights Reserved Page 8
2. Thrugh Add Credential Manually ptin we can cnfigure the dmain credentials manually. Here we need t enter dmain cntrller name, dmain name, dmain user name and passwrd details. After that click n Shw buttn, it will display the list f dmain cntrllers, select One Dmain cntrller as Primary. Next, Select the Repsitry Lcatin tab. Select Netwrk lcatin s that it can be accessible frm any system jined in the same dmain as managed GPO s. Ensure this is a file share and all users f the applicatin have read and write privilege t the shared flder. Nte:1.If yu installed the applicatin n ther Systems that was jined in Dmain (If applicatin is installed n a Dmain cntrller and Repsitry lcatin is already defined) click n Fetch Repsitry Lcatin buttn in Repsitry lcatin. The Applicatin will shw the repsitry lcatin frm the previus installs. 2. If yu installed the applicatin n ther Systems that was jined in Dmain, The user which is use t lgin t CinSystems GPO Manager must be in Dmain Admins Grup and must be added int Lcal Administratrs grup t the lcal machine. Cpyright CinSystems Inc., All Rights Reserved Page 9
Select Audit Path Lcatin, GPOs Wrkflw audit data will be saved in this lcatin in the frm f XML. Next, Select the Backup/Restre Lcatin tab, select the lcatin fr backup and restre f GPOs. Click n Submit buttn. Step-By-Step Walkthrugh This step-by-step walkthrugh takes yu thrugh CinSystems GPO Manager Scenari that includes the fllwing: Cnnect t the Versin Repsitry Registering an bject/gpo, by attempting t edit Check ut and edit an bject Check in the bject and request apprval. CinSystems GPO Manager prvides rles that enable users t perfrm actins within the GPO Manager wrkspace. The fllwing scenari is created n the assumptin that the administratr has already delegated the User and Mderatr rles t the required users. T view the rles applied t a specific cntainer, right-click it, select Prperties, and click the Security tab. Fr cmplete infrmatin n hw t create and delegate rles, see Cnfiguring Rle-based Delegatin in this guide. Add GPO t versining Initially all GPOs are unregistered. T add GPOs t the Versin Cntrl system, they must be first pen fr edit and saved. This prcess frces the system t register the GPO in versin cntrl and maintain their GPO status (User and Cmputer settings enabled r disabled), links, security, and WMI filters. T add a GPO fr versin Expand CinSystems GPO Manager, ensure under cnfiguratin, the cnnect, The Repsitry lcatin and the Backup and Restre lcatin are defined. Nw select the GPO, right click and Edit and clse the editr. Once bjects have been added, they are lcated in the selected cntainer under the versining with their initial versin number set t 1.0. They are nw available t be checked ut and edited. Cpyright CinSystems Inc., All Rights Reserved Page 10
Check Out and Edit GPOs Befre users can edit registered GPOs, the GPOs must be checked ut. The wrkflw is as fllws: Check ut the GPO frm the system, make the required edits, and Check in the changes t the system. Versin infrmatin is updated in the system s histry when the GPO is checked back in. Only ne persn within the system can check ut and wrk n any GPO at a given time. Checking ut a GPO fr the first time creates a cpy f the riginal GPO. The cpy is an exact duplicate f the riginal GPO until it passes thrugh the apprval prcess. T check ut a GPO Expand the GPO Manager Wrk space and select the available GPO. Right-click a GPO and select checkut. Enter a cmment and click OK. Once yu have a GPO checked ut, yu can edit the settings frm the Grup Plicy Management Editr as well as edit the Security and WMI Filter settings. When yu check ut a GPO, the changes are made t a cpy f the live GPO. Thse changes d nt affect the GPO settings n the netwrk until the changes are checked in and deplyed. T edit a GPO Right-click a checked ut GPO and select Edit. Click Launch Editr and make the required changes. If required, select the Security tab and click Add r Remve t mdify the current security filter. Enter r search fr the required user, cmputer, r grup, and click OK. Click the Advanced buttn t select advanced permissins. T add r remve a WMI filter, select the WMI Filter tab and chse a filter frm the list f available WMI filters. Click OK. Yu nw have the ptin t check in the GPO t be stred fr later use r check in and request apprval f the changes. T check in and request apprval Expand the Versin Cntrl Rt nde and select the checked ut GPO. Right-click and select Check In. Enter a cmment and click OK. Right-click the GPO and select Request Apprval. Enter a cmment and click OK. The GPO status will be Pending Apprval until the changes are apprved r rejected by a user with the apprpriate permissins. When the GPO has been apprved it is ready t be deplyed int the live envirnment. Cpyright CinSystems Inc., All Rights Reserved Page 11
Cntact Ntes: Fr technical supprt r feature requests, please cntact us at Supprt@CinSystems.cmr 425.605.5325 Fr sales r ther business inquiries, we can be reached at Sales@CinSystems.cmr 425.605.5325 If yu d like t view a cmplete list f ur Active Directry Management slutins, please visit us nline at www.cinsystems.cm Disclaimer The infrmatin in this dcument is prvided in cnnectin with CinSystems prducts. N license, express r implied, t any intellectual prperty right is granted by this dcument r in cnnectin with the sale f CinSystems prducts. EXCEPT AS SET FORTH IN CIONSYSTEMS LICENSE AGREEMENT FOR THIS PRODUCT, CIONSYSTEMS INC. ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL CIONSYSTEMS INC. BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF CIONSYSTEMS INC. HAS BEEN ADVISED IN WRITING OF THE POSSIBILITY OF SUCH DAMAGES. CinSystems may update this dcument r the sftware applicatin withut ntice. CinSystems Inc. 6640 185 th Ave NE, Redmnd, WA-98052, USA www.cinsystems.cm Ph: +1.425.605.5325 This guide is prvided fr infrmatinal purpses nly, and the cntents may nt be reprduced r transmitted in any frm r by any means withut ur written permissin. Cpyright CinSystems Inc., All Rights Reserved Page 12