5.2 Setting Up the GP Repository

You must perform several tasks to prepare the GP Repository for use. These tasks include:

  • Connecting a GPA Console to a GP Repository

  • Adding domains to the GP Repository

  • Creating categories and sub‑categories in the domains

  • Adding GPA users and defining user security

The following sections provide instructions to complete each of these tasks.

5.2.1 Connecting to a GP Repository

Before you can begin working with GPOs in the GP Repository, you must establish a connection between the GPA Console you are using and the GP Repository. You can connect to the GP Repository using either Microsoft Windows or SQL Server credentials. Using Microsoft Windows credentials gives you the advantage of a single logon. You can connect to the GP Repository using the same credentials you used to log on to the GPA Console computer.

If your Microsoft SQL Server does not accept your Microsoft Windows credentials as valid or if you are connecting to a GP Repository from a GPA Console in an untrusted domain, you have the option to use SQL Server credentials to connect to the GP Repository. For more information about untrusted domains, see Setting Up Untrusted Domains.

Users who connect to the GP Repository using Microsoft Windows credentials only need to provide their Microsoft Windows credentials the first time they connect to the GP Repository. The GPA Console continues to use the same Microsoft Windows credentials each time a user connects to the GP Repository.

Users who connect to the GP Repository using SQL Server credentials must provide their SQL Server password once when they start the GPA Console and connect to the GP Repository. The GPA Console will not prompt for a user's SQL Server password again when connecting to the GP Repository unless the user stops and starts the GPA Console.

NOTE: If you are connecting to a GP Repository for the first time, you need to first configure the GPA Console with the Repository Authorization Code for the GP Repository. For more information about configuring the Repository Authorization Code on the GPA Console, see Section 3.3.2, Changing the Repository Authorization Code.

To connect to a GP Repository:

  1. Log on to a GPA Console computer with an account that has domain administrator privileges.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository.

  4. On the Action menu, click New, and then click Connect to Database.

  5. If you have installed the GPA Console on the same computer as the Microsoft SQL Server, type (local) in the Server list.

  6. If you have not installed the GPA Console on the same computer as the Microsoft SQL Server, select the computer where you have installed the Microsoft SQL Server.

    NOTE: If the Server list does not display the name of the Microsoft SQL Server, verify that the Microsoft SQL Server is accessible over the network from the GPA Console computer you are using. If the server is accessible, type the server name in the Server list. If DNS does not resolve the name, type the IP address of the Microsoft SQL Server in the Server list.

  7. Select whether you want to use Microsoft Windows or SQL Server authentication to access the GP Repository.

  8. If you specify SQL Server credentials, provide valid credentials for the GP Repository.

  9. Click OK.

To disconnect a particular GP Repository, select the GP Repository. On the Action menu, click Disconnect.
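The following PowerShell script is an added example and is not part of the NetIQ documentation or the GPA product. It performs, from the console computer, the checks the procedure above relies on: that DNS resolves the SQL Server name (falling back to the IP address as the NOTE in step 6 suggests), that the SQL Server TCP endpoint is reachable, and that the server accepts the authentication mode you intend to use. The server name SQL01 and port 1433 are assumptions; GPO_Repository is the database name the page uses in Section 5.2.7. It uses only the .NET System.Data.SqlClient classes that ship with Windows, so no SQL Server module is required.

```powershell
# Added example; not part of the NetIQ documentation or the GPA product.
# Pre-flight checks for a GPA Console's connection to the GP Repository.
# Assumed values (not taken from the page): server name 'SQL01', TCP port 1433.
# 'GPO_Repository' is the database name the page itself uses in 5.2.7.
param(
    [string]$SqlServer = 'SQL01',
    [int]$Port = 1433,
    [string]$Database = 'GPO_Repository',
    [pscredential]$SqlCredential   # omit to test Windows (integrated) authentication
)

# 1. Name resolution. The page says to fall back to the IP address when DNS fails.
try {
    $ip = (Resolve-DnsName -Name $SqlServer -Type A -ErrorAction Stop |
           Where-Object IPAddress | Select-Object -First 1).IPAddress
    "Resolved $SqlServer to $ip"
} catch {
    Write-Warning "DNS cannot resolve '$SqlServer'; type its IP address in the Server list instead."
    $ip = $SqlServer
}

# 2. Reachability of the SQL Server TCP endpoint from this console computer.
$tnc = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP port $Port on $ip is not reachable; check firewalls and the SQL Server service."
}

# 3. Connection string for the chosen authentication mode. Encrypt=True keeps
#    SQL Server passwords and repository data off the wire in clear text.
$b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$b['Data Source']     = "$SqlServer,$Port"
$b['Initial Catalog'] = $Database
$b['Encrypt']         = $true
if ($SqlCredential) {
    $b['User ID']  = $SqlCredential.UserName
    $b['Password'] = $SqlCredential.GetNetworkCredential().Password
} else {
    $b['Integrated Security'] = $true
}

# 4. Open the connection and report what the server accepts.
$conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT SYSTEM_USER AS LoginName,
       CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsOnly
"@
    $r = $cmd.ExecuteReader()
    if ($r.Read()) {
        "Connected to $Database as $($r['LoginName'])"
        if ($r['WindowsOnly'] -eq 1) {
            Write-Warning ('SQL Server accepts Windows authentication only: the SQL Server logins ' +
                           'that consoles in untrusted domains rely on will be refused until ' +
                           'mixed-mode authentication is enabled.')
        }
    }
    $r.Close()
} catch {
    # A "Login failed" message here means the server was reached but rejected the credentials.
    throw "Connection to $SqlServer failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run it without -SqlCredential to test the single-logon (Windows) path the page recommends, and with `-SqlCredential (Get-Credential)` to test a SQL Server login before handing it to a console in an untrusted domain. If the SQL Server presents a self-signed certificate, Encrypt=True will fail the TLS handshake; the fix is to deploy a trusted certificate on the server rather than to disable encryption for a connection that carries SQL Server passwords.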

5.2.2 Adding Domains to the GP Repository

The first step after connecting to a GP Repository is to set up domains within the GP Repository that correspond to the domains in Active Directory where you are managing GPOs. These domains provide an Active Directory context for the GPOs you import into the GP Repository. The GP Repository domains enable GPA to maintain information about each GPO in Active Directory, including:

  • Security settings

  • Active Directory links to OUs, domains, and sites

  • Network paths

  • Active Directory domain where the GPO is located

GPA uses this information to export GPOs from the GP Repository to Active Directory. If you are working with multiple domains, GPA uses this information to migrate GPOs between domains in the GP Repository. For more information about the interaction between Active Directory and the GP Repository, see Section 1.2, How GPA Works.

Configuring a Domain Controller

From the GPA Console, you can select the domain controller (DC) the software uses for GP Explorer or GP Repository operations. In domains with multiple DCs, you can configure the console to use only the PDC Emulator operations master, any available DC, or a specific DC that you name when performing GPO operations from the GP Repository.

NOTE: When configuring the console to connect to specific domain controllers, prefer domain controllers in the same AD site as the console. If you choose a domain controller in a different site, some settings take effect only after Active Directory replication between the domain controller in the console's site and the selected domain controller has completed. For more information, refer to NetIQKB72431.

To configure a domain controller:

  1. Log on to the GPA Console computer with any domain user account.

    NOTE: If the logon user account does not have Local Admin permissions on the console machine, that domain account must have Full Control permissions on the DcOptions registry key for the console to retain any DC configuration settings you make.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then select the GP Repository.

  4. Select the domain.

  5. Click Action > Properties.

  6. On the General tab of the domain properties window, select one of the following options:

    Primary Domain Controller (PDC) Operations Master: The GPA Console uses the DC that holds the PDC Emulator operations master role. If that DC later becomes unavailable on the network, GPA notifies you that the domain controller is inaccessible and asks you to change the DC and refresh the GP Repository before any further operations.

    Any Available Domain Controller: GPA Console uses any available DC, and if the DC in use becomes unavailable on the network, GPA finds another DC and continues to work without notifying you or sending any error messages.

    This Domain Controller: GPA Console uses a specific domain controller, and if the DC becomes unavailable on the network, the GPA Console notifies you the specified DC is not accessible and asks you to confirm that the DC is online and try again or select another available DC.

  7. Click OK.

  8. Refresh the database connection in the GP Repository to see the changes to the selected DC.

When the GPA Console does not detect any available DCs, the software lets you work in the domain with limited scope.
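The NOTE under step 1 above means a non-administrator operator needs an explicit ACL entry on one registry key rather than local administrator rights on the console. The following PowerShell functions are an added example, not part of the NetIQ documentation or the GPA product: one grants a single account Full Control on a registry key and the other reads the DACL back to confirm the grant took effect. The page does not state the full path of the DcOptions key, so $KeyPath must be supplied by you; the account name CONTOSO\gpa.operator in the usage lines is an assumption.

```powershell
# Added example; not part of the NetIQ documentation or the GPA product.
# Grants one domain account Full Control on the DcOptions registry key (see the
# NOTE under step 1) instead of adding that account to local Administrators.
# The page does not give the key's full path: pass the real location in $KeyPath.
function Grant-RegistryFullControl {
    param(
        [Parameter(Mandatory)][string]$KeyPath,    # e.g. 'HKLM:\SOFTWARE\<vendor path>\DcOptions' (placeholder)
        [Parameter(Mandatory)][string]$Identity    # e.g. 'CONTOSO\gpa.operator' (assumed name)
    )
    if (-not (Test-Path -Path $KeyPath)) { throw "Registry key '$KeyPath' not found." }

    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)          # appends to the existing DACL; existing ACEs are kept
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-RegistryFullControl {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Identity
    )
    # Compare on SID so that a renamed account or a different name format still matches.
    $sid  = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $aces = (Get-Acl -Path $KeyPath).GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
    # True only if an Allow ACE (explicit or inherited) grants FullControl to that SID.
    [bool]($aces | Where-Object {
        $_.IdentityReference -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        $_.RegistryRights.HasFlag([System.Security.AccessControl.RegistryRights]::FullControl)
    })
}

# Usage (run from an elevated PowerShell session on the console computer):
#   Grant-RegistryFullControl -KeyPath 'HKLM:\SOFTWARE\<vendor path>\DcOptions' -Identity 'CONTOSO\gpa.operator'
#   Test-RegistryFullControl  -KeyPath 'HKLM:\SOFTWARE\<vendor path>\DcOptions' -Identity 'CONTOSO\gpa.operator'
```

Grant the right on the DcOptions key itself, not on the vendor's parent key, so the operator account cannot alter other console settings stored nearby; Test-RegistryFullControl also reports inherited ACEs, which is how you notice that a broader grant higher in the hive already covers the key.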

Indexing Domains

You can include trusted and untrusted domains when GPA indexes GPOs, and you can view indexing statistics for each domain. GPA updates the indexes for the GP Repository any time you make changes to Repository GPOs. When you include trusted and untrusted domains in the indexes, you also set the schedule for GPA to update domain indexes.

To include a domain for indexing and view indexing statistics:

  1. In the left pane of the GPA Console, expand GP Repository, and then select the GP Repository.

  2. Select the domain.

  3. Click Action > Properties.

  4. On the Indexing Properties tab, select the option to include the domain for indexing.

  5. If you are managing multiple domains, repeat Step 2 through Step 4 for each domain to index.

  6. Review the indexing statistics for that domain. If the status is in progress, click Refresh to see if the indexing completes while you have the window open.

  7. If you want to delete the current indexes and completely rebuild them, click Rebuild Indexes.

Adding Trusted Domains

You can add trusted Active Directory domains to the GP Repository from a GPA Console computer in any domain trusted by the domain you want to add.

To add a trusted domain to the GP Repository:

  1. Log on to a GPA Console computer with an account that has domain administrator permissions on the domain you want to add.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then select the GP Repository.

  4. On the Action menu, select New > Domain.

  5. Specify or browse to the domain you want to add, and then click OK.

Setting Up Untrusted Domains

Adding an untrusted domain to the GP Repository requires you to complete several related steps:

  • Add the untrusted domain to the GP Repository

  • Create a SQL Server login to the GP Repository that GPA Consoles in the untrusted domain use to communicate with the GP Repository

  • Specify Microsoft Windows credentials from the untrusted domain to which you assign specific permissions in GPA.

    NOTE:

    • If the untrusted domain is on a different DNS server from the domain on which the GP Repository resides, you need to add users from this untrusted domain using a GPA Console computer belonging to the untrusted domain.

    • By setting up untrusted access credentials, users can perform operations such as generating reports on untrusted domains.

    • If the untrusted domains use different DNS servers, configure DNS forwarding from each of these domains to the others so that every domain can resolve the other domains' names and IP addresses.

For more information about permissions and security in GPA, see Section 4.1, Understanding the GPA User Security Model. For more information about the interaction between Active Directory and the GP Repository, see Section 1.2, How GPA Works.
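The third bullet of the NOTE above asks for DNS forwarding between domains that do not share a DNS server, but does not show how. The following PowerShell script is an added example, not part of the NetIQ documentation or the GPA product: it creates a conditional forwarder on the repository domain's DNS server for the untrusted domain and then verifies that the untrusted domain's domain controller and its _ldap SRV record resolve through that server, which is what a console needs before the Remote User Login wizard can validate accounts there. The domain names corp.example and partner.example, the DNS server addresses 10.1.0.10 and 10.2.0.10, and the DC name dc1.partner.example are assumptions. It requires the DnsServer module (RSAT DNS Server tools); run the mirror-image command on the other domain's DNS server so resolution works both ways.

```powershell
# Added example; not part of the NetIQ documentation or the GPA product.
# Conditional forwarding from the repository domain's DNS server to an untrusted
# domain, plus a resolution check. All names and addresses below are assumptions.
param(
    [string]$RemoteZone     = 'partner.example',        # untrusted domain
    [string[]]$RemoteDns    = @('10.2.0.10'),           # its DNS servers
    [string]$LocalDnsServer = '10.1.0.10',              # DNS server of the repository domain
    [string]$RemoteDc       = 'dc1.partner.example'     # a DC in the untrusted domain
)

Import-Module DnsServer -ErrorAction Stop

# Create the conditional forwarder unless a zone of that name already exists.
$existing = Get-DnsServerZone -Name $RemoteZone -ComputerName $LocalDnsServer -ErrorAction SilentlyContinue
if (-not $existing) {
    # -ReplicationScope needs AD-integrated DNS; omit it for a file-based forwarder on a standalone server.
    Add-DnsServerConditionalForwarderZone -Name $RemoteZone -MasterServers $RemoteDns `
        -ComputerName $LocalDnsServer -ReplicationScope 'Domain'
    "Added conditional forwarder $RemoteZone -> $($RemoteDns -join ', ') on $LocalDnsServer"
} elseif ($existing.ZoneType -ne 'Forwarder') {
    Write-Warning "$RemoteZone already exists on $LocalDnsServer as a $($existing.ZoneType) zone; left unchanged."
} else {
    "Conditional forwarder for $RemoteZone is already present on $LocalDnsServer."
}

# Verify that the untrusted domain is now resolvable from the repository side.
function Test-UntrustedDomainResolution {
    param([string]$Zone, [string]$DcName, [string]$DnsServer)
    $ok = $true
    $queries = @(
        @{ Name = $DcName;                       Type = 'A'   },   # the DC named in the wizard
        @{ Name = "_ldap._tcp.dc._msdcs.$Zone";  Type = 'SRV' }    # DC locator record
    )
    foreach ($q in $queries) {
        try {
            $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DnsServer -ErrorAction Stop
            $answer = if ($q.Type -eq 'A') { $r.IPAddress } else { $r.NameTarget }
            "{0,-3} {1} -> {2}" -f $q.Type, $q.Name, ($answer -join ', ')
        } catch {
            Write-Warning "$($q.Type) lookup of $($q.Name) via $DnsServer failed: $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-UntrustedDomainResolution -Zone $RemoteZone -DcName $RemoteDc -DnsServer $LocalDnsServer)) {
    throw "Name resolution into $RemoteZone is incomplete; the Remote User Login wizard cannot validate accounts there."
}
```

A conditional forwarder only sends queries for the named zone to the other domain's servers, which is a narrower change than a global forwarder and keeps the untrusted domain from influencing resolution of anything else. The SRV check matters because a console locates domain controllers through the _msdcs records, not only through the DC's host name.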

Adding Untrusted Domains to the GP Repository

You can add untrusted domains to the GP Repository from any GPA Console computer.

To add an untrusted domain to the GP Repository:

  1. Log on to a GPA Console computer with an account that has domain administrator permissions.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then select the GP Repository.

  4. On the Action menu, select New > Domain.

  5. Select Untrusted Domain.

  6. Specify the DNS or NetBIOS name of the untrusted domain you want to add, and then click OK.

  7. Provide the user name and credentials of an account that has domain administrator permissions in the untrusted domain, and then click OK.

Creating a SQL Server Logon Account to the GP Repository

To manage GPOs in the untrusted domain you added, you must configure the GP Repository with a SQL Server logon account that GPA Consoles in the untrusted domain use to connect to the GP Repository. GPA Consoles in the untrusted domain should connect using SQL Server authentication since the domain where you installed the GP Repository does not trust Microsoft Windows credentials from the domain where you installed the GPA Console.

You must also specify a Microsoft Windows user account in the untrusted domain to which you will assign specific GPA permissions. GPA users log on to GPA Console computers in the untrusted domain to perform GPA operations using this Microsoft Windows account. You can specify multiple Microsoft Windows accounts to support your GPA security model.

Use the Remote User Login wizard to create the SQL Server logon account as well as specify the Microsoft Windows credentials from the untrusted domain to which you will assign specific GPA permissions.

To set up a SQL Server logon account and remote user for an untrusted domain using the Remote User Login wizard:

  1. Log on to a GPA Console computer in a domain trusted by the domain where you installed the GP Repository with an account that has domain administrator permissions and database administrator permissions and is a member of the securityadmin role for Microsoft SQL Server.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository, and then select the GP Repository.

  4. On the Action menu, select Add Untrusted Domain User, and then click Next.

  5. If there are no SQL Server logon accounts listed, or if you want to create a new SQL Server logon account, click Add and follow Steps a through c. Otherwise, click Next.

    a. Type the name of the SQL Server logon account you want to create in the User Login field.

    b. Type the password for the new SQL Server logon account in the Password field.

    c. Confirm the password in the Re‑Enter Password field, and then click OK.

To specify Windows credentials from an untrusted domain:

  1. Add the untrusted domain and create the SQL Server logon account for it, as described in the preceding procedures.

  2. Type the user name of an account from the untrusted domain you are adding to the GP Repository in the User Name field. Specify an account to which you will assign specific GPA permissions. For more information about permissions and security in GPA, see Section 4.1, Understanding the GPA User Security Model.

  3. Specify the NetBIOS name or IP address of the domain controller for the untrusted domain in the Domain Controller field.

  4. Under Connect As, type the user name of a domain administrator account in the untrusted domain in the User field.

  5. Under Connect As, type the password for the domain administrator account in the Password field, and then click Next. The Remote User Login wizard uses these credentials to verify the account to which you will assign GPA permissions.

  6. Click Finish.

You can use the Remote User Login wizard as many times as necessary to set up the GPA users you need in the untrusted domain. You must define security permissions for each remote user you add to the GP Repository. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.

5.2.3 Understanding GPO Categories

Categories allow you to group and organize GPOs in the GP Repository. For example, you can group GPOs related to security in a Security Settings category, while you can group those related to desktop management in a Desktop Settings category. You can also create categories in the GP Repository that correspond to OUs in Active Directory. Determine how you want to organize and manage GPOs in the GP Repository before you create your categories. You need to create at least one category before you can create or import GPOs into the GP Repository.

Categories in the GP Repository are not equivalent to OUs in Active Directory. You can create categories that correspond to OUs to help organize GPOs in the GP Repository the same way they are linked in Active Directory, but categories have no effect on GPOs. For example, placing a GPO in a category is not the same as linking a GPO to an OU.

Categories allow you to specify security permissions, such as creating, editing, deleting, and importing, for GPOs within a particular category. For more information about permissions and security in GPA, see Section 4.1, Understanding the GPA User Security Model.

Group Policy Administrator defines categories as one of these types:

  • System Categories

  • User‑Defined Categories

5.2.4 Understanding System Categories

The GP Repository has several predefined system categories:

All

This category contains a list of all GPOs in a GP Repository domain. The All category provides a quick way to find any GPO by GPO name. You can only view reports on GPOs in this category. You cannot modify or delete GPOs in this category.

Backup

This category contains a backup of Active Directory GPOs. The GP Repository export feature allows users to export GPOs you create in the GP Repository to an Active Directory domain. During this export process, if a GPO with the same GUID already exists in the Active Directory domain, the GP Repository backs up the live domain GPO in the Backup category. This node does not appear until the GP Repository creates the first backup GPO. For more information, see Section 5.8.2, Backing Up GPOs Prior to Export.

GPOs Pending Approval

This category contains a list of all GPOs in a GP Repository domain that are waiting for approval for export to Active Directory.

GPOs Pending Export

This category contains a list of all GPOs in a GP Repository domain that you have approved for export to Active Directory.

5.2.5 Creating Custom Categories and Subcategories

You can add your own categories to the GP Repository in addition to those categories available in GPA. You can also create subcategories within a category or another subcategory.

IMPORTANT: When naming a category, do not end the name with a backslash (\). A category whose name ends with a backslash has the following effects:

  • Operations that depend on indexing, such as merging or searching in GP analysis mode, will not function properly.

  • The Preview Export command will not run for any GPOs in the category.

  • Attempting to export a GPO from this category will fail with a "System.Runtime.InteropServices.COMException".

  • The Browse for Category window only shows the categories listed above the misnamed category and does not show the misnamed category itself, nor the categories that are listed after it. For example, if there are five categories named A, B, C\, D, and E, only categories A and B will be listed.

To create a category or subcategory:

  1. Log on to a GPA Console computer with an account that has permissions to create categories in the GP Repository.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository.

  4. If you want to create a new category, select the domain where you want to create the category.

  5. If you want to create a new subcategory, select the category under which you want to create the subcategory.

  6. On the Action menu, click New > Category.

  7. Specify the name for the category, and click OK. A category name should be unique within a domain.

    NOTE: You cannot create categories called All or Backup. These are special categories reserved by GPA.

5.2.6 Determining Approval Status

You can determine the approval status of a GPO in several ways. When you select a category in the left pane of the GPA Console, the result pane provides a summary of every GPO in the category. The Approval Status column displays the approval status of each GPO.

A GPO can have the following approval states:

  • Waiting for Approval

  • Not Approved

  • Approved

  • Exported

You can also display the GPOs Pending Approval category and the GPOs Pending Export category in the GP Repository. The GPOs Pending Approval category displays all GPOs that are waiting for approval for export to Active Directory. The GPOs Pending Export category displays all GPOs in the GP Repository that have approval for export to Active Directory. Specify which of these category options display by selecting GP Repository and choosing Properties from the Action menu.

To configure GPA to display the GPOs Pending Export and GPOs Pending Approval categories:

  1. Log on to a GPA Console computer with an account that has Customize Deployment Options permissions.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, click GP Repository.

  4. On the Action menu, click Properties.

  5. Click the GPO Category Options tab.

  6. Select the check box next to the category you want to display, and then click OK.

The left pane displays the GPOs Pending Export and GPOs Pending Approval categories.

5.2.7 Adding Users and Defining User Security

The final step in preparing the GP Repository for use is adding GPA users and defining the permissions each user has to perform GPO‑related tasks in the GP Repository. To add new users to the GP Repository, use an account that has Manage GPR Security permissions in the GP Repository. The user account you used to install the GP Repository has permissions to perform all tasks in the GP Repository and has Manage GPR Security permissions for all levels in the GP Repository. In addition, any member of the GPA_REPOSITORY_MANAGEMENT group has the same permissions. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.

NOTE:

  • If you add any users to the GPA_REPOSITORY_MANAGEMENT group, those users must log off and log on again for the new security permissions to take effect.

  • You may have specified your own group account instead of the GPA_REPOSITORY_MANAGEMENT group during the GP Repository installation.

Adding Users

When adding new GPA users, you can specify whether the new user will use Microsoft Windows credentials or SQL Server credentials to connect to the GP Repository. Using Microsoft Windows credentials gives you the advantage of a single sign‑on. You connect to the GP Repository using the same credentials you used to log on to the GPA Console computer.

If your Microsoft SQL Server does not accept your Microsoft Windows credentials as valid or if you are connecting to a GP Repository from a GPA Console in an untrusted domain, you have the option to use SQL Server credentials to connect to the GP Repository. If you add a new user with SQL Server credentials, this creates a new SQL Server logon account on the Microsoft SQL Server. For more information about untrusted domains, see Setting Up Untrusted Domains.

NOTE: A user who is not a SQL Server administrator must be a member of the securityadmin server role in SQL Server and of the db_owner database role in the GPO_Repository database in order to add users to or remove users from the GP Repository.
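Because both this NOTE and the Remote User Login wizard procedure in Setting Up Untrusted Domains require the securityadmin and db_owner roles, it is worth confirming them before starting a wizard that will otherwise fail part-way through. The following PowerShell script is an added example, not part of the NetIQ documentation or the GPA product. It connects with Windows authentication, checks the roles of the calling account, lists every server login (Windows or SQL) that is mapped into the repository database together with its database roles, and flags SQL Server logins that do not enforce the Windows password policy. The server name SQL01 is an assumption; GPO_Repository is the database name from the NOTE.

```powershell
# Added example; not part of the NetIQ documentation or the GPA product.
# Checks the caller's SQL Server roles and audits the logins mapped into the
# GP Repository database. Assumed: server name 'SQL01'. The database name
# 'GPO_Repository' is the one the page states.
param(
    [string]$SqlServer = 'SQL01',
    [string]$Database  = 'GPO_Repository'
)

function Invoke-RepoQuery {
    param([Parameter(Mandatory)][string]$Sql)
    $cs   = "Data Source=$SqlServer;Initial Catalog=$Database;Integrated Security=True;Encrypt=True"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $da = New-Object System.Data.SqlClient.SqlDataAdapter($Sql, $conn)
        $dt = New-Object System.Data.DataTable
        [void]$da.Fill($dt)
        return ,$dt
    } finally { $conn.Dispose() }
}

# 1. Does the calling account meet the prerequisites in the NOTE?
$me = Invoke-RepoQuery @"
SELECT SYSTEM_USER                         AS LoginName,
       IS_SRVROLEMEMBER('sysadmin')        AS IsSysadmin,
       IS_SRVROLEMEMBER('securityadmin')   AS IsSecurityAdmin,
       IS_MEMBER('db_owner')               AS IsDbOwner
"@
$row = $me.Rows[0]
if ($row.IsSysadmin -eq 1) {
    "$($row.LoginName) is sysadmin; no further role checks are needed."
} elseif ($row.IsSecurityAdmin -eq 1 -and $row.IsDbOwner -eq 1) {
    "$($row.LoginName) holds securityadmin and db_owner on $Database and can add or remove repository users."
} else {
    Write-Warning ("{0} is missing a prerequisite (securityadmin={1}, db_owner={2}); " +
                   "the Add Repository User and Remote User Login wizards will fail to create or drop logins." -f
                   $row.LoginName, $row.IsSecurityAdmin, $row.IsDbOwner)
}

# 2. Audit: every server login mapped into the repository database, with its roles.
#    SQL_LOGIN rows are what consoles in untrusted domains use to connect.
$audit = Invoke-RepoQuery @"
SELECT sp.name        AS LoginName,
       sp.type_desc   AS LoginType,      -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
       dp.name        AS DatabaseUser,
       STUFF((SELECT ', ' + r.name
              FROM sys.database_role_members rm
              JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
              WHERE rm.member_principal_id = dp.principal_id
              FOR XML PATH('')), 1, 2, '') AS DatabaseRoles,
       sp.is_disabled AS IsDisabled
FROM sys.server_principals sp
JOIN sys.database_principals dp ON dp.sid = sp.sid
WHERE sp.type IN ('S', 'U', 'G')
ORDER BY sp.type_desc, sp.name
"@
$audit | Format-Table -AutoSize

# 3. SQL logins created without CHECK_POLICY keep whatever password they were given.
$weak = Invoke-RepoQuery "SELECT name FROM sys.sql_logins WHERE is_policy_checked = 0 AND is_disabled = 0"
foreach ($l in $weak.Rows) {
    Write-Warning "SQL login '$($l.name)' does not enforce the Windows password policy."
}
```

The audit in step 2 is the quickest way to see what the Remote User Login wizard actually created on the SQL Server, and to spot logins that belong to users who have left or to domains you no longer manage; remove those through the Add Repository User window rather than directly in SQL Server so the repository's own permission records stay consistent.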

To add a new user to the GP Repository:

  1. Log on to a GPA Console computer with an account that has Manage GPR Security permissions (or is a member of the GPA_REPOSITORY_MANAGEMENT group) and that is also a member of the securityadmin role for Microsoft SQL Server.

  2. Start the GPA Console in the NetIQ Group Policy Administrator program group.

  3. In the left pane, expand GP Repository and select the GP Repository to which you want to add a user.

  4. On the Action menu, click Add Repository User. GPA displays a window that contains the list of current GP Repository users.

    NOTE: You can also use this window to remove GP Repository user or group accounts. Do not delete the default accounts, such as the Administrator account or the account you used to install the GP Repository.

  5. If you want to add a Microsoft Windows user account to the GP Repository server, click Microsoft Windows User and then click Add.

    1. Select from a list of user accounts granted public access to the GPA Repository, or type the user account or group you want to add. You can add the user or a domain group from the current domain or from the list of trusted domains. You can add Domain, Local, Global, or Universal groups.

    2. Click OK.

      NOTE: To perform this action, you must have permission to create new SQL Server logon accounts on the GPA Repository SQL Server.

  6. If you want to create a new SQL Server user account, click SQL User and then click Add.

    1. Specify the user name and password for a new SQL Server user account.

    2. Click OK.

  7. Click Close.

Defining User Security

By default, GPA users do not have permissions to perform any GPA tasks. You need to specifically grant permissions to each GPA user. Additionally, you need to define the scope of the permissions you grant. That is, you need to specify what levels in the GP Repository the user permissions apply to, whether domains, categories, or GPOs.

You define GPA user security permissions and scope in GPA by assigning GPA users to specific GPA roles or by defining individual permissions for a GPA user for each object in the GP Repository. For more information about assigning roles and defining individual security permissions for GPA users, see Section 4.2, Defining GP Repository Security Permissions and Scope.

You can also set security filtering to mask and lock GPOs from certain users and groups. When you set this level of security, the GPA Console no longer allows all users to see and edit all GPOs.

5.2.8 Configuring GP Editor Link Security

GPA allows the GP administrator to specify where GP Editors can link GPOs at a domain, OU, and site level, providing granular management of GP security. GPA disables this feature by default, which allows GP Editors to link GPOs to any domain, OU, or site. When you enable this feature, GP Admins can select which targets GP Editors can link GPOs to.

To enable GP Editor Link Security:

  1. Expand GP Repository and select the repository to configure.

  2. On the Action menu, click Properties.

  3. Click Customize Options, and then click the GP Editor Link Security tab.

  4. Select Enable GP Editor Link Security, and then click OK.

When you enable this feature, only GPA security administrators will be allowed to add or modify GPO links in the Repository by default. Use the GP Editor Link Security window to grant GPO link permissions to GP Editors on specific domains, OUs, and sites.

To grant GPO link permissions to GP Editors:

  1. Expand GP Repository and select the domain to configure.

  2. On the Action menu, select GP Editor Link Security.

  3. Select the containers and users to grant appropriate permissions for your environment.

  4. Have users test their ability to link GPOs to appropriate containers, and adjust permission settings when needed.