After installing GPA, you may need to make specific changes to the configuration of the GPA Console, such as:
Configuring the GPA Console to use Export Only and Untrusted Access accounts
Changing the Repository Authorization Code the GPA Console uses
Connecting to a GPA Server
Configuring Domain Indexing
Hiding or showing GPA Console nodes
After you create the Export Only and Untrusted Access accounts and have installed or upgraded GPA, configure GPA to use the accounts. Configure GPA to use these accounts for each untrusted domain. You do not need to configure Untrusted Access accounts for trusted domains. You can configure Export Only accounts for trusted domains, but this is not required.
For more information about creating an Export Only account, see Section 2.4.2, Creating the Export Only Account. For more information about creating the Untrusted Access account, see Section 2.4.3, Creating the Untrusted Access Account.
To configure GPA to use the Export Only and Untrusted Access accounts:
Log on to the GPA Console computer with an account that has GPA Security Manager permissions for the GP Repository domain that you want to use the Export Only or Untrusted Access account. For more information about GPA security, see Section 4.1, Understanding the GPA User Security Model.
Start the GPA Console in the Group Policy Administrator program folder.
In left pane, expand GP Repository and select the untrusted domain you want to configure to use the Export Only or Untrusted Access account.
On the Action menu, click Properties.
On the Accounts tab, select the account you want to use and then type the user name and password.
Click OK.
Repeat the previous steps for each domain that you want to use an Export Only or an Untrusted Access account.
IMPORTANT:You can execute the GPAServerConfig command to change the Export Only and Untrusted Access accounts or update the account password.
Every GPA Console requires a Repository Authorization Code to connect with a GP Repository. The Repository Authorization Code is a unique identifier for each GP Repository that is set on the GP Repository. You can configure each GPA Console with one Repository Authorization Code, and each GPA Console can display any GP Repository with the same code.
Changing the Repository Authorization Code on the GPA Console does not change the Repository Authorization Code for the GP Repository. For more information about changing the Repository Authorization Code on the GP Repository, see Section 3.2.3, Changing the GPA Security Account and Repository Authorization Code.
NOTE:Each GPA user who starts the GPA Console for the first time must provide the Repository Authorization Code for the GP Repository with which the GPA Console is communicating. Each GPA user needs to provide the Repository Authorization Code only once.
To change the Repository Authorization Code the GPA Console uses:
Log on to the GPA Console computer with an account that has GPA Security Manager permissions.
Start the GPA Console in the Group Policy Administrator program folder.
In the left pane, click GP Repository.
On the Action menu, click Properties.
Click the Repository Authorization Code tab.
Type the Repository Authorization Code you want to use in the Authorization Code field, and then click OK.
You must connect to a GPA Server for some activities, such as searching for GPOs.
To connect to a GPA Server:
In the left pane of the GPA Console, expand GP Explorer, and right-click the forest of the domain you want the console to use.
Click Pick GPA Server.
Follow the instructions on the window to connect to a GPA Server.
If you want to change the GPA Server, type a name in the Server Name field or click Connect to DB.
If you want to verify that the console can reach the server, click Validate.
Click OK.
You can configure default indexing settings for the domains you want GPA to include when you search for GPOs. These settings can be changed later when you are searching for GPOs or creating reports.
To configure domain indexing:
In the left pane of the GPA Console, expand GP Analysis and click Search.
Click Action > Configure Domain Index.
Select or clear the check boxes for each AD domain or GP Repository you want to include or exclude for indexing.
If you want to change the preferred domain controller, click on the domain controller in the Preferred DC column and type the name of the DC you want GPA to use to collect GPO data for the AD domain on that row.
If you want to add unmanaged domains, click Get Unmanaged Domains and select additional trusted AD domains to include in your searches.
Click OK.
GPA lets you choose which users or groups can see which nodes on the GPA Console. To show or hide nodes you must be a member of the GPA-CONSOLE-VISIBILITY-MANAGEMENT group, which is created at the time of installation if the group does not already exist in the Active Directory. For more information about the GPA-CONSOLE-VISIBILITY-MANAGEMENT group, see Creating the GPA Console Nodes Visibility Group.
To manage node visibility:
In the left pane of the GPA Console, right-click Group Policy Administrator and select Show/Hide nodes.
If it is not already selected, select Configure GPA Console Nodes Visibility.
Use the Users/Groups list box to add or remove objects whose viewing abilities you want to configure.
Select an object from the Users/Groups list box and select or clear the appropriate check boxes in the Console Nodes list box. Selecting the check box will make the node visible to the targeted user or group; clearing the check box will hide the node from the targeted user or group.
Click OK.