
Checking Compliance

In document Quest GPOADmin 5.4. User Guide (Page 73-76)

GPOADmin provides two options to determine if an object has been changed outside the scope of the system in the live enterprise environment. You can manually check any object for compliance (Scopes of Management and WMI filters must be checked manually), and you can let the GPOADmin Watcher Service detect unauthorized modifications to GPOs. For more information on configuring the Watcher service, see the Quick Start Guide.

If you are running the Watcher Service, noncompliant GPOs are automatically flagged with a yellow exclamation point, regardless of their status.

If a difference is determined between the last historical backup and the live object, a user with the appropriate permissions will be able to either:

• Roll back: Restore the object in the live environment from the most current backup found in the system to overwrite the unauthorized live change.

• Roll back with Links: Restore a Group Policy Object in the live environment from the most current backup, including its links to Scopes of Management, and overwrite the unauthorized live change.

You can also roll back links from a different history version. For information, see “Restoring Links to a Previous Version” on page 63.

To ensure that you are notified immediately of noncompliant GPOs, make sure the Watcher Service is running.

You can view a list of all objects that have been flagged as noncompliant in the Unauthorized Modifications Search Folder in the GPOADmin console.

When the Watcher Service detects a noncompliant GPO under version control, it creates a backup of the change and increases the minor version number by one. If the noncompliant GPO is Workflow Disabled, it creates a backup of the change and increases the major version number by one. For details on enabling or disabling workflow, see “Enabling/Disabling Workflow” on page 56.

• Incorporate Live: Accept the live changes as being authorized and more up-to-date than what is currently in the system. This will automatically back up those changes into the system and increment the version number of the backup to the next major number.

• Leave the live object alone in its noncompliant state.

If an object has been deleted in the live environment, a user with the appropriate permissions will be able to:

• Restore the object in the live environment

• Restore a Group Policy Object in the live environment and restore its links to Scopes of Management.

• Unregister the object from the Version Control system

To check if any registered objects have been changed since their last backup

1. Right-click the required object in the Available state and select Check Compliance.

– OR –

Right-click the Version Control Root node or subcontainer, and select Check Compliance.

2. Click Next to run the compliance check.

The objects that are not compliant are displayed.

3. Select the required course of action by clicking in the Action field to open the list of options, and click Next.

4. If you are restoring GPO links, select the More (...) button to see the details of the links you will be restoring.

If the change to the live environment occurs while the GPO is checked out, when you check it in you can choose what version of the GPO to accept.

If a SOM has been deleted, you will only have the option to Unregister.

If you are using the GPMC Extension you can select the GPO and click Workflow | Check Compliance.

In the Restore Links box, you can review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.

5. Click OK to save the Restore Links settings.

6. Click Finish.

At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.

To make a flagged GPO compliant

1. Right-click the noncompliant GPO and choose one of the following:

• Incorporate Live

• Rollback

If you choose Incorporate Live, you cannot restore links.

2. Enter a comment and click OK.

– OR –

Select the Restore GPO Links option in the Comment box.

3. In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.

Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.

4. Click OK to save the Restore Links settings.

At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.

To restore a deleted GPO with links

When a Group Policy Object is deleted in the live environment, its status shows as Noncompliant - Deleted in GPOADmin.

1. Right-click the noncompliant GPO and select Restore.

2. Select the Restore GPO Links option in the Comment box.

If you attempt to deploy a noncompliant GPO, you have the option of running the Compliance Wizard or proceeding with the deployment.

3. In the Restore Links box, review the settings that will be restored (right side) and use the toolbar buttons at the top to change the link order, remove links, or set other group policy properties.

Hover over a link to get more information. If a link has an exclamation mark beside it, the Scope of Management Object is not Available.

4. Click OK to save the Restore Links settings.

At this point the modified SOMs affected by the restored links, if registered, are put into a Pending Approval State. If not registered, the changes are made in the live environment.
