What are the benefits and features of GPA 6.7?

What's New?

GPA is an enterprise-wide, Group Policy change control solution that helps you quickly take advantage of the powerful features Group Policy technology offers. Much more than just a replacement for other tools, GPA helps you easily implement Group Policy technology and easily manage GPOs. The following sections outline the key features and functions provided by this version, as well as issues resolved in this release.

• Improve Security with Ability to Mask and Lock GPOs in the GP Repository
• Ability to Roll Out GPOs to Workstations
• Built-In Search Reports
• Added File Security After GPO Checkout
• Ability to Import AD Security Filtering
• Ability to Turn On or Off GPA Console Nodes
• Supports Microsoft Windows Server 2012 R2
• Supports German Language for Reports
• Addresses Several Issues

Improve Security with Ability to Mask and Lock GPOs in the GP Repository

GPA administrators can now set security filtering on users and groups to mask and lock the GPOs in the GP repository. When you set this level of security, the GPA Console no longer allows all users to see and edit all GPOs.

Ability to Roll Out GPOs to Workstations

You can now roll out updated GPOs from the GPA console to force GPOs to update under a container. GPA enables this feature when the GPA Console is installed on Windows Server 2012 and later or Windows 8 and later computers.

Built-In Search Reports

You now have the ability to generate reports with a single click. The search results are displayed on the right side of the GPA Console with all available GPO operations provided in the search results. This version includes reports to search for the following:

• Empty GPOs (no settings)
• Unlinked GPOs
• Disabled GPOs
• Duplicate GPOs
• GPOs with no security filtering set
• GPOS with versions out of sync (option only for repository GPOs)

Added File Security After GPO Checkout

GPA now provides access permission from the local shared folder of the GPA Console to the account that has checked out the GPOs and members of the GPA Repository Management group. This new feature prevents these checked-out files from being modified by unauthorized users.

Ability to Import AD Security Filtering

When importing GPOs using the Offline Mirror wizard and selecting the option to create identical categories to the AD OU structure, GPA imports the AD security filtering from each OU into each category in the GP Repository. This option ensures that users that do not have read and write permissions will not be able to see the categories and the GPOs inside them nor perform some category operations.

Ability to Turn On or Off GPA Console Nodes

You can now choose which nodes to display in the GPA Console.

Supports Microsoft Windows Server 2012 R2, Microsoft Windows 8.1, and Internet Explorer 11

This version supports installing the GPA Server and GPA Console components on computers running Microsoft Windows Server 2012 R2 and installing the GPA Console on computers running Windows 8.1. This version also supports using Internet Explorer 11 for reports.

Supports German Language for Reports

This version allows you to produce the following reports in the German language:

• GPO Settings
• RSoP
• Comparison and Differential

Addresses Several Issues

This version addresses the following issues:

• Resolves an Issue Where the Links Tab Sometimes Does Not List All GPO Links to the Selected Domain in GP Explorer (ENG207311)
• Resolves an Issue Where the Date Format in Reports Did Not Match the Regional and Local Date Settings (ENG318586, ENG327151)
• Resolves an Issue Where Some Users Could Not be Removed from the Repository (ENG326809)
• Resolves an Issue Where You Could Create Multiple GPOs With the Same Name (ENG327303)
• Resolves an Issue Where Migration Tables Were Not Updated Correctly (ENG327311)
• Resolves an Issuer Where the Installation Program Did Not Complete and Displayed Error 1722 Upgrading GPA ENG329512)
• Resolves an Issue Where the OK Button Remains Active During Activity Reports (ENG330821)
• Resolves an Issue Where the GPO Difference Report Does Not Translate Correctly in Non-English Environments (ENG331193)
• Resolves an Issue With Creating a New GPO on Microsoft Windows Server 2012 (ENG331458)
• Resolves an Issue Where the Save Button on the View History Page Does Not Save (ENG332049)
• Resolves an Issue Where the Difference Report Does Not Show AppLocker Changes (ENG332611)
• Resolves an Issue Where the GPA Console Closes Unexpectedly When You Select the ADMX Repository Tab (ENG333157)
• Resolves an Issue Where the GPA Console Crashes Sometimes When Applying Changes to GPO Security Filtering (ENG333788)
• Resolves an Issue Where GPO Settings Do Not Display When You Remove Certificates From a Duplicate GPO (ENG333830)
• Resolves an Issue Where Links Are Missing When You Migrate a GPO to an Untrusted Domain (ENG334192)
• Resolves an Issue Where GPA Server Experiences Database Timeouts, Console Crashes, and Excess Open Connections to the Database (ENG334717)
• Resolves an Issue Where Group Policy Containers Remain in Active Directory After GPOs Are Checked In (ENG331446)
  To fully implement this fix, ensure that the GPA server connected to the repository is up and running. To allow the GPA server running on the current/trusted domain to delete the GPO containers on other trusted domains, add the GPA Security account to the Domain Admins group of the trusted domain, or add the following permissions on the CN=FAZAM GP REPOSITORY SERVERS,CN=FULLARMOR container for the GPA Security account in each trusted domain where a GPA Console is installed:
  • Delete subtree
  • Delete container objects
• Resolves an Issue Where Difference Report Shows Settings that are the Same in Different GPOs (ENG336131)

Installing This Version

To install this version, run Setup.exe on each GPA Server and GPA Console computer.

For more information about how to install or upgrade GPA, see the User Guide on the Group Policy Administrator documentation Web site.

Note The new search functionality requires that you install the GPA Server component in your environment. This component was optional in previous releases.

GPA now requires the following more recent prerequisite versions:

• Microsoft Visual C++ 2010 Redistributable Package (x86) (or x64 for GPA Console)
• .NET Framework 4.0

The prerequisite checker installs these updated versions if you select that option.

If you do not add the GPA Security account to the Domain Admins group, add the following permissions on the CN=System container for the GPA Security account in every domain where you have the GPA Console installed:

• Read
• Modify
• Read all properties
• Write all properties
• Delete subtree
• Create Container objects
• Delete Container objects
• Create serviceConnectionPoint objects
• Delete serviceConnectionPoint objects

The following installation and upgrade issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).

• Recommend Upgrading Using Same User Account as the Original Installation
• Hotfix Files Not Removed During Uninstall
• Installing the GPA Console on a Computer with Microsoft SQL Server 2005 Express Edition and Either Microsoft Windows Server 2008 Service Pack 1 or 2 or Microsoft Windows Vista Service Pack 1 or 2 Generates Information Events
• Installing RSAT on Microsoft Windows Vista Service Pack 2
• Installing the GPA Console Using a Group Policy Object
• Installing Additional GPA Components if You Remotely Install the GP Repository

Recommend Upgrading Using Same User Account as the Original Installation

When upgrading from a previous version of GPA, log on with the same user account used during the original GPA installation. (ENG300042)

If you are unable to do this, complete the following steps:

1. Attempt to upgrade to the latest GPA version using a different user account than the original installation (UserB).
2. When the installation ends, review the log file for the name of the temp folder that is missing.
3. Locate the temp folder from the first user account (UserA) in %user profile%Temp.
4. Copy the temp folder contents from the UserB path to the UserA path.
5. Run the upgrade steps again.

Hotfix Files Not Removed During Uninstall

Uninstalling GPA does not remove files and folders created by the hotfix installer. You must remove these files and folders manually. (ENG314337)

Installing the GPA Console on a Computer with Microsoft SQL Server 2005 Express Edition and Either Microsoft Windows Server 2008 Service Pack 1 or 2, or Microsoft Windows Vista Service Pack 1 or 2 Generates Information Events

After installing the GPA Console on a computer with Microsoft SQL Server 2005 Express Edition and either Microsoft Windows Server 2008, including Service Pack 1 or 2, or Microsoft Windows Vista Service Pack 1 or 2, when you open the Event Viewer console and expand Windows Logs > Application, some of the application events have the description Login failed for user 'NT AUTHORITY\SYSTEM'. [CLIENT: named pipe]. You can ignore these events. (ENG255755)

Installing RSAT on Microsoft Windows Vista Service Pack 2

You cannot install Remote Server Administration Tools (RSAT) on Microsoft Windows Vista Service Pack 2 although RSAT is supported on Service Pack 2. To work around this issue, install RSAT on Microsoft Windows Vista Service Pack 1, and then upgrade to Microsoft Windows Vista Service Pack 2. For more information about this issue, see the Microsoft Web site. (DOC270814)

Installing the GPA Console Using a Group Policy Object

If you use a GPO to deploy the GPA Console installation, ensure all prerequisites for installing the GPA Console are installed on the target computer prior to applying the GPO containing the GPA software package. If the computer does not meet the prerequisites, the GPA installation fails. (ENG252451)

Installing Additional GPA Components if You Remotely Install the GP Repository

If you remotely install the GP Repository and then run the setup program again on the local computer, the setup program displays upgrade windows rather than allowing you to add additional GPA components. This issue is caused by registry entries on the local computer for the remote database installation. (ENG263510)

To work around this issue:

1. On the local computer, run the gpa.msi file and choose the Remove option.
2. Run the setup program to add GPA components to the local computer.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact NetIQ Technical Support (www.netiq.com/support).

• Security Filtering Subcategories Always Inherit the View Category Permission
• Some Menu Options Are Not Active in Interactive Search

Security Filtering Subcategories Always Inherit the View Category Permission

When applying the View Category permission, you can see that Apply to is always set to This object and child objects and this cannot be modified. If a user has that permission under a parent category where the top level is Domain, the user will have the permissions for the whole domain. (ENG333413)

Some Menu Options Are Not Active in Interactive Search

When using the interactive search, you can now see the Undo checkout option. The Approve option is not available because there is no consolidation of menu items. (ENG336240)