Audit changes in a Group Policy

Discussion in 'Active Directory' started by Igor L. Kravchenko, Apr 13, 2007.

  1. Is there any way to set up auditing that will allow me to see if a new group
    policy was created or one of the existing policies was modified in the domain or
    in the forest?
     
    Igor L. Kravchenko, Apr 13, 2007
    #1

  2. Dear Igor,
    Yes, you can audit changes to Group Policy objects. However, the data that
    is included in the audit is limited. The Microsoft Developers Network
    contains an excellent blog on how to enable auditing for Group Policy and
    explains how to interpret the event log messages.
    http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx

    DesktopStandard and NetIQ offer GPOVault and Group Policy Guardian that
    enhance the change control/auditing experience.

    Best regards.
     
    Hayman Ezzeldin, Apr 13, 2007
    #2

  3. acchong Guest

    You should see event ID 566 registered in the security log whenever a new GPO is
    created or an existing GPO is modified.
     
    acchong, Apr 13, 2007
    #3
  4. Thank you for both of your replies. The problem is that, as it says in that
    blog, it cannot track exactly what was changed. This is what I am looking
    for.

    Any other tools that I could use?
     
    Igor L. Kravchenko, Apr 13, 2007
    #4
  5. Hayman Ezzeldin, Apr 13, 2007
    #5
  6. Herb Martin Guest

    The short (but almost useless) answer is: YES it is possible.

    I am not sure however exactly which method would work or how
    easy it is.

    First thing that I would test: Enable auditing Account Management and try
    linking/unlinking a GPO. If this works then you are good to go but
    I have no real reason for expecting GPO changes to be logged by
    Account Management Auditing.

    You can also try (pretty sure this is the certain way) to Audit object
    access for some Group (Admin or Everyone) on the OU PROPERTY
    "Write gpLink" (maybe "Write gpOptions" too).

    You can test this on one OU and if it works then just set it on the domain
    with inheritance propagation to all OUs.

    BTW: Why do you wish to audit this? Do you have a large number of
    people with the authority
     
    Herb Martin, Apr 13, 2007
    #6
  7. Herb Martin Guest

    Are you trying to audit down to the GPO elements themselves?

    These are NOT AD "objects" or properties so they probably cannot
    be audited without one of the third party tools.

    GPOs themselves are physically stored in files in SysVol.
     
    Herb Martin, Apr 13, 2007
    #7
  8. Gautam Anand Guest

    Herb,

    That is actually incorrect - GPO Elements are stored both as Active Directory
    Objects and in the SYSVOL.
    It's based on the GPO objects that:
    - you can audit GPO changes made both via monitoring the SYSVOL and the
    Active Directory.
    - you can delegate GPO creation/editing etc
    - GPO AD Objects = GPC
    - GPO Sysvol objects = GPT
    Ref: http://msdn2.microsoft.com/en-us/aa374180.aspx

    Cheers,
    Gautam
     
    Gautam Anand, Apr 15, 2007
    #8
  9. Herb Martin Guest

    So you are saying the (detailed) elements stored in the GPO files are also
    stored in the AD?

    I doubt this is true and your referenced article seems to confirm my
    understanding http://msdn2.microsoft.com/en-us/aa374180.aspx --
    so I suspect that we are speaking of two different things.

    I believe the actual elements, the details of the various settings within
    the GPO are stored on the file system while the GPO object within
    AD contains only the settings about the GPO in general, including how
    to find those supporting files and element data.
     
    Herb Martin, Apr 15, 2007
    #9
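Building on the GPC/GPT split discussed in #8 and #9, here is an added PowerShell example (mine, not from the thread or from any of the tools named in it) that snapshots each GPO's AD container and its SYSVOL template and diffs them between runs to flag created, modified and deleted GPOs; the snapshot path and the function names are my own assumptions.

```powershell
# Added example (not from the thread). Snapshot every GPO's container (GPC) in AD
# and its template (GPT) in SYSVOL, then diff against the previous run to flag
# created, deleted and modified GPOs. Assumes read access to CN=Policies,CN=System
# and the SYSVOL share; $SnapshotPath and the function names are assumptions.
param([string]$SnapshotPath = "$env:ProgramData\gpo-snapshot.json")

function Get-GpoSnapshot {
    $root = [ADSI]"LDAP://RootDSE"
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$($root.defaultNamingContext)"
    $searcher = New-Object DirectoryServices.DirectorySearcher($policies, "(objectClass=groupPolicyContainer)")
    $searcher.PropertiesToLoad.AddRange([string[]]("cn","displayName","versionNumber","gPCFileSysPath","whenChanged"))
    $snap = @{}
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        $gptVersion = $null
        # The GPT side lives in SYSVOL; GPT.ini carries "Version=<n>", which should match the GPC versionNumber
        $ini = Join-Path $p["gpcfilesyspath"][0] "GPT.ini"
        $m = if (Test-Path $ini) { Select-String -Path $ini -Pattern '^Version=(\d+)' | Select-Object -First 1 }
        if ($m) { $gptVersion = [int]$m.Matches[0].Groups[1].Value }
        $snap[$p["cn"][0]] = [pscustomobject]@{
            Name = $p["displayname"][0]; GpcVersion = [int]$p["versionnumber"][0]
            GptVersion = $gptVersion; WhenChanged = $p["whenchanged"][0]
        }
    }
    return $snap
}

function Compare-GpoSnapshot($old, $new) {
    foreach ($cn in $new.Keys) {
        $n = $new[$cn]
        if ($n.GptVersion -ne $n.GpcVersion) {
            Write-Warning "$cn ($($n.Name)): GPC version $($n.GpcVersion) but GPT.ini version $($n.GptVersion) (replication lag or a direct SYSVOL edit)"
        }
        if (-not $old.ContainsKey($cn)) { "CREATED  $cn  $($n.Name)"; continue }
        if ($old[$cn].GpcVersion -ne $n.GpcVersion) {
            "MODIFIED $cn  $($n.Name)  v$($old[$cn].GpcVersion) -> v$($n.GpcVersion) at $($n.WhenChanged)"
        }
    }
    foreach ($cn in $old.Keys) { if (-not $new.ContainsKey($cn)) { "DELETED  $cn  $($old[$cn].Name)" } }
}

$previous = @{}
if (Test-Path $SnapshotPath) {
    (Get-Content $SnapshotPath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $previous[$_.Name] = $_.Value }
}
$current = Get-GpoSnapshot
Compare-GpoSnapshot $previous $current
$current | ConvertTo-Json -Depth 3 | Set-Content $SnapshotPath
```

Linking or unlinking a GPO changes gPLink on the OU, not the GPO's version, so those changes are not caught here and still need the object-access auditing on the OU that Herb describes in #6.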
  10. Jesse1113

    My IT department uses a tool called Group Policy Change Reporter from netwrix (NetWrix: #1 for Change Auditing - Simple, Lightweight, Affordable). The tool reports on newly created and deleted GPOs, changes made to GPO links and audit policies, password policies, software deployments, user desktops, and so on. It’s a pretty handy tool.
     
    Jesse1113, May 15, 2012
    #10