Audit changes to GPOs

Guest

I am wondering how to enable auditing of GPOs so that we can determine who has made changes to which settings and when. Lately, mysterious changes have occurred and we would like to be able to determine who makes changes to our GPOs. I have enabled UserEnvLogging, GP editing failures and GP CSE, but nothing gives me the information I need.

Any suggestions would be appreciated.
 
Adam Arndt

William,

To audit changes to GPOs you will first need to enable the ability to audit access to AD objects. (On your Domain Controllers OU go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\"Audit Directory Service Access" and configure both Successes and Failures. This will NOT automatically start logging everything; you will still need to specify what objects and particular access you wish to audit.) Next go to the Properties of the GPO that you want to audit actions on and go to the Security tab (advanced features must be enabled). From the Security tab select the "Advanced..." button, and then the Auditing tab; from the Auditing tab you can add the users and groups that you wish to audit and the specific actions that you want to audit. Common examples: Delete, Delete Subtree, Modify Permission, Modify Owner, etc. I would also recommend adding "Audit Policy change" just in case you have an extra sneaky admin, as well.

Adam Arndt
 
Srikanth N [MSFT]

Currently, there is no exact solution to audit a Group Policy. However, it is possible to enable audit for Directory Service access (to monitor Domain Group Policies) and Object Access on %systemroot%\System32\Group Policy (to monitor Local Group Policies).

The following is necessary:

For domain policies:
1. Enable at domain level auditing for Directory Access.
2. Search for Event ID 565 in the Security logs containing the following description: "Object Type: groupPolicyContainer". This will show that a policy has been accessed.
3. Search on the description "Client User Name:", which will show the user who accessed the policy.

For local policies:
1. Enable at domain level auditing for Object Access.
2. Enable auditing on the directory %systemroot%\system32\Group Policy, adding Authenticated Users, for every computer that wants to verify changes to the Local Policies.
3. Search for Event ID 560 in the Security logs containing the following description: "Object Name: %systemroot%\system32\Group Policy". This will indicate that a local policy has been accessed.
4. Search on the description "Client User Name:"; this will show which user account has modified the policy.

The following are some examples of these events:

- Domain Group Policy change:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 565
Date: 8/18/2003
Time: 11:44:57 AM
User: EULESS\administrator
Computer: B-SHOPDNS
Description:
Object Open:
Object Server: DS
Object Type: groupPolicyContainer
Object Name: CN={556508B1-9FA0-4B9A-863B-57F131BABD62},CN=Policies,CN=System,DC=Domain,DC=com
New Handle ID: 0
Operation ID: {0,3482475}
Process ID: 264
Primary User Name: COMPUTERNAME$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: DOMAIN
Client Logon ID: (0x0,0x351657)
Accesses Write Property

Privileges -

Properties:
Write Property
%{00000000-0000-0000-0000-000000000000}
versionNumber

- Local Policy change:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 8/18/2003
Time: 12:20:04 PM
User: DOMAIN\administrator
Computer: COMPUTERNAME
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\WINNT\system32\GroupPolicy
New Handle ID: 420
Operation ID: {0,10355152}
Process ID: 748
Primary User Name: COMPUTERNAME$
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: DOMAIN
Client Logon ID: (0x0,0x9C974D)
Accesses SYNCHRONIZE
ReadData (or ListDirectory)

Privileges -

Additionally, you can also refer to some Third-Party Products that can
audit Group Policy changes. Please visit the link given below that has
information on Auditing Group Policy:

http://www.fullarmor.com/solutions/auditing/

Srikanth N

This posting is provided "AS IS" with no warranties, and confers no rights.
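As an added example (not from the original thread or from Microsoft), the search Srikanth describes can be run over a Security log exported as text in the layout shown above: parse the entries, keep the Event ID 565 entries on a groupPolicyContainer, and report who wrote to which GPO and when, using the Accesses field to tell an edit (Write Property) from a mere view. The sample entries, GUID, user names and domain are constructed.

```python
import re
from datetime import datetime

# Constructed sample: two Event ID 565 entries in the text layout shown in the
# thread (GUID, user names and domain are made up; only needed fields are kept).
SAMPLE_LOG = """\
Event ID: 565
Date: 8/18/2003
Time: 11:44:57 AM
Object Type: groupPolicyContainer
Object Name: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com
Client User Name: jdoe
Accesses Write Property

Event ID: 565
Date: 8/18/2003
Time: 11:50:02 AM
Object Type: groupPolicyContainer
Object Name: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com
Client User Name: asmith
Accesses Read Property
"""

FIELD = re.compile(r"^([A-Za-z ]+): ?(.*)$")      # 'Key: Value' lines
GUID = re.compile(r"CN=(\{[0-9A-Fa-f-]{36}\})")   # GPO GUID inside the object DN

def parse_events(text):
    # One dict per blank-line-separated entry; 'Accesses' has no colon, so it is kept as a list.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, accesses = {}, []
        for line in block.splitlines():
            if line.startswith("Accesses"):
                accesses.append(line[len("Accesses"):].strip())
            elif (m := FIELD.match(line)) and m.group(2):
                ev[m.group(1)] = m.group(2)
        ev["Accesses"] = accesses
        events.append(ev)
    return events

def gpo_changes(events):
    # (timestamp, user, gpo_guid) per 565 event that wrote to a GPO; read-only opens are dropped.
    hits = []
    for ev in events:
        if (ev.get("Event ID") == "565" and ev.get("Object Type") == "groupPolicyContainer"
                and "Write Property" in ev["Accesses"]):
            when = datetime.strptime(f'{ev["Date"]} {ev["Time"]}', "%m/%d/%Y %I:%M:%S %p")
            guid = GUID.search(ev.get("Object Name", ""))
            hits.append((when, ev.get("Client User Name"), guid.group(1) if guid else None))
    return hits
```

The 560 local-policy entries can be handled the same way by matching on "Object Name" ending in GroupPolicy, but note that the 560 sample in this thread shows only ReadData access, which is a view of the folder rather than a change.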
 
Derek Melber [MVP]

William,

You won't find an exact solution built-in. Of course, enabling AD auditing
is good, but it won't help you for what you are looking for exactly. If you
want a robust solution, check out FAZAM Auditing. This is a tool that does
exactly what you are looking for.

--
Derek Melber
BrainCore.Net
William P said:
I am wondering how to enable auditing of GPOs so that we can determine who
has made changes to which settings and when. Lately, mysterious changes have
occurred and we would like to be able to determine who makes changes to our
GPOs. I have enabled UserEnvLogging, GP editing failures and GP CSE, but
nothing gives me the information I need.
 