See answers inline...
Jack Ryan said:
1. If a GP is changed, is there any way to find out the actual user
who changed it?
Yes, so long as the portion of the policy that was changed is under Computer
Configuration\Security Settings. You must have "Audit Policy Change"
enabled for Success on the Default Domain Controller Policy. This will not
generate an event for policy changes in other areas like Administrative
Template settings.
2. What event ids do I have to look for in the DC's security log to
determine that a change occurred?
This article explains how to differentiate between an "actual" change to the
Security portion of a policy and those events registered by the system
during periodic checks:
272460 Information About Event 617 in the Security Event Log
http://support.microsoft.com/?id=272460
3. Does Windows maintain a version history of all GPs? If so, how do
I go back to a previous version of my GP?
The operating system does not keep previous versions of the policy
dynamically. You can use the Group Policy backup feature in gpmc.msc or
ntbackup and make backups of %SystemRoot%\Sysvol prior to making changes.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Note: Avoid making manual copies of %SystemRoot%\Sysvol to other directories
or drives on the same DC. Junction points could be copied and when the
manual backup is deleted the deletion will traverse the junction point back
to the real Sysvol location and all policies will be lost. Once this occurs
the deletion will be replicated to the rest of the DCs.
324175 Best Practices for Sysvol Maintenance
http://support.microsoft.com/?id=324175
4. Is there any way to prevent DOMAIN ADMINISTRATORS from changing the
ADMINISTRATOR account password?
This comes down to you trusting your administrators. If one of the
Administrators changes the password, revoke their admin rights.
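
For answer 3 above, an added example that is not part of the original reply: a PowerShell script that lists the junction points under Sysvol (what a manual folder copy can carry along) and then takes a dated backup of every GPO with the GroupPolicy module's Backup-GPO cmdlet instead of copying the folder. It assumes a Windows Server release that ships the GroupPolicy module and PowerShell 5 or later; the D:\GPOBackups destination is a hypothetical path.

```powershell
# Added example, not from the original post. Paths are assumptions; adjust for your DC.
param(
    [string]$SysvolRoot = (Join-Path $env:SystemRoot 'SYSVOL'),
    [string]$BackupRoot = 'D:\GPOBackups'   # hypothetical destination outside Sysvol
)

Import-Module GroupPolicy -ErrorAction Stop

# Refuse to write the backup anywhere inside the Sysvol tree.
$sysvolFull = [IO.Path]::GetFullPath($SysvolRoot).TrimEnd('\') + '\'
$backupFull = [IO.Path]::GetFullPath($BackupRoot).TrimEnd('\') + '\'
if ($backupFull.StartsWith($sysvolFull, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup destination $BackupRoot is inside $SysvolRoot; choose another location."
}

# Show the junction points a plain folder copy would pick up.
# -Attributes ReparsePoint limits the output to reparse points (junctions, symlinks).
$junctions = Get-ChildItem -LiteralPath $SysvolRoot -Recurse -Force `
    -Attributes ReparsePoint -ErrorAction SilentlyContinue
foreach ($j in $junctions) {
    '{0} -> {1}' -f $j.FullName, ($j.Target -join ', ')
}
"Reparse points under Sysvol: $(@($junctions).Count)"

# One dated folder per run gives the version history Windows does not keep itself.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Backup-GPO exports every GPO in the domain to $dest without touching Sysvol.
$results = Backup-GPO -All -Path $dest -Comment "Pre-change backup $stamp"
$results | Select-Object DisplayName, GpoId, Id, CreationTime | Format-Table -AutoSize
"Backed up $(@($results).Count) GPO(s) to $dest"
```

A backup taken this way can be restored from the same folder with Restore-GPO or through the GPMC console.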