[gptalk] Re: GPO Auditing

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Aug 2006 08:37:30 -0700

OK. Enough product pitching :-). This list is meant to devoid of that or
otherwise "vendor-neutral". To that end, in addition to SecureVantage, I
will reiterate that NetIQ, Quest and NetPro all provide detailed AD & GPO
change auditing, including some with MOM integration. You can definitely use
any garden variety monitoring product to tell you whether a GPO change has
occurred, but as I said initially, you typically need 3rd party products to
get more detail than that.
 
Darren
 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Brennan
Sent: Thursday, August 17, 2006 7:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing



Garry,

 

You are 100% correct you can definitely monitor GPO changes with MOM by
scraping the Object Access 566 Events in the security logs.  This generally
tells you that a GPO changed and person that changed it, etc - it does not
tell you what changed (settings/attributes) and the impact of that change.

 

The Secure Vantage MP allows you to have detailed Change Auditing and
Reporting; including GPO changes (566) and the Impact analysis of GPO
attribute changes on each server. It's very powerful and much more than just
566 Auditing; it uses RSOP to do discovery, auditing, and baselining of GPOs
and more importantly the RSOP of GPO attributes and lots of Reporting!

 

 

-ryan

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Meaburn, Garry
Sent: Thursday, August 17, 2006 7:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Hi you can also configure MOM to monitor for GPO changes without using the
Secure Vantage's product. I currently use MOM to monitor any GPO or OU
changes 

 

Regards,

Garry Meaburn

Odyssey Operations - Active Directory

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Brennan
Sent: 16 August 2006 16:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

If you're using MOM you could use Secure Vantage's Group Policy PCMP Product
also to do GPO Auditing :)!  http://www.securevantage.com/ProductsPCMP.html.

 

-ryan

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, August 16, 2006 10:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Generally speaking, the GP auditing that is available is pretty weak, but if
you have directory access auditing enabled on your DCs, then you will see
any changes to the groupPolicyContainer object (the part of the GPO in AD)
show up in the security event log on the PDC emulator DC. That will at least
tell that a GPO changed and who made the change, but it won't show you what
the change was. For that, you would need a 3rd party product like those from
NetIQ or NetPro.

 

Darren

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Difarnecio, Gino (Citco)
Sent: Wednesday, August 16, 2006 7:19 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Auditing

I would like to keep track of changes to my GPO's. Any suggestions on the
best way to accomplish this task? I figure enabling auditing at the PDC in
the policy folder will generate an event if I log write attempts. Is there
anything else that needs to be done to accomplish this?

Thanks

Other related posts: