OK, I'm in...

<plug> There is one other third party product you should take a look at. GPOVault from DesktopStandard. There is a free version you can check out or eval the enterprise version. What it does is manage Group Policy in an offline repository so all changes are tracked and maintained over time. It is a plug-in to the GPMC which makes for a very simple design and very quick uptime. You can see who made what changes when and when those changes were actually deployed to the live environment. You can roll back any changes to any point in the history of the GPO. You can protect your live environment by not giving any explicit permissions to the live environment and only allowing management through the role based delegation in the Vault (this is only in the Enterprise version). Of course there is an approval based workflow process so that lower level delegates have to have their changes checked prior to deployment to the live environment. Lots of other great stuff. </plug>

The third party solutions really took the bull by the horns and provided a lot of the missing pieces to management of Group Policy. This is one of the areas that has been lacking quite a bit. Yeah, there has been a MOM pack for a while now and I know a few folks who get some good info out of it but it does not address the issues around fully managing your Group Policy environment.

<plug> Don't forget the free version of GPOVault... </plug>

Kevin

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, August 17, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

OK. Enough product pitching :-). This list is meant to be devoid of that or otherwise "vendor-neutral". To that end, in addition to SecureVantage, I will reiterate that NetIQ, Quest and NetPro all provide detailed AD & GPO change auditing, including some with MOM integration.
You can definitely use any garden variety monitoring product to tell you whether a GPO change has occurred, but as I said initially, you typically need 3rd party products to get more detail than that.

Darren

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Brennan
Sent: Thursday, August 17, 2006 7:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

Garry,

You are 100% correct you can definitely monitor GPO changes with MOM by scraping the Object Access 566 Events in the security logs. This generally tells you that a GPO changed and the person that changed it, etc - it does not tell you what changed (settings/attributes) and the impact of that change.

The Secure Vantage MP allows you to have detailed Change Auditing and Reporting; including GPO changes (566) and the Impact analysis of GPO attribute changes on each server. It's very powerful and much more than just 566 Auditing; it uses RSOP to do discovery, auditing, and baselining of GPOs and more importantly the RSOP of GPO attributes and lots of Reporting!

-ryan

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Meaburn, Garry
Sent: Thursday, August 17, 2006 7:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

Hi, you can also configure MOM to monitor for GPO changes without using Secure Vantage's product. I currently use MOM to monitor any GPO or OU changes.

Regards,
Garry Meaburn
Odyssey Operations - Active Directory

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Brennan
Sent: 16 August 2006 16:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

If you're using MOM you could use Secure Vantage's Group Policy PCMP Product also to do GPO Auditing :)! http://www.securevantage.com/ProductsPCMP.html.
-ryan

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 16, 2006 10:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

Generally speaking, the GP auditing that is available is pretty weak, but if you have directory access auditing enabled on your DCs, then you will see any changes to the groupPolicyContainer object (the part of the GPO in AD) show up in the security event log on the PDC emulator DC. That will at least tell you that a GPO changed and who made the change, but it won't show you what the change was. For that, you would need a 3rd party product like those from NetIQ or NetPro.

Darren

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Difarnecio, Gino (Citco)
Sent: Wednesday, August 16, 2006 7:19 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Auditing

I would like to keep track of changes to my GPOs. Any suggestions on the best way to accomplish this task? I figure enabling auditing at the PDC in the policy folder will generate an event if I log write attempts. Is there anything else that needs to be done to accomplish this?

Thanks
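
Added example, not part of any message in this thread: Python that filters security-log records for the event 566 writes to groupPolicyContainer objects discussed above and reports which GPO changed and who changed it. The records are constructed, and the field labels and the set of accesses treated as a change are assumptions.

```python
import re

# Constructed records: (event ID, timestamp, description text). Field labels
# are modelled on the event 566 "Object Operation" text; every value is made up.
GPO = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com"
SAMPLE = [
    (566, "2006-08-16 10:02:11",
     f"Object Type: groupPolicyContainer\nObject Name: {GPO}\n"
     "Client User Name: jsmith\nClient Domain: EXAMPLE\n"
     "Accesses: Write Property\nProperties: Write Property versionNumber"),
    (566, "2006-08-16 10:05:40",  # write to an OU, not to a GPO object
     "Object Type: organizationalUnit\nObject Name: OU=Servers,DC=example,DC=com\n"
     "Client User Name: jsmith\nClient Domain: EXAMPLE\n"
     "Accesses: Write Property\nProperties: Write Property gPLink"),
    (566, "2006-08-16 11:30:02",  # read of a GPO object, not a change
     f"Object Type: groupPolicyContainer\nObject Name: {GPO}\n"
     "Client User Name: backupsvc\nClient Domain: EXAMPLE\n"
     "Accesses: Read Property\nProperties: Read Property displayName"),
    (540, "2006-08-16 11:31:00", "Successful Network Logon"),  # unrelated event
]

FIELD = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.MULTILINE)
GPO_DN = re.compile(r"^CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System,", re.I)
CHANGE_ACCESSES = {"write property", "delete", "write_dac"}  # assumed set

def gpo_changes(records):
    """Return one dict per event 566 that modifies a groupPolicyContainer."""
    hits = []
    for event_id, when, text in records:
        if event_id != 566:
            continue
        f = {k.strip().lower(): v.strip() for k, v in FIELD.findall(text)}
        if f.get("object type", "").lower() != "grouppolicycontainer":
            continue
        if f.get("accesses", "").lower() not in CHANGE_ACCESSES:
            continue
        dn = GPO_DN.match(f.get("object name", ""))
        who = f.get("client domain", "?") + "\\" + f.get("client user name", "?")
        hits.append({
            "time": when,
            "gpo_guid": dn.group(1) if dn else None,
            "who": who,
            # Names the attribute written, not the policy setting that changed.
            "properties": f.get("properties", ""),
        })
    return hits

if __name__ == "__main__":
    for hit in gpo_changes(SAMPLE):
        print(hit)
```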