[gptalk] Re: GPO Auditing

  • From: "Sullivan, Kevin" <ksullivan@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Aug 2006 12:04:36 -0400

OK, I'm in... 

 

<plug>

There is one other third party product you should take a look at.
GPOVault from DesktopStandard. There is a free version you can check out
or eval the enterprise version. What it does is manage Group Policy in
an offline repository so all changes are tracked and maintained over
time. It is a plug-in to the GPMC which makes for a very simple design
and very quick uptime.

 

You can see who made what changes when and when those changes were
actually deployed to the live environment. You can roll back any changes
to any point in the history of the GPO. You can protect your live
environment by not giving any explicit permissions to the live
environment and only allowing management through the role based
delegation in the Vault (this is only in the Enterprise version). Of
course there is an approval based workflow process so that lower level
delegates have to have their changes checked prior to deployment to the
live environment. Lots of other great stuff.

</plug>

 

The third party solutions really took the bull by the horns and provided
a lot of the missing pieces to management of Group Policy. This is one
of the areas that has been lacking quite a bit. Yeah there has been a
MOM pack for a while now and I know a few folks who get some good info
out of it but it does not address the issues around fully managing your
Group Policy environment.

 

<plug>

Don't forget the free version of GPOVault...

</plug>

 

Kevin

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Thursday, August 17, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

OK. Enough product pitching :-). This list is meant to be devoid of that or
otherwise "vendor-neutral". To that end, in addition to SecureVantage, I
will reiterate that NetIQ, Quest and NetPro all provide detailed AD &
GPO change auditing, including some with MOM integration. You can
definitely use any garden variety monitoring product to tell you whether
a GPO change has occurred, but as I said initially, you typically need
3rd party products to get more detail than that.

 

Darren

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Brennan
Sent: Thursday, August 17, 2006 7:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

Garry,

 

You are 100% correct you can definitely monitor GPO changes with MOM by
scraping the Object Access 566 Events in the security logs.  This
generally tells you that a GPO changed and the person that changed it, etc -
it does not tell you what changed (settings/attributes) and the impact
of that change.

 

The Secure Vantage MP allows you to have detailed Change Auditing and
Reporting; including GPO changes (566) and the Impact analysis of GPO
attribute changes on each server. It's very powerful and much more than
just 566 Auditing; it uses RSOP to do discovery, auditing, and
baselining of GPOs and more importantly the RSOP of GPO attributes and
lots of Reporting!

 

 

-ryan

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Meaburn, Garry
Sent: Thursday, August 17, 2006 7:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Hi, you can also configure MOM to monitor for GPO changes without using
Secure Vantage's product. I currently use MOM to monitor any GPO or
OU changes.

 

Regards,

Garry Meaburn

Odyssey Operations - Active Directory

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Brennan
Sent: 16 August 2006 16:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

If you're using MOM you could use Secure Vantage's Group Policy PCMP
Product also to do GPO Auditing :)!
http://www.securevantage.com/ProductsPCMP.html.

 

-ryan

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 16, 2006 10:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Generally speaking, the GP auditing that is available is pretty weak,
but if you have directory access auditing enabled on your DCs, then you
will see any changes to the groupPolicyContainer object (the part of the
GPO in AD) show up in the security event log on the PDC emulator DC.
That will at least tell you that a GPO changed and who made the change, but
it won't show you what the change was. For that, you would need a 3rd
party product like those from NetIQ or NetPro.

 

Darren

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Difarnecio, Gino (Citco)
Sent: Wednesday, August 16, 2006 7:19 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Auditing

I would like to keep track of changes to my GPOs. Any suggestions on
the best way to accomplish this task? I figure enabling auditing at the
PDC in the policy folder will generate an event if I log write attempts.
Is there anything else that needs to be done to accomplish this?

Thanks
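
Added example, not part of the original thread or any product mentioned in it: the check Darren and Ryan describe, filtering Security-log event 566 records for writes to groupPolicyContainer objects, in Python. The event records are constructed, and the field labels in the description text are an assumed layout for event 566; the result names the account and the GPO but not the setting that changed, which is the limit the thread points out.

```python
import re

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*)$", re.M)
GPO_GUID = re.compile(r"CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System", re.I)

def _desc(obj_type, obj_name, user, accesses):
    # Constructed description text; the field labels are an assumed layout.
    return (f"Object Server: DS\nObject Type: {obj_type}\n"
            f"Object Name: {obj_name}\nClient User Name: {user}\n"
            f"Client Domain: EXAMPLE\nAccesses: {accesses}\n")

GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com"

# Constructed sample records, not taken from a real log.
SAMPLE_EVENTS = [
    {"id": 566, "time": "2006-08-16 10:02:11",
     "description": _desc("groupPolicyContainer", GPO_DN, "jdoe", "Write Property")},
    {"id": 566, "time": "2006-08-16 10:05:40",
     "description": _desc("organizationalUnit", "OU=Sales,DC=example,DC=com",
                          "asmith", "Write Property")},
    {"id": 566, "time": "2006-08-16 10:07:03",
     "description": _desc("groupPolicyContainer", GPO_DN, "backupsvc", "Read Property")},
    {"id": 540, "time": "2006-08-16 10:09:55", "description": "Successful Network Logon"},
]

def parse_fields(description):
    """Turn the 'Label: value' lines of an event description into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(description)}

def gpo_changes(events):
    """Return who wrote to which GPO, based only on event 566 records."""
    changes = []
    for ev in events:
        if ev["id"] != 566:
            continue
        f = parse_fields(ev["description"])
        if f.get("Object Type", "").lower() != "grouppolicycontainer":
            continue  # OU and other directory objects are out of scope here
        if "write" not in f.get("Accesses", "").lower():
            continue  # reads of the GPO object are not changes
        m = GPO_GUID.search(f.get("Object Name", ""))
        user = f"{f.get('Client Domain', '?')}\\{f.get('Client User Name', '?')}"
        changes.append({"time": ev["time"], "user": user,
                        "gpo": m.group(1) if m else f.get("Object Name", "")})
    return changes

if __name__ == "__main__":
    for c in gpo_changes(SAMPLE_EVENTS):
        print(f"{c['time']}  {c['user']} modified GPO {c['gpo']}")
```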
