[gptalk] Re: GPO Auditing

  • From: "Ireton, Doug" <doug.ireton@xxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 23 Aug 2006 14:10:17 -0700

Try this blog entry for GPO auditing:

Monitoring Group Policy Changes with Windows Auditing

http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx


Thanks,

_________________________________________

 

Doug Ireton, Group Policy Engineer

SASE - Infrastructure Applications

Technology Solutions Group 

Washington Mutual

1111 Third Avenue, EET 1734, Seattle, WA 98101 

206.377.1854 direct | 206.412.3684 mobile

doug.ireton@xxxxxxxx

 


________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Sullivan, Kevin
Sent: Thursday, August 17, 2006 9:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

OK, I'm in…

 

<plug>

There is one other third party product you should take a look at. GPOVault from 
DesktopStandard. There is a free version you can check out or eval the 
enterprise version. What it does is manage Group Policy in an offline 
repository so all changes are tracked and maintained over time. It is a plug 
into the GPMC which makes for a very simple design and very quick uptime.

 

You can see who made what changes when and when those changes were actually 
deployed to the live environment. You can roll back any changes to any point in 
the history of the GPO. You can protect your live environment by not giving any 
explicit permissions to the live environment and only allowing management 
through the role based delegation in the Vault (this is only in the Enterprise 
version). Of course there is an approval based workflow process so that lower 
level delegates have to have their changes checked prior to deployment to the 
live environment. Lots of other great stuff.

</plug>

 

The third party solutions really took the bull by the horns and provided a lot 
of the missing pieces to management of Group Policy. This is one of the areas 
that has been lacking quite a bit. Yeah there has been a MOM pack for a while 
now and I know a few folks who get some good info out of it but it does not 
address the issues around fully managing your Group Policy environment.

 

<plug>

Don't forget the free version of GPOVault…

</plug>

 

Kevin

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Thursday, August 17, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

OK. Enough product pitching :-). This list is meant to be devoid of that or 
otherwise "vendor-neutral". To that end, in addition to SecureVantage, I will 
reiterate that NetIQ, Quest and NetPro all provide detailed AD & GPO change 
auditing, including some with MOM integration. You can definitely use any 
garden variety monitoring product to tell you whether a GPO change has 
occurred, but as I said initially, you typically need 3rd party products to get 
more detail than that.

 

Darren

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ryan Brennan
Sent: Thursday, August 17, 2006 7:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

Garry,

 

You are 100% correct you can definitely monitor GPO changes with MOM by 
scraping the Object Access 566 Events in the security logs.  This generally 
tells you that a GPO changed and the person that changed it, etc - it does not tell 
you what changed (settings/attributes) and the impact of that change.

 

The Secure Vantage MP allows you to have detailed Change Auditing and 
Reporting; including GPO changes (566) and the Impact analysis of GPO attribute 
changes on each server. It's very powerful and much more than just 566 
Auditing; it uses RSOP to do discovery, auditing, and baselining of GPOs and 
more importantly the RSOP of GPO attributes and lots of Reporting!

 

 

-ryan

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Meaburn, Garry
Sent: Thursday, August 17, 2006 7:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Hi, you can also configure MOM to monitor for GPO changes without using the 
Secure Vantage's product. I currently use MOM to monitor any GPO or OU 
changes.

 

Regards,

Garry Meaburn

Odyssey Operations - Active Directory

 

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ryan Brennan
Sent: 16 August 2006 16:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

If you're using MOM you could use Secure Vantage's Group Policy PCMP 
Product also to do GPO Auditing :)!  
http://www.securevantage.com/ProductsPCMP.html.

 

-ryan

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Wednesday, August 16, 2006 10:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing

 

Generally speaking, the GP auditing that is available is pretty weak, but if 
you have directory access auditing enabled on your DCs, then you will see any 
changes to the groupPolicyContainer object (the part of the GPO in AD) show up 
in the security event log on the PDC emulator DC. That will at least tell you that 
a GPO changed and who made the change, but it won't show you what the change 
was. For that, you would need a 3rd party product like those from NetIQ or 
NetPro.

 

Darren

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Difarnecio, Gino (Citco)
Sent: Wednesday, August 16, 2006 7:19 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Auditing

I would like to keep track of changes to my GPOs. Any suggestions on the 
best way to accomplish this task? I figure enabling auditing at the PDC in the 
policy folder will generate an event if I log write attempts. Is there anything 
else that needs to be done to accomplish this?

Thanks
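
The event 566 check that Ryan Brennan and Darren Mar-Elia describe in this thread, sketched as an added example (not code from any poster or product mentioned here): it filters security-log records for write access to groupPolicyContainer objects and reports which accounts touched which GPO. The record layout, the `---` separator, and all names and GUIDs are constructed assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (made-up names and GUID); field labels are assumed
# to follow the Windows Server 2003 event 566 description text.
SAMPLE = """\
Event ID: 566
Object Type: groupPolicyContainer
Object Name: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=test
Client User Name: jdoe
Client Domain: EXAMPLE
Accesses: Write Property
---
Event ID: 566
Object Type: organizationalUnit
Object Name: OU=Sales,DC=example,DC=test
Client User Name: asmith
Client Domain: EXAMPLE
Accesses: Write Property
---
Event ID: 566
Object Type: groupPolicyContainer
Object Name: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=test
Client User Name: asmith
Client Domain: EXAMPLE
Accesses: Write Property
"""

GPO_GUID = re.compile(r"CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System,", re.I)

def parse_record(text):
    """Turn one block of 'Label: value' lines into a dict."""
    pairs = (line.partition(":") for line in text.strip().splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def gpo_writers(log_text):
    """Map GPO GUID -> accounts that wrote to its groupPolicyContainer."""
    writers = defaultdict(list)
    for record in log_text.split("\n---\n"):
        f = parse_record(record)
        m = GPO_GUID.search(f.get("Object Name", ""))
        # Keep only write access to a GPO's AD object, as reported by event 566.
        if (f.get("Event ID") != "566" or not m
                or f.get("Object Type") != "groupPolicyContainer"
                or "Write" not in f.get("Accesses", "")):
            continue
        account = f.get("Client Domain", "?") + "\\" + f.get("Client User Name", "?")
        if account not in writers[m.group(1)]:
            writers[m.group(1)].append(account)
    return dict(writers)
```

As the thread points out, output of this kind shows that a GPO changed and who changed it, not which setting changed.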
