[gptalk] Re: GPO Auditing
- From: "Ireton, Doug" <doug.ireton@xxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Wed, 23 Aug 2006 14:10:17 -0700
Try this blog entry for GPO auditing:
Monitoring Group Policy Changes with Windows Auditing
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx
Thanks,
_________________________________________
Doug Ireton, Group Policy Engineer
SASE - Infrastructure Applications
Technology Solutions Group
Washington Mutual
1111 Third Avenue, EET 1734, Seattle, WA 98101
206.377.1854 direct | 206.412.3684 mobile
doug.ireton@xxxxxxxx
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Sullivan, Kevin
Sent: Thursday, August 17, 2006 9:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
OK, I'm in...
<plug>
There is one other third party product you should take a look at. GPOVault from
DesktopStandard. There is a free version you can check out or eval the
enterprise version. What it does is manage Group Policy in an offline
repository so all changes are tracked and maintained over time. It is a plug
into the GPMC which makes for a very simple design and very quick uptime.
You can see who made what changes when and when those changes were actually
deployed to the live environment. You can roll back any changes to any point in
the history of the GPO. You can protect your live environment by not giving any
explicit permissions to the live environment and only allowing management
through the role based delegation in the Vault (this is only in the Enterprise
version). Of course there is an approval based workflow process so that lower
level delegates have to have their changes checked prior to deployment to the
live environment. Lots of other great stuff.
</plug>
The third party solutions really took the bull by the horns and provided a lot
of the missing pieces to management of Group Policy. This is one of the areas
that has been lacking quite a bit. Yeah there has been a MOM pack for a while
now and I know a few folks who get some good info out of it but it does not
address the issues around fully managing your Group Policy environment.
<plug>
Don't forget the free version of GPOVault...
</plug>
Kevin
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, August 17, 2006 11:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
OK. Enough product pitching :-). This list is meant to be devoid of that or
otherwise "vendor-neutral". To that end, in addition to SecureVantage, I will
reiterate that NetIQ, Quest and NetPro all provide detailed AD & GPO change
auditing, including some with MOM integration. You can definitely use any
garden variety monitoring product to tell you whether a GPO change has
occurred, but as I said initially, you typically need 3rd party products to get
more detail than that.
Darren
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Brennan
Sent: Thursday, August 17, 2006 7:27 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
Garry,
You are 100% correct you can definitely monitor GPO changes with MOM by
scraping the Object Access 566 Events in the security logs. This generally
tells you that a GPO changed and the person that changed it, etc - it does not tell
you what changed (settings/attributes) and the impact of that change.
The Secure Vantage MP allows you to have detailed Change Auditing and
Reporting; including GPO changes (566) and the Impact analysis of GPO attribute
changes on each server. It's very powerful and much more than just 566
Auditing; it uses RSOP to do discovery, auditing, and baselining of GPOs and
more importantly the RSOP of GPO attributes and lots of Reporting!
-ryan
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Meaburn, Garry
Sent: Thursday, August 17, 2006 7:24 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
Hi, you can also configure MOM to monitor for GPO changes without using
Secure Vantage's product. I currently use MOM to monitor any GPO or OU
changes.
Regards,
Garry Meaburn
Odyssey Operations - Active Directory
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Brennan
Sent: 16 August 2006 16:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
If you're using MOM you could use Secure Vantage's Group Policy PCMP
Product also to do GPO Auditing :)!
http://www.securevantage.com/ProductsPCMP.html.
-ryan
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Wednesday, August 16, 2006 10:17 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO Auditing
Generally speaking, the GP auditing that is available is pretty weak, but if
you have directory access auditing enabled on your DCs, then you will see any
changes to the groupPolicyContainer object (the part of the GPO in AD) show up
in the security event log on the PDC emulator DC. That will at least tell you that
a GPO changed and who made the change, but it won't show you what the change
was. For that, you would need a 3rd party product like those from NetIQ or
NetPro.
Darren
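
The filtering described in the two messages above (event 566 in the Security log, narrowed to writes on groupPolicyContainer objects), as an added example that is not part of the thread or any poster's own code. The key=value export format, field names, users and GUIDs are constructed for illustration; as the thread says, the result shows who changed which GPO and when, not what the change was.

```python
import re

# Constructed sample: one record per line in a made-up key=value export format.
# Event ID 566 and groupPolicyContainer come from the thread; all else is invented.
SAMPLE_LOG = r'''
2006-08-16T10:02:11 EventID=566 ObjectType=groupPolicyContainer Accesses="Write Property" ClientUser=EXAMPLE\alice ObjectName="CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=com"
2006-08-16T10:05:40 EventID=566 ObjectType=organizationalUnit Accesses="Write Property" ClientUser=EXAMPLE\bob ObjectName="OU=Servers,DC=example,DC=com"
2006-08-16T10:07:02 EventID=566 ObjectType=groupPolicyContainer Accesses="Read Property" ClientUser=EXAMPLE\carol ObjectName="CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=com"
2006-08-16T11:15:27 EventID=566 ObjectType=groupPolicyContainer Accesses="Write Property" ClientUser=EXAMPLE\dave ObjectName="CN={BBBBBBBB-0000-0000-0000-000000000002},CN=Policies,CN=System,DC=example,DC=com"
2006-08-16T11:20:00 EventID=566 ObjectType=groupPolicyContainer Accesses="Write Property" ClientUser=EXAMPLE\erin ObjectName="CN={aaaaaaaa-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=com"
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
GPO_DN = re.compile(r'^CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System,', re.I)

def parse_line(line):
    """Split 'time key=value ...' into a dict; None for blank lines."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    rec = {"Time": parts[0]}
    for key, quoted, bare in FIELD.findall(parts[1]):
        rec[key] = quoted or bare
    return rec

def gpo_changes(log_text):
    """Return (time, user, GPO GUID) for each write to a groupPolicyContainer."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if not rec or rec.get("EventID") != "566":
            continue
        if rec.get("ObjectType", "").lower() != "grouppolicycontainer":
            continue  # OUs and other directory objects also raise 566
        if "write property" not in rec.get("Accesses", "").lower():
            continue  # reads are audited too but are not changes
        m = GPO_DN.match(rec.get("ObjectName", ""))
        if m:
            hits.append((rec["Time"], rec.get("ClientUser", "?"), m.group(1).upper()))
    return hits

def changes_by_gpo(log_text):
    """Group the hits per GPO so each policy lists who touched it and when."""
    out = {}
    for when, who, guid in gpo_changes(log_text):
        out.setdefault(guid, []).append((when, who))
    return out

print(changes_by_gpo(SAMPLE_LOG))
```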
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Difarnecio, Gino (Citco)
Sent: Wednesday, August 16, 2006 7:19 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Auditing
I would like to keep track of changes to my GPOs. Any suggestions on the
best way to accomplish this task? I figure enabling auditing at the PDC in the
policy folder will generate an event if I log write attempts. Is there anything
else that needs to be done to accomplish this?
Thanks