Just to echo that, basically the only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rd party auditing product. Even products like APGM (nee GPOVault) require that you go through their interface to capture any change, and don?t catch ?out-of-band? changes that might get made. The 3rd party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are. However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that changed was. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Thorbjörn Sjövold Sent: Tuesday, April 03, 2007 2:26 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Which log to check to track changes made in Group Policy Group Policy is basically a combination of LDAP and files in the DCs so you need to enable auditing there then watch the security log on all DCs. But I would suggest that you check out Microsoft?s new Advanced Group Policy Manager, AGPM, that makes it possible to pretty much change Group Policy administration into a proper workflow process where every single step can be monitored for who did what. I do not believe it is released yet, but should be pretty soon, so if you need this now, there are third party tools from both NetPro, Quest and others that monitors changes in AD and thus Group Policy. Although I actually think you can still download GPOVault from DesktopStandard?s old web site (AGPM used to be GPOVault before MS acquired DesktopStandard). HTH, Thorbjörn Sjövold Special Operations Software www.specopssoft.com <http://www.specopssoft.com/> thorbjorn.sjovold a t specopssoft.com Download our free tool for remote Gpupdate with graphical reporting, http://www.specopssoft.com/products/specopsgpupdate/ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Washington, Booker Sent: den 3 april 2007 23:14 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Which log to check to track changes made in Group Policy If I wanted to check when a change was made to a policy within Group Policy, or to track all of the changes made to group olicy, which log would I check?