[gptalk] Re: Which log to check to track changes made in Group Policy

  • From: Thorbjörn Sjövold <thorbjorn.sjovold@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 4 Apr 2007 01:13:44 +0200

Thanks Darren for following up on that, that is perfectly true. I should have 
added to my previous post that AGPM supports locking down all Group Policy 
Objects in a way that forces all Group Policy changes to be done 
through AGPM and stops any out-of-band changes, simply by allowing only the AGPM 
service to edit GPOs, with the permissions for admins being 
enforced by the AGPM service instead. But then, and only then, will you be able 
to stop out-of-band changes and keep track of changes. If you do not want to do 
this, you need to go for an auditing product to be certain. Also, not all info on 
who did what is exposed in the UI, although it is stored in the AGPM XML data. 


Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com/> 

thorbjorn.sjovold a t specopssoft.com


Download our free tool for remote Gpupdate with graphical reporting,

http://www.specopssoft.com/products/specopsgpupdate/


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: 4 April 2007 00:41
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Which log to check to track changes made in Group Policy


Just to echo that, basically the only foolproof method to find out who made a 
change to a GPO and exactly what setting was changed is to buy a 3rd party 
auditing product. Even products like AGPM (nee GPOVault) require that you go 
through their interface to capture any change, and don't catch "out-of-band" 
changes that might get made. The 3rd party auditing products actually resolve 
who made the change, what the changed setting was, and what its before and 
after values were/are.


However, you can audit that *some* change was made to a given GPO simply by 
using native AD access auditing in the security logs of DCs. Most GP changes 
default to being made on the PDCe DC, so you can reliably monitor its security 
log for changes to any groupPolicyContainer objects, and that will generally 
catch any GP changes. Again, it will only tell you that *something* changed, 
not what that change was.


Darren
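Added example (not from the thread or any of the posters): a PowerShell query against the PDC emulator's Security log for directory-service modification events on groupPolicyContainer objects, the native approach Darren describes above. It assumes Windows Server 2008 or later (event ID 5136 with an ObjectClass field; the Windows Server 2003 event IDs differ), the ActiveDirectory module, and that DS Access object auditing and a SACL on the Policies container are already enabled.

```powershell
# Added example, not code from the thread. Lists who modified which GPO
# object (and which attribute) according to the PDCe Security log.
param(
    [int]$Hours = 24   # how far back to search
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator   # most GP edits land on the PDC emulator

# Event 5136 = "A directory service object was modified" (2008+).
$filter = @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # ObjectClass is event data, not a keyword field, so filter here.
        if ($d['ObjectClass'] -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                GpoDN     = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                # OperationType is a resource string id: %%14674 added, %%14675 deleted.
                Operation = switch ($d['OperationType']) {
                    '%%14674' { 'Value Added' }
                    '%%14675' { 'Value Deleted' }
                    default   { $_ }
                }
                Value     = $d['AttributeValue']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

As the thread says, this shows that a GPO object changed (typically a versionNumber bump and extension-name updates) and who touched it, but not which policy setting was edited or its before/after values.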


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thorbjörn Sjövold
Sent: Tuesday, April 03, 2007 2:26 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Which log to check to track changes made in Group Policy


Group Policy is basically a combination of LDAP and files in the DCs, so you 
need to enable auditing there and then watch the security log on all DCs. But I 
would suggest that you check out Microsoft's new Advanced Group Policy Manager, 
AGPM, which makes it possible to pretty much change Group Policy administration 
into a proper workflow process where every single step can be monitored for who 
did what. I do not believe it is released yet, but it should be pretty soon, so if 
you need this now, there are third party tools from NetPro, Quest and 
others that monitor changes in AD and thus Group Policy. Although I actually 
think you can still download GPOVault from DesktopStandard's old web site (AGPM 
used to be GPOVault before MS acquired DesktopStandard).


HTH,


Thorbjörn Sjövold

Special Operations Software

www.specopssoft.com <http://www.specopssoft.com/> 

thorbjorn.sjovold a t specopssoft.com


Download our free tool for remote Gpupdate with graphical reporting,

http://www.specopssoft.com/products/specopsgpupdate/


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Washington, Booker
Sent: 3 April 2007 23:14
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Which log to check to track changes made in Group Policy


If I wanted to check when a change was made to a policy within Group Policy, or 
to track all of the changes made to Group Policy, which log would I check?

