How to track changes made to a GPO

A Group Policy Object (GPO) is a collection of Group Policy settings that determines how a system will look and behave for a defined set of users. It is important for system administrators to audit Group Policy changes made by delegated users.

The following is a comparison to track the changes made to a GPO using native auditing and ManageEngine's ADAudit Plus, a comprehensive real-time Active Directory auditing solution.

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

  • Login to ADAudit Plus web console as an administrator.

  • Navigate to the Reports tab and from the GPO Management section in the left pane, select the GPO History report.

  • Select the domain and click Generate.

  • Select Export As to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).

  • Following are the limitations to track the changes made in GPOs using native auditing:

  • The report obtained in Event Viewer is not reader-friendly. Details specific to “Who, What, When and Where” will not be displayed in the same place, and before and after values will not be available side-by-side.

  • It's difficult to generate the report for different time zones and date formats.

  • ADAudit Plus will generate the report of GPO history and display it in a simple and intuitively designed UI.

  • Step 1: Configure DS Objects and File System auditing
  • Follow the steps given below to enable Directory Service Objects auditing:

  • Go to Start Menu -> Administrative Tools.

  • Launch “Group Policy Management Console”.

  • Go to Forest -> Domains -> Domain Controllers.

  • Next, right-click on the “Default Domain Controllers Policy”. From the context menu, click on “Edit” to open the “Group Policy Management Editor” window.

  • Go to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies” in the editor window.

  • In the “Audit Policies”, click on “DS Access”. The following policies will be displayed:

    1. Audit Directory Service Access

    2. Audit Directory Service Changes

    3. Audit Directory Service Replication

    4. Audit Detailed Directory Service Replication

  • Double-click on each of these policies and enable both “Success” and “Failure” auditing as shown in the figure below.

  • Follow the same steps to enable the auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.

  • Step 2: Configure Group Policy Container Objects auditing
  • Follow the steps given below to enable Group Policy Container Objects auditing:

  • Launch ADSIEdit.msc (Active Directory® Service Interfaces Editor).

  • Go to the left pane and right-click on the root “ADSI Edit”. Select “Connect to” option from the context menu. Connect to the current domain controller (DC), which appears with “Default Naming Context”.

  • Click “OK” to connect.

  • In the left panel, a tree will appear. Double click on the node of “Default naming Context” and go to “DC=www,DC=domain,DC=com” -> “CN=System” -> “CN=Policies”.

  • Right click on the “CN=Policies” and navigate to Properties.

  • Go to “Security” tab and click on “Advanced” button to access its Advanced Security Settings.

  • Navigate to “Auditing” tab in the Advanced Security Settings.

  • Use the “Add” button to add the user for whom the auditing has to be enabled. The following window appears.

  • Enter name of the user for which you want to enable the auditing. You can also type “Everyone” to audit all users’ changes.

  • Click “Check Names” to confirm the username.

  • Click on “OK” to add the user. “Auditing Entry for Policies” dialog box appears.

  • Choose the entries for which the user’s action will be audited. Select “Full Control” for auditing both “successful” and “failed” events.

  • Select the “Apply these auditing entries to objects and/or containers within this container only” checkbox to apply the changes to the child objects as well.

  • Click on “OK” to apply these auditing entries. “Auditing” tab of Advanced Security Settings will appear.

  • Click “Apply” and “OK” to apply the auditing settings.

  • Step 3: Configure SYSVOL folder auditing
  • Follow the below steps to enable SYSVOL folder auditing where the Group Policy Templates are stored:

  • In Windows Explorer, browse the %systemroot% folder.

  • Go to the “SYSVOL” folder, and right-click on it. Click on “Properties”.

  • Navigate to the “Security” tab and click “Advanced”. The “Advanced Security Settings” for SYSVOL folder will be displayed.

  • Navigate to “Auditing” tab, and click on the “Edit” button. The following auditing settings will be displayed.

  • Click on “Add” button to add the user for which the auditing has to be enabled.

  • Choose the auditing entries.

  • You can also choose to audit the files and sub-folders as well.

  • Click “OK” to complete the process.

  • Step 4: View the result
  • After the above auditing setting has been applied, every change to the GPO will be tracked and can be viewed from the Event Viewer.

Native auditing becoming a little too much?

Simplify Active Directory auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.