How to track when ‘Block GPO inheritance’ is enabled for a specific OU?

Active Directory allows you to assign a specific administrator to a particular OU and all the other child OUs within it. This allows you to deploy a set of security permissions to the resources within the OU. Child OUs carry a 'Block GPO Inheritance' feature that allows them to be exempted from the GPO settings that are assigned to the parent OU. While this feature proves useful in many administrative scenarios, it also creates a loophole where an attacker can block a specific OU from inheriting the security policies you have deployed. This would mean that the users and computers within that OU are vulnerable to malicious activity.

IT admins should monitor which OUs are exempted from inheriting GPOs.Though you can find this out using native AD, ADAudit Plus, a real-time AD auditing solution can help you get this information with just a few clicks. This article elaborates the steps for tracking changes to GPO inheritance with ADAudit Plus

Download for FREE Free, fully functional 30-day trial
  • With Native AD Auditing

  • With ADAudit Plus

  • How to track if 'Block GPO inheritance' is enabled using ADAudit Plus
  • In the ADAudit Plus console, navigate to the 'Reports' tab and select 'OU Management'----> 'Recently Modified OUs'. This gives you a report on changes made to organizational units.

  • Advanced search functionality offers you multiple filter attributes to look for a specific event.

  • Easily export your reports in CSV, HTML, PDF and XSL formats.

  • Correlate between other user management and computer management reports to spot anomalous behavior on the network.

  • Tracking Block Inheritance GPO enabled for an OU
  • Step 1: Enable OU Audit
  • Launch the Server Manager in your Windows Server.

  • Under 'Tools', navigate to the 'Group Policy Management Console' (GPMC).

  • On the left pane right click the 'Domain Controllers' option. You can choose the 'Create a new GPO and link it here option' or 'Link an existing GPO' option accordingly.

  • Right click the desired GPO and select 'Edit'. This opens up the 'Group Policy Management Editor'. Expand the node and select the 'Computer Configuration'.

  • You can then select 'Policies' and navigate to 'Windows Settings'. Under 'Windows Settings' select 'Security Settings' and then navigate to 'Advanced Audit Policy Configuration'.

  • In the 'Advanced Audit Policy Configuration' option select 'Audit Policies' and expand the node. Then select 'DS Access and double click the 'Audit Directory Service Access' option.

  • Configure this policy for both 'Success' and 'Failure'.

  • Also, configure 'Success and 'Failure' events for 'Audit Directory Service Changes'.

  • Exit the Group Policy Management Editor and return to the GPMC.

  • Go to the 'Domain Controllers' node and select the newly modified GPO. Under the 'Scope' tab on the right pane, you will find the 'Security Filtering' section. Select 'Add'.

  • This opens up the 'Select User, Computer or Group' window. Type 'everyone' in this window to apply this GPO to all objects.

  • You can now return to the GPMC. The group policy also needs to be applied through out the forest. You can do this by, opening up 'Run' on your server and executing gpupdate /force. You should receive a notification saying the policy update was successful.

  • Step 2: Activate AD Auditing in ADSI Edit.
  • From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

  • Click 'Okay' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

  • Click on ' Select a principle'. This will bring up a 'Select User, Computer or Group' Window. Type 'Everyone' in the textbox and verify it with 'Check Names'.

  • The principle in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit for both 'success' and 'failure' events.

  • In the 'Select' drop-down choose 'This object and all descendant object's. This allows the auditing of the OU's descendant objects. Select 'Full Control' in the 'Permissions' section.

  • Click 'Apply' and 'Okay' and close the window.

  • Step 3: Use Event Viewer to track events
  • In the 'Event Viewer' you can look for the following Event IDs under 'Security Logs'.

  • Event ID: 4670 describes permissions on an object that were changed.

Does native auditing become a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request Support

Thanks

One of our solution experts will get in touch with you shortly.

    Please enter business email address
  •  
     
  • By clicking 'Send Request', you agree to processing of personal data according to the Privacy Policy.

© 2019 Zoho Corp. All rights reserved.