How to track group policy changes

Using ADAudit Plus to audit Group Policy changes

  1. Log on to the web console of ADAudit Plus.
  2. Navigate to Reports -> GPO Setting Changes.
  3. You will see several out-of-the-box reports that track Group Policy changes in real time, for example the Group Policy Settings Changes report.
  4. In this report, you can see the name of the GPO that was modified, the modification time, and who modified it. For granular details, click on Show Details under Summary.

It's important for IT administrators to audit all changes to Group Policy because it controls the working environment of all Active Directory (AD) objects including users and computers. Group Policy defines how different systems, users, and other AD objects interact with each other. A collection of Group Policy configurations set up by an IT administrator is known as a Group Policy Object (GPO).

Attackers looking to compromise an AD environment may attempt to target GPOs and make malicious changes. Auditing changes to GPOs will let an administrator know exactly what change was made, when it was made, who made the change, and where the change was made. This will harden the security of the AD environment and also enable the administrator to revert any unauthorized changes.

To audit changes to Group Policy, IT administrators first have to enable auditing of DS objects, Group Policy container objects, and the SYSVOL folder.

How to enable auditing of DS objects

  1. Launch Server Manager in your Windows Server operating system.
  2. Navigate to Tools -> Group Policy Management.
  3. Go to Domains -> Domain Controllers.
  4. Do one of two things: right-click on Default Domain Controllers Policy and then click on Edit to launch the Group Policy Management Editor, or create a new GPO.
  5. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access.
  6. Enable auditing for both "Success" and "Failure" for each of Audit Detailed Directory Service Replication, Audit Directory Service Access, Audit Directory Service Changes, and Audit Directory Service Replication.
  7. Now go to Advanced Audit Policy Configuration -> Audit Policies -> Object Access.
  8. Enable both "Success" and "Failure" auditing for all 14 subcategories of event types.

How to enable auditing of Group Policy container objects

  1. Navigate to Server Manager -> Tools -> ADSI Edit.
  2. Right-click on ADSI Edit in the left pane, and select "Connect to" to open Connection Settings. You will notice that the path points to your domain controller.
  3. Hit OK to connect.
  4. Open Default Naming Context.
  5. Navigate to DC=Domain -> DC=com -> CN=System -> CN=Policies (DC=Domain and DC=com stand for your own domain name components).
  6. Right-click on CN=Policies, and go to Properties.
  7. Go to Security -> Advanced -> Auditing -> Add.
  8. In the Auditing Entry for Policies wizard, choose Everyone for the principal.
  9. The Type should be "Success", and Applies to should be "This object and all descendant objects."
  10. Under Permissions, choose all the entries for which actions will be audited. You may wish to audit "Create GroupPolicy Container Objects", "Delete", "Modify Permissions", and "Write VersionNumber" at a minimum.
  11. Click on OK.

How to enable auditing of the SYSVOL folder

  1. Go to your SYSVOL folder, which is usually found at C:\Windows\SYSVOL.
  2. Right-click on the SYSVOL folder and go to Properties.
  3. Go to Security -> Advanced to open the Advanced Security Settings for the SYSVOL folder.
  4. Click on the Auditing tab, and then click on Add.
  5. Under Principal, choose "Everyone" to enable auditing for changes made by everyone in your AD.
  6. Choose your auditing entries.
  7. Hit OK.
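Once the three settings above are in place, they can be checked from PowerShell instead of clicking through each dialog again. This is an added example, not part of the original article or of ADAudit Plus; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module installed, and the function name Test-GpoAuditPrerequisites is my own.

```powershell
# Added example (not from the article): verify the three audit prerequisites
# described above. Assumes an elevated session on a DC with the RSAT
# ActiveDirectory module; the domain DN is read from AD at run time.
Import-Module ActiveDirectory

function Test-GpoAuditPrerequisites {
    $result = [ordered]@{}

    # 1. DS Access subcategories must be "Success and Failure" in the effective policy.
    $subcats = 'Directory Service Access', 'Directory Service Changes',
               'Directory Service Replication', 'Detailed Directory Service Replication'
    foreach ($s in $subcats) {
        # auditpol /r prints CSV; the "Inclusion Setting" column holds the effective value
        $row = auditpol /get /subcategory:"$s" /r | Where-Object { $_ } | ConvertFrom-Csv
        $result["AuditPolicy: $s"] = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }

    # 2. SACL on CN=Policies: a Success entry for Everyone that covers writes and
    #    is inherited by descendant objects (the GPO containers themselves).
    $dn  = "CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
    $sec = Get-Acl -Path "AD:\$dn" -Audit
    $adRules = $sec.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    $result['SACL: CN=Policies'] = [bool]($adRules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0) -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0) -and
        $_.InheritanceType -ne [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    })

    # 3. SACL on the SYSVOL folder (the article's C:\Windows\SYSVOL, via %SystemRoot%).
    $fsSec   = Get-Acl -Path "$env:SystemRoot\SYSVOL" -Audit
    $fsRules = $fsSec.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    $result['SACL: SYSVOL'] = [bool]($fsRules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -ne 0)
    })

    # One object with a $true/$false per prerequisite
    [pscustomobject]$result
}

Test-GpoAuditPrerequisites | Format-List
```

Any $false in the output points at the step above that still needs to be done on that domain controller.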

There are two ways to audit GPOs: 1) using native tools such as Event Viewer, and 2) using a comprehensive AD auditing solution such as ADAudit Plus. In this article, we compare both methods.

Using native auditing tools (Event Viewer)

  1. Navigate to Start Menu -> Control Panel -> Administrative Tools -> Event Viewer.
  2. Filter the events for event ID 5136, as this gives the list of Group Policy changes, value changes, and GPO link changes.
  3. Here's a sample screenshot of a search for event ID 5136:

    (Screenshot: search for event ID 5136 in Event Viewer.)

There are several disadvantages of using Event Viewer to audit GPO changes:

  • It is not easy to use, as the data exists under various logs. The administrator therefore has to view several logs to get the full picture of what happened.
  • There are no tabular reports or charts in Event Viewer for the IT administrator to use. This makes it difficult to visualize the data.
  • The administrator has to sift through logs manually, take notes, and spend substantial effort to analyze which GPO was changed, who changed it, when they changed it, and where they changed it.

It's always better to use a comprehensive AD auditing solution like ADAudit Plus to audit all GPO changes. This will go a long way in protecting the AD of your organization.
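The event ID 5136 search from the native-tools steps above, scripted so that the who, what and when of each change are pulled out of the event record rather than read off by hand. This is an added example, not from the article or from ADAudit Plus; it assumes rights to read the Security log of the domain controller and that the auditing settings above are already enabled, and the function name Get-GpoChangeEvent and the 24-hour default window are my own choices.

```powershell
# Added example (not from the article): reduce event ID 5136 records to
# who changed which GPO attribute, and when. Assumes read access to the
# Security log on the DC named in -ComputerName.
function Get-GpoChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)   # illustrative default window
    )
    # 5136 = "A directory service object was modified"
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # OperationType is stored as a resource id; these two are the values 5136 uses
    $opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

    foreach ($e in $events) {
        # EventData is a list of <Data Name="..."> nodes; turn it into a lookup table
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Keep GPO container changes (setting/version edits) and gPLink edits on
        # the OU/domain objects (link changes); drop every other 5136 record
        $isGpo  = $d['ObjectClass'] -eq 'groupPolicyContainer'
        $isLink = $d['AttributeLDAPDisplayName'] -eq 'gPLink'
        if (-not ($isGpo -or $isLink)) { continue }

        $op = $d['OperationType']
        if ($opNames.ContainsKey($op)) { $op = $opNames[$op] }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Value     = $d['AttributeValue']
            Operation = $op
            DC        = $e.MachineName
        }
    }
}

# Example use: last 24 hours on the local DC, one row per attribute change
Get-GpoChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

An attribute edit is logged as a "Value Deleted" record followed by a "Value Added" record for the same attribute, so a single setting change produces two rows here.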
