How easy is it to track Group Policy changes using the event log?

Group Policy Objects contain the settings that control almost everything in Active Directory, including Sites, Domains, Organizational Units, Users, Groups, Computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is possible that someone with the right to make changes in the Group Policy Management Console has altered settings without authorization. Changes to Group Policy Objects like these, which can often remain unknown to others, can create accountability issues. It is therefore very important to audit these changes to know who made which change, when, and from which location.

GPO Auditing is possible with Windows 2000 Server; however, it was always a bit noisy and did not provide granular levels of detail. In the latest versions of Windows Server, Microsoft introduced advanced auditing where users can granularly determine what to audit and what not to audit, thus creating a manageable number of logs.

Group Policy is used to perform numerous tasks, including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here, you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts – Group Policy Templates (which define the GPO template) and Group Policy Containers (objects in Active Directory that point to the GPO template). Group Policy Templates are stored in the %SystemRoot%\SYSVOL folder. Auditing of the SYSVOL folder, Group Policy Container objects and DS objects has to be enabled in order to audit Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service Objects:

  1. Launch Group Policy Management Console (GPMC) from “Administrative Tools” in the “Start Menu”.
  2. Go to Forest -> Domains -> Domain Controllers.
  3. Right-click “Default Domain Controllers Policy”, and click “Edit” to open the “Group Policy Management Editor” (GPMC Editor).
  4. In the GPMC Editor window, navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies”.
  5. Select “DS Access” in the Audit Policies. The following policies are displayed:
     I. Audit Directory Service Access
     II. Audit Directory Service Changes
     III. Audit Directory Service Replication
     IV. Audit Detailed Directory Service Replication
  6. Double-click each of these policies in turn, and enable auditing for both “Success” and “Failure”.
  7. Follow the same steps to enable auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.
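
One way to confirm that the settings from the steps above have actually taken effect on a domain controller (an added example, not part of the original article). It assumes an elevated PowerShell session and an English-language OS, because auditpol prints localized subcategory names and settings; the function name is illustrative.

```powershell
# Added example: check that the audit subcategories enabled in the steps above
# are effective on this domain controller. Run from an elevated session.
# Assumption: English-language OS (auditpol output is localized).

$required = @(
    'Directory Service Access',
    'Directory Service Changes',
    'Directory Service Replication',
    'Detailed Directory Service Replication',
    'File System'
)

function Get-EffectiveAuditSetting {
    # /r makes auditpol emit CSV; blank lines are dropped before parsing.
    $lines = auditpol.exe /get '/category:*' /r | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit code $LASTEXITCODE); is the session elevated?"
    }
    $lines | ConvertFrom-Csv
}

$effective = Get-EffectiveAuditSetting

$report = foreach ($name in $required) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Compliant   = ($setting -eq 'Success and Failure')
    }
}

$report | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    # The GPO may not have been applied yet, or another policy may be overriding it.
    Write-Warning 'At least one subcategory is not audited for both Success and Failure.'
}
```

If a subcategory is reported as non-compliant right after editing the policy, run `gpupdate /force` on the domain controller and check again.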


    TOTD: Error applying RemoteFX 3D Adapter changes

    Hi, guys!

    In this Tip Of The Day we are going to discuss a strange issue in WS2012/2012R2 *

    When you add a RemoteFX adapter to a VM, an error pops up:

    Error applying RemoteFX 3D Adapter changes

    You’ve checked the requirements and confirmed that your environment fully meets them for RemoteFX:

    • The graphics adapter driver is up to date and the GPU is listed in the Windows Server Catalog
    • The host is up to date
    • SLAT-compatible CPU (systeminfo.exe; extended page tables or nested page tables are enabled in BIOS)
    • At least DirectX 11 and driver model WDDM 1.2 (dxdiag.exe shows the required versions)
    • Hyper-V is installed and the RemoteFX adapter is enabled

    You don’t have to rack your brain! It’s a GUI bug that originated in Windows Server 2012 RC (Release Candidate), and we don’t have any official patches or KBs yet. Just for reference, WS 2016 is coming and it is 2015 now.

    The solution is to use PowerShell instead of the GUI:

    Add-VMRemoteFx3dVideoAdapter -VMName vmname
    Set-VMRemoteFx3dVideoAdapter -VMName vmname -MonitorCount 1 -MaximumResolution 1920x1200
    Get-VMRemoteFx3dVideoAdapter -VMName vmname
    
    MaximumScreenResolution : 1920x1200
    MaximumMonitors : 1
    ComputerName : RDVH01
    Name : RemoteFX 3D Adapter
    Id : Microsoft:1C7D9096-ED62-4039-9285-FB88DB183C93\113560EA-48CD-4BD1-8828-FCEC44E2B5D5
    IsDeleted : False
    VMId : 1c7d9096-ed62-4039-9285-fb88db183c93
    VMName : vmname
    VMSnapshotId : 00000000-0000-0000-0000-000000000000
    VMSnapshotName :
    Key :
    

    *pics are in Russian but they are easy to understand 🙂

    TIP: after adding the RemoteFX 3D Adapter to a VM, you can configure it (change monitor count or resolution) in the GUI without any issues.