How easy is it to track Group Policy changes using the event log?

Group Policy Objects contain the settings that control almost everything in Active Directory, including Sites, Domains, Organizational Units, Users, Groups, Computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is also possible that someone with the right to make changes in the Group Policy Management Console has altered settings without authorization. Changes to Group Policy Objects like these often remain unknown to others and create accountability issues. It is therefore very important to audit these changes so that you know who made which change, when, and from which location.

GPO auditing has been possible since Windows 2000 Server; however, it was always rather noisy and did not provide a granular level of detail. In the latest versions of Windows Server, Microsoft introduced advanced audit policy, with which administrators can decide granularly what to audit and what not to audit, producing a manageable number of events.

Group Policy is used to perform numerous tasks; including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here, you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts: the Group Policy Template (the settings files on disk) and the Group Policy Container (an object in Active Directory that points to the template). Group Policy Templates are stored in the %SystemRoot%\SYSVOL folder. Auditing of the SYSVOL folder, of the Group Policy Container objects and of Directory Service objects therefore has to be enabled in order to audit changes to Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service Objects:

  1. Launch Group Policy Management Console (GPMC) from the “Administrative Tools” in the “Start Menu”.
  2. Go to Forest -> Domains -> Domain Controllers.

  3. Right click “Default Domain Controllers Policy”, and click on “Edit” to access “Group Policy Management Editor” (GPMC Editor).

  4. The GPMC Editor window opens up, in the editor window navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies”.

  5. Select “DS Access” in the Audit Policies. The following policies will be displayed in it:

     I. Audit Directory Service Access
     II. Audit Directory Service Changes
     III. Audit Directory Service Replication
     IV. Audit Detailed Directory Service Replication

  6. One by one, double-click these policies and enable their auditing for both “Success” and “Failure”.
  7. Follow the same steps to enable auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.
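Once the policy above has applied to the domain controllers, the following PowerShell, an added example that is not part of the original article, verifies the effective audit policy with auditpol and then pulls the resulting Directory Service Changes events for GPO containers out of the Security log. It assumes it runs elevated on a domain controller; event IDs 5136 (object modified), 5137 (object created) and 5141 (object deleted) and the data field names are those of the built-in events, while the function name Get-GpoChangeEvent is mine.

```powershell
# Added example (not from the original article). Run elevated on a domain controller
# after the "DS Access" subcategories have been applied.

# 1. Confirm the effective audit policy. auditpol shows what is actually in force on
#    this DC, which is what matters when several GPOs compete for the same setting.
foreach ($sub in 'Directory Service Changes', 'Directory Service Access', 'File System') {
    auditpol /get /subcategory:"$sub" | Select-String 'Success|Failure|No Auditing'
}

# 2. Collect GPO container changes from the Security log.
function Get-GpoChangeEvent {
    param ([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5141        # modified, created, deleted
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only the AD half of a GPO (the container object) is of interest here
        if ($data['ObjectClass'] -ne 'groupPolicyContainer') { return }

        $action = switch ($_.Id) { 5136 { 'Modified' } 5137 { 'Created' } 5141 { 'Deleted' } }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = $action
            Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            GpoDN     = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']   # empty for 5137/5141
            Value     = $data['AttributeValue']
        }
    }
}

Get-GpoChangeEvent -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

One attribute edit in GPMC shows up as a pair of 5136 events (old value removed, new value added), and every GPO edit bumps the container's versionNumber attribute, so that attribute is a reliable marker of "this GPO was changed". Directory Service Changes events are only generated for objects whose SACL requests them; the default SACL on the domain partition does, but check the GPO container's SACL if nothing appears. Likewise “Audit File System” only produces events for files that carry an audit SACL, so one has to be set on the SYSVOL Policies folder to catch edits to the template half of a GPO.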


    Automating Exchange 2016 installation with Desired State Configuration

    Hi, folks!

    There is a good example of an Exchange installation inside the help files of the xExchange module, but it is actually not valid for Exchange 2016:

    • no installation of server roles and features = configuration fails
    • Exchange 2016 no longer has a separate Client Access role = wrong installation parameters and setup fails
    • UCMA is required to be installed = errors during the prerequisite check
    • LCM parameters are not optimal
    • no certificate management
    • no variables passed via the command line = not suitable for unattended setup

    So here is the fixed version of that example.

    It has been tested on a VM with an up-to-date, domain-joined 2012 R2 guest machine.

    If you are not yet familiar with PowerShell DSC, it is recommended to review the basics before setting up, and then do the following additional steps:

    0) Step for lazy persons: download link for the all-in-one zip file

    1) Install the following update (only for PowerShell v3 and v4.0) :

    PackageManagement PowerShell Modules Preview – March 2016

    2) Import or verify that the required modules are available :

    • xExchange. A custom module for installing and configuring an Exchange environment (installation, DAG, settings and more)
    • WindowsFeature. Built-in DSC resource that ensures and installs Windows Server roles/features
    • Package. Built-in DSC resource that installs program packages (msi, exe, etc.)
    • xPendingReboot. Custom module that reboots the system if it is in the “pending reboot” state.
    • To list installed custom DSC resources:
      Get-DscResource | Where-Object { $_.ModuleName -NotMatch "PSDesired" }

    • To install a custom DSC module (internet connectivity is required):
      Install-Module xExchange

    • I prefer to save the module for further use and then install it, or just copy it to one of the PowerShell module paths:
      #save the module to a pre-created folder
      Save-Module xExchange -Path C:\DSC\Modules

      #copy the module to one of the following folders (the one under Program Files is recommended)
      $env:PSModulePath -split ';'

      C:\Users\username\Documents\WindowsPowerShell\Modules
      C:\Program Files\WindowsPowerShell\Modules
      C:\Windows\system32\WindowsPowerShell\v1.0\Modules
      

    3) Prepare folders. The script uses the following paths:

    • “C:\Exch” – Exchange binaries
    • “C:\ExchInstall\Cert” – files required for the certificate import
    • “C:\UCMA” – UCMA installation files

    4) Download the Exchange media and copy the setup files (to C:\Exch in my case)

    5) Extract the UCMA package to another folder (the script uses C:\UCMA)

    6) (optional) Prepare a certificate for securing the MOF files. I use this module to create one and then export the PFX and CER files to “C:\ExchInstall\Cert”.

    Note: If you don't want to secure your MOF files, you can comment out the related lines in the main script (see the comment blocks in the next step).

    . .\New-SelfSignedCertificateEx.ps1
    New-SelfsignedCertificateEx `
        -Subject 'CN=localhost' `
        -EKU 'Document Encryption' `
        -KeyUsage 'KeyEncipherment, DataEncipherment' `
        -SAN localhost `
        -FriendlyName 'DSC certificate' `
        -Exportable `
        -StoreLocation 'LocalMachine' `
        -StoreName 'My' `
        -KeyLength 2048 `
        -ProviderName 'Microsoft Enhanced Cryptographic Provider v1.0' `
        -AlgorithmName 'RSA' `
        -SignatureAlgorithm 'SHA256'
    

    7) Create a new script (ps1) containing the following lines

    Note: RebootNodeIfNeeded is set to “True” so that the LCM has the right to reboot your machine automatically.

    <#
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |w|w|w|.|r|l|e|v|c|h|e|n|k|o|.|c|o|m|
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

    ::Exchange 2016 Installation (DSC)
    ::Required modules: xExchange and xPendingReboot
    #>

    #Variables
    param (
        #Domain name is mandatory (e.g. contoso.com); alternatively use Get-ADDomain if the domain already exists
        [Parameter(Mandatory = $true)]
        [string]$DomainName
    )

    #NetBIOS name is the first label of the DNS domain name
    $netbios = $DomainName.Split('.')[0]

    #Creds for the Exchange install account ($pwd is avoided as a name because it is a built-in automatic variable)
    $installPwd = ConvertTo-SecureString 'Pass123' -AsPlainText -Force
    $Creds = New-Object System.Management.Automation.PSCredential ("$netbios\Administrator", $installPwd)

    #Import the certificate for securing MOF (optional; the related lines can be just commented out)
    $CertPW = ConvertTo-SecureString 'Pass123' -AsPlainText -Force
    Import-PfxCertificate -Password $CertPW -CertStoreLocation Cert:\LocalMachine\My -FilePath C:\ExchInstall\cert\publickey.pfx

    #DSC starts here
    Configuration InstallExchange
    {
        #Credential is passed in explicitly (the compile line below uses -Creds)
        param (
            [Parameter(Mandatory = $true)]
            [System.Management.Automation.PSCredential]$Creds
        )

        Import-DscResource -Module xExchange
        Import-DscResource -Module xPendingReboot

        #Windows roles and features required by Exchange 2016 (note: there is 1 planned automatic reboot)
        $requiredFeatures = @(
            'AS-HTTP-Activation', 'Desktop-Experience', 'NET-Framework-45-Features', 'RPC-over-HTTP-proxy',
            'RSAT-Clustering', 'RSAT-Clustering-CmdInterface', 'RSAT-Clustering-Mgmt', 'RSAT-Clustering-PowerShell',
            'Web-Mgmt-Console', 'WAS-Process-Model', 'Web-Asp-Net45', 'Web-Basic-Auth', 'Web-Client-Auth',
            'Web-Digest-Auth', 'Web-Dir-Browsing', 'Web-Dyn-Compression', 'Web-Http-Errors', 'Web-Http-Logging',
            'Web-Http-Redirect', 'Web-Http-Tracing', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter', 'Web-Lgcy-Mgmt-Console',
            'Web-Metabase', 'Web-Mgmt-Service', 'Web-Net-Ext45', 'Web-Request-Monitor', 'Web-Server',
            'Web-Stat-Compression', 'Web-Static-Content', 'Web-Windows-Auth', 'Web-WMI',
            'Windows-Identity-Foundation', 'RSAT-ADDS'
        )

        Node $AllNodes.NodeName
        {
            #Sets the certificate for the LCM on every node ($Node is the current node's data; the "*" entry is merged into it)
            LocalConfigurationManager
            {
                CertificateId      = $Node.Thumbprint
                RebootNodeIfNeeded = $true
                ConfigurationMode  = 'ApplyOnly'
            }

            #Installs the required components for Exchange, one WindowsFeature resource per feature
            foreach ($feature in $requiredFeatures)
            {
                WindowsFeature $feature
                {
                    Ensure = 'Present'
                    Name   = $feature
                }
            }

            #Installs UCMA. Don't forget to change the path if required
            Package UCMA
            {
                Ensure    = 'Present'
                Name      = 'Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit'
                Path      = 'C:\UCMA\UcmaRuntimeSetup\ironmansetup.exe'
                ProductId = 'ED98ABF5-B6BF-47ED-92AB-1CDCAB964447'
                Arguments = '/q'
            }

            #Checks the Exchange setup directory (change it if necessary). No recurse.
            File ExchangeBinaries
            {
                Ensure          = 'Present'
                Type            = 'Directory'
                Recurse         = $false
                SourcePath      = 'C:\Exch'
                DestinationPath = 'C:\Exch'
            }

            #Checks if a reboot is needed before installing Exchange
            xPendingReboot BeforeExchangeInstall
            {
                Name      = 'BeforeExchangeInstall'
                DependsOn = '[File]ExchangeBinaries'
            }

            #Does the Exchange install. Verify the directory with the Exchange binaries
            xExchInstall InstallExchange
            {
                Path       = 'C:\Exch\Setup.exe'
                Arguments  = "/mode:Install /role:Mailbox /OrganizationName:""$netbios"" /Iacceptexchangeserverlicenseterms"
                Credential = $Creds
                DependsOn  = '[xPendingReboot]BeforeExchangeInstall'
            }

            #Sees if a reboot is required after installing Exchange
            xPendingReboot AfterExchangeInstall
            {
                Name      = 'AfterExchangeInstall'
                DependsOn = '[xExchInstall]InstallExchange'
            }
        }
    }

    #DSC configuration data
    $ConfigData = @{
        AllNodes = @(
            @{
                NodeName                    = '*'
                #Replace the thumbprint with yours or use the precreated cert
                CertificateFile             = 'C:\ExchInstall\cert\publickey.cer'
                Thumbprint                  = 'FF0693E72BD283298323DF34B2A848F0F1B48E67'
                #Only needed if the certificate lines are commented out (the MOF then stores the password unencrypted)
                PSDscAllowPlainTextPassword = $true
            }
            @{
                NodeName = 'localhost'
            }
        )
    }

    if ($Creds -eq $null)
    {
        #if creds are empty -> write to the Application log (this block can be removed)
        if (-not [System.Diagnostics.EventLog]::SourceExists('Exchange Installation'))
        {
            New-EventLog -LogName Application -Source 'Exchange Installation'
        }
        Write-EventLog -LogName Application -Source 'Exchange Installation' -EntryType Error -EventId 1 -Message 'Credentials are empty'
    }

    #Compiles the configuration into .\InstallExchange (localhost.mof and localhost.meta.mof)
    InstallExchange -ConfigurationData $ConfigData -Creds $Creds

    #Sets up the LCM on target computers to decrypt credentials, and to allow reboot during resource execution
    Set-DscLocalConfigurationManager -Path .\InstallExchange -Verbose

    #Pushes the configuration and waits for execution
    Start-DscConfiguration -Path .\InstallExchange -Verbose -Wait
    

    8) Run the script with the mandatory <domainname> parameter

    Example: 
    
    .\InstallExchange.ps1 contoso.com
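    Before the configuration is pushed, it is worth confirming that the credential protection from the optional certificate step actually took effect. The following check is an added example and not part of the original script: it is meant to run after the compile line and before Start-DscConfiguration (split the last two lines of the script out, or run the check in between). It verifies that the LCM certificate is present with a private key, and that no compiled MOF in the output folder contains the install password in clear text. The function name Test-DscMofSecrets is mine; the thumbprint and password values are the ones used in the script above.

```powershell
# Added check (not from the original post): gate the DSC push on secret handling.
function Test-DscMofSecrets {
    param (
        [Parameter(Mandatory = $true)][string]$MofFolder,         # e.g. .\InstallExchange
        [Parameter(Mandatory = $true)][string]$Thumbprint,        # value from $ConfigData
        [Parameter(Mandatory = $true)][string]$PlainTextPassword  # the password that must NOT appear
    )

    $ok = $true

    # 1. The decrypting certificate must be in LocalMachine\My with a private key,
    #    otherwise the LCM cannot decrypt the credential at apply time.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) {
        Write-Warning "Certificate $Thumbprint not found in Cert:\LocalMachine\My"
        $ok = $false
    }
    elseif (-not $cert.HasPrivateKey) {
        Write-Warning "Certificate $Thumbprint has no private key; the LCM cannot decrypt credentials"
        $ok = $false
    }

    # 2. No MOF (node MOF or meta MOF) may contain the password literally.
    #    With CertificateFile set, DSC writes the credential encrypted; if the
    #    certificate lines were commented out and PSDscAllowPlainTextPassword is
    #    $true, the password is written as-is and this check fails.
    foreach ($mof in Get-ChildItem -Path $MofFolder -Filter *.mof) {
        if (Select-String -Path $mof.FullName -Pattern ([regex]::Escape($PlainTextPassword)) -Quiet) {
            Write-Warning "$($mof.Name) contains the install password in clear text"
            $ok = $false
        }
    }

    return $ok
}

# Usage: push only when the check passes (values as in the script above)
$checkArgs = @{
    MofFolder         = '.\InstallExchange'
    Thumbprint        = 'FF0693E72BD283298323DF34B2A848F0F1B48E67'
    PlainTextPassword = 'Pass123'
}
if (Test-DscMofSecrets @checkArgs) {
    Set-DscLocalConfigurationManager -Path .\InstallExchange -Verbose
    Start-DscConfiguration -Path .\InstallExchange -Verbose -Wait
}
else {
    Write-Error 'MOF secret check failed; configuration not pushed'
}
```

    A MOF that fails the second check would carry the Exchange install account password wherever it is copied, so it should not leave the machine; the same check is cheap to keep in any pipeline that compiles DSC configurations with credentials.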
    

    9) Wait while the LCM applies the DSC configuration.

    To retrieve the current status use:

    Get-DscLocalConfigurationManager


    and

    • read the logs (Applications and Services Logs – Microsoft – Windows – Desired State Configuration)
    • Exchange creates its own setup logs on your system drive; check them in case of unexpected errors.
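    The status checks above can be wrapped into a small monitoring script. The following is an added example, not from the original post: it polls the LCM until it is no longer busy, summarises the last run, and reads error events from the DSC operational log named above. It assumes WMF 5 for Get-DscConfigurationStatus (on WMF 4 drop that call and rely on the event log); the function names Wait-DscLcmIdle and Get-DscRunErrors are mine.

```powershell
# Added example (not from the original post): follow the DSC run after the push.
function Wait-DscLcmIdle {
    param ([int]$TimeoutMinutes = 120, [int]$PollSeconds = 30)

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # LCMState is one of Idle, Busy, PendingReboot, PendingConfiguration
        $state = (Get-DscLocalConfigurationManager).LCMState
        Write-Verbose "LCM state: $state ($(Get-Date -Format T))" -Verbose
        if ($state -ne 'Busy') { return $state }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    throw "LCM still busy after $TimeoutMinutes minutes"
}

function Get-DscRunErrors {
    param ([datetime]$Since = (Get-Date).AddHours(-2))

    # Level 2 = Error in the Microsoft-Windows-DSC/Operational channel
    $filter = @{ LogName = 'Microsoft-Windows-DSC/Operational'; Level = 2; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

$finalState = Wait-DscLcmIdle
Write-Host "LCM finished in state: $finalState"

# WMF 5 only: summary of the last run (Status is Success or Failure)
Get-DscConfigurationStatus |
    Select-Object Status, StartDate, DurationInSeconds, NumberOfResources, RebootRequested

# Errors from the DSC log for the last two hours; Exchange setup logs on the system drive cover the rest
Get-DscRunErrors | Format-Table -Wrap
```

    Because RebootNodeIfNeeded is enabled, the node reboots in the middle of the run and a locally running monitor dies with it; run this after the reboots have finished, or from another machine by adding -CimSession to the two Get-Dsc* cmdlets.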

    Until then,

    have a nice weekend!

    P.S. I have updated this script with DAG configuration and more. I'll publish a new post later. Stay in touch.