How easy is it to track Group Policy changes using the event log?

Group Policy Objects contain the settings to control almost everything in Active Directory; including Sites, Domains, Organizational Units, Users, Groups, Computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is possible that someone with the right to make changes in the Group Policy Management Console has altered settings for which there was no authorization. Changes in Group Policy Objects like these, that can often remain unknown to others, can create accountability issues. It is therefore very important to audit these changes to know who did what change, when and from which location

GPO Auditing is possible with Windows 2000 Server; however, it was always a bit noisy and did not provide granular levels of detail. In the latest versions of Windows Server, Microsoft introduced advanced auditing where users can granularly determine what to audit and what not to audit, thus creating a manageable number of logs.

Group Policy is used to perform numerous tasks; including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here, you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts – Group Policy Templates (defines the GPO template) and Group Policy Containers (an object in Active Directory pointing to GPO template). Group Policy Templates are stored in %sysroot%SYSVOL folder. The auditing of SYSVOL folder, Group Policy Container Objects and DS Objects has to be enabled in order to enable the Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service Objects:

  1. Launch Group Policy Management Console (GPMC) from the “Administrative Tools” in the “Start Menu”.
  2. Go to Forest -> Domains -> Domain Controllers.

  3. Right click “Default Domain Controllers Policy”, and click on “Edit” to access “Group Policy Management Editor” (GPMC Editor).

  4. The GPMC Editor window opens up, in the editor window navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies”.

  5. Select “DS Access” in the Audit Policies. The following policies will be displayed in it.

I. Audit Directory Service Access

II. Audit Directory Service Changes

III. Audit Directory Service Replication

IV. Audit Detailed Directory Service Replication

  1. One by one, double-click these policies, and enable their auditing for both “Success and “Failure”.
  • Do the same steps to enable the auditing of “Object Access” -> “Audit File System” in “Advanced Audit Policy Configuration”.

  • Continue reading “How easy is it to track Group Policy changes using the event log?”