Solved

Monitor Changes to Group Policy Settings

Posted on 2009-06-30
5
659 Views
Last Modified: 2012-05-07
Right now I have a Windows 2000 AD domain. How can I find out WHO / which network account made a change to a default domain policy? How can I be notifyed WHEN ANY of our GP get modified????
0
Comment
Question by:compdigit44
  • 3
  • 2
5 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24748889
Out of the box you will be able to find out who made a change. It won't tell you what was changed
Audit directory service access is enabled by default in the default domain controllers policy (you can check yours and make sure that is still on)
Then Auditing is turned on for the policies container within AD.
So look for event 566 in your logs. (check PDC emulator first)

So here is the rub with that; so as you can see you are just auditing when a change to a GPO happens. It does not tell you what was changed in the GPO. For that, you will need a 3rd party product.  
Good blog on the subject here:
http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx
 
Thanks
Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24749019
Quick follow up - screen shot of what the event looks like.
 
Thanks
 
Mike
 
 

groupPolicy-Audit-Event.jpg
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24753513
Here the problem someone made a change to our default domain policy and it didn't have auditing enabled... Is there anyway for me to track who changed a GP last with out audting enabled???
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24754899
Unfortunately no way that I know of if auditing is turned off or not enabled.  The closes thing is to see the modified date/time and that may narrow it down to those that were working that day.
Thanks
Mike
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24754993
IS there anyway to track were a user account logged in from?
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now