We help IT Professionals succeed at work.

Group Policy Change reporting

Hi,
 
I am looking for a way to monitor the Group Policy changes in the environment. I am presently not looking for any paid tool for the same because I have checked some of the tools from ManageEngine, Netpro, Netwrix but all the tools are very costly. I am looking for some free or low cost tool. Also If I can get a way to find the Group Policies created and modified in last one month that will help to some extent.
 
I have got a tool named GPMonitor in Resource Kit but I am not able to find as to how it works. Does it take the policy setting from desktops or from DC's.
 
Please suggest.
Comment
Watch Question

Neil RussellTechnical Development Lead
CERTIFIED EXPERT

Commented:
How big is your environment? Number of DC's/servers/Workstations?
hirenvmajithiyaManager (System Administration)

Commented:
Try auditing the changes.
Here is a basic article about it:
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

Hiren

Author

Commented:
We have Single Domain with 65 DC's and 12000 users
Technical Development Lead
CERTIFIED EXPERT
Commented:
Then I would seriously suguest that you go for a PAID solution! How much is your AD infrastructure worth to your company?

For instance, Managengine AuditPlus would cost you about $9995 for an 80 DC licence.  Thats roughly 154USD per DC for your 65, and 15 left over free for expansion.  As a product for AD Auditing its about as good as it gets, personal opinion.  You can download a free triak that will audit 5 DC's and look at the wealth of reporting you can get! Its worth every penny/Cent!

http://www.manageengine.com/products/active-directory-audit/pricing-details.html#pricingchart
CERTIFIED EXPERT
Top Expert 2013
Commented:
If you have access to MDOP you can use AGPM  

http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

Auditing out of the box for group policy is not great

Darren MarElia (GP MVP) had a good blurb on this too

*************Darren's quote **************
 If you're tracking for Group Policy changes you want to look for an AD change on the PDC emulator to a GroupPolicyContainer object. Specifically it will be a Directory Service Access event # 566 showing a modification to a number of attributes on the GPC object.
 
The only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rdparty auditing product. Even products like APGM (nee GPOVault) require that you go through their interface to capture any change, and don’t catch “out-of-band” changes that might get made. The 3rd party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are.
 
However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that changed was.
****************************

Thanks

Mike

Author

Commented:
These solutions were not full proof but showed me a way to proceed further

Explore More ContentExplore courses, solutions, and other research materials related to this topic.