• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 263
  • Last Modified:

Group Policy Change reporting

Hi,
 
I am looking for a way to monitor the Group Policy changes in the environment. I am presently not looking for any paid tool for the same because I have checked some of the tools from ManageEngine, Netpro, Netwrix but all the tools are very costly. I am looking for some free or low cost tool. Also If I can get a way to find the Group Policies created and modified in last one month that will help to some extent.
 
I have got a tool named GPMonitor in Resource Kit but I am not able to find as to how it works. Does it take the policy setting from desktops or from DC's.
 
Please suggest.
0
Neo_78
Asked:
Neo_78
2 Solutions
 
Neil RussellTechnical Development LeadCommented:
How big is your environment? Number of DC's/servers/Workstations?
0
 
hirenvmajithiyaManager (System Administration)Commented:
Try auditing the changes.
Here is a basic article about it:
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

Hiren
0
 
Neo_78Author Commented:
We have Single Domain with 65 DC's and 12000 users
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Neil RussellTechnical Development LeadCommented:
Then I would seriously suguest that you go for a PAID solution! How much is your AD infrastructure worth to your company?

For instance, Managengine AuditPlus would cost you about $9995 for an 80 DC licence.  Thats roughly 154USD per DC for your 65, and 15 left over free for expansion.  As a product for AD Auditing its about as good as it gets, personal opinion.  You can download a free triak that will audit 5 DC's and look at the wealth of reporting you can get! Its worth every penny/Cent!

http://www.manageengine.com/products/active-directory-audit/pricing-details.html#pricingchart
0
 
Mike KlineCommented:
If you have access to MDOP you can use AGPM  

http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

Auditing out of the box for group policy is not great

Darren MarElia (GP MVP) had a good blurb on this too

*************Darren's quote **************
 If you're tracking for Group Policy changes you want to look for an AD change on the PDC emulator to a GroupPolicyContainer object. Specifically it will be a Directory Service Access event # 566 showing a modification to a number of attributes on the GPC object.
 
The only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rdparty auditing product. Even products like APGM (nee GPOVault) require that you go through their interface to capture any change, and don’t catch “out-of-band” changes that might get made. The 3rd party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are.
 
However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that changed was.
****************************

Thanks

Mike
0
 
Neo_78Author Commented:
These solutions were not full proof but showed me a way to proceed further
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now