Solved

Group Policy Change reporting

Posted on 2012-03-12
Last Modified: 2012-08-13
Hi,
 
I am looking for a way to monitor Group Policy changes in the environment. I am presently not looking for a paid tool because I have checked some of the tools from ManageEngine, Netpro, and Netwrix, and all of them are very costly. I am looking for a free or low-cost tool. Also, if I can get a way to find the Group Policies created and modified in the last month, that will help to some extent.
 
I have got a tool named GPMonitor in the Resource Kit, but I am not able to find out how it works. Does it take the policy settings from desktops or from DCs?
 
Please suggest.
Question by:Neo_78
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37713478
How big is your environment? Number of DC's/servers/Workstations?
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 37713618
Try auditing the changes.
Here is a basic article about it:
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

Hiren
 

Author Comment

by:Neo_78
ID: 37713636
We have a single domain with 65 DCs and 12000 users.
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 37713773
Then I would seriously suggest that you go for a PAID solution! How much is your AD infrastructure worth to your company?

For instance, ManageEngine AuditPlus would cost you about $9995 for an 80 DC licence. That's roughly 154USD per DC for your 65, and 15 left over free for expansion. As a product for AD auditing it's about as good as it gets, personal opinion. You can download a free trial that will audit 5 DCs and look at the wealth of reporting you can get! It's worth every penny/cent!

http://www.manageengine.com/products/active-directory-audit/pricing-details.html#pricingchart
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 37714121
If you have access to MDOP you can use AGPM  

http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

Auditing out of the box for group policy is not great

Darren MarElia (GP MVP) had a good blurb on this too

*************Darren's quote **************
 If you're tracking for Group Policy changes you want to look for an AD change on the PDC emulator to a GroupPolicyContainer object. Specifically it will be a Directory Service Access event # 566 showing a modification to a number of attributes on the GPC object.
 
The only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rd-party auditing product. Even products like AGPM (née GPOVault) require that you go through their interface to capture any change, and don’t catch “out-of-band” changes that might get made. The 3rd-party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are.
 
However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that change was.
****************************

Thanks

Mike
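
The native auditing approach in the quote above, as an added example that is not part of the original thread: a PowerShell function that filters event 566 records down to groupPolicyContainer objects and summarises which GPO GUID was touched, how often, and by which account. The sample events, the message field labels, and the names `New-SampleEvent` and `Get-GpoChangeSummary` are assumptions made for illustration.

```powershell
# Added example. Events are constructed; the field labels follow the usual
# layout of event 566 message text and are an assumption here.
function New-SampleEvent($Time, $Type, $Name, $User) {
    [pscustomobject]@{
        TimeGenerated = [datetime]$Time
        Message = "Object Type:`t$Type`nObject Name:`t$Name`nClient User Name:`t$User`nClient Domain:`tEXAMPLE"
    }
}

$gpoA = 'CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=local'
$gpoB = 'CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=Policies,CN=System,DC=example,DC=local'
$sampleEvents = @(
    New-SampleEvent '2012-03-10T09:15:00' 'groupPolicyContainer' $gpoA 'alice'
    New-SampleEvent '2012-03-10T09:16:00' 'groupPolicyContainer' $gpoA 'alice'
    New-SampleEvent '2012-03-11T14:02:00' 'groupPolicyContainer' $gpoB 'bob'
    New-SampleEvent '2012-03-11T14:05:00' 'user' 'CN=Carol,OU=Staff,DC=example,DC=local' 'bob'
)

function Get-GpoChangeSummary {
    param([Parameter(Mandatory = $true)] [object[]] $Events)

    $Events |
        # Keep only writes against GPO containers; other object types are noise here.
        Where-Object { $_.Message -match 'Object Type:\s*groupPolicyContainer' } |
        ForEach-Object {
            $guid = if ($_.Message -match 'Object Name:\s*CN=(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { 'unknown' }
            $dom  = if ($_.Message -match 'Client Domain:\s*(\S+)') { $Matches[1] } else { '?' }
            $user = if ($_.Message -match 'Client User Name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Time = $_.TimeGenerated; Gpo = $guid; User = "$dom\$user" }
        } |
        Group-Object Gpo |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $_.Name
                Events     = $_.Count
                Users      = ($_.Group.User | Sort-Object -Unique) -join ', '
                LastChange = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        }
}

Get-GpoChangeSummary -Events $sampleEvents | Format-Table -AutoSize

# Live input (assumption: DS access auditing is enabled and $pdc holds the PDC emulator's name):
#   $events = Get-EventLog -LogName Security -InstanceId 566 -ComputerName $pdc -After (Get-Date).AddMonths(-1)
# GPOs created or modified in the last month, using the GroupPolicy module:
#   Get-GPO -All | Where-Object { $_.ModificationTime -ge (Get-Date).AddMonths(-1) }
```

The summary reports that a GPO container was written to and by which recorded account, which matches the quote's point that native auditing shows that something changed, not which setting.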
 

Author Closing Comment

by:Neo_78
ID: 37922839
These solutions were not foolproof but showed me a way to proceed further.