Solved

Group Policy Change reporting

Posted on 2012-03-12
Last Modified: 2012-08-13
Hi,

I am looking for a way to monitor the Group Policy changes in the environment. I am presently not looking for any paid tool for the same because I have checked some of the tools from ManageEngine, Netpro, Netwrix, but all the tools are very costly. I am looking for some free or low-cost tool. Also, if I can get a way to find the Group Policies created and modified in the last one month, that will help to some extent.

I have got a tool named GPMonitor in the Resource Kit, but I am not able to find out how it works. Does it take the policy settings from desktops or from DCs?

Please suggest.
Question by:Neo_78
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37713478
How big is your environment? Number of DCs/servers/workstations?
0
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 37713618
Try auditing the changes.
Here is a basic article about it:
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

Hiren
0
 

Author Comment

by:Neo_78
ID: 37713636
We have a single domain with 65 DCs and 12000 users.
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 750 total points
ID: 37713773
Then I would seriously suggest that you go for a PAID solution! How much is your AD infrastructure worth to your company?

For instance, ManageEngine AuditPlus would cost you about $9995 for an 80 DC licence. That's roughly 154USD per DC for your 65, and 15 left over free for expansion. As a product for AD auditing it's about as good as it gets, personal opinion. You can download a free trial that will audit 5 DCs and look at the wealth of reporting you can get! It's worth every penny/cent!

http://www.manageengine.com/products/active-directory-audit/pricing-details.html#pricingchart
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 750 total points
ID: 37714121
If you have access to MDOP you can use AGPM  

http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

Auditing out of the box for group policy is not great

Darren MarElia (GP MVP) had a good blurb on this too

*************Darren's quote **************
If you're tracking for Group Policy changes you want to look for an AD change on the PDC emulator to a groupPolicyContainer object. Specifically it will be a Directory Service Access event # 566 showing a modification to a number of attributes on the GPC object.

The only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rd-party auditing product. Even products like AGPM (nee GPOVault) require that you go through their interface to capture any change, and don't catch "out-of-band" changes that might get made. The 3rd-party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are.

However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that change was.
****************************

Thanks

Mike
0
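
The native approach quoted above, together with the asker's request for GPOs created or modified in the last month, as an added PowerShell example that is not part of the original thread. The script parameters, variable names and output column names are assumptions; the event ID default is the one given in the quote, and the event rows show only that a GPO object was touched, not which setting changed.

```powershell
# Added example, not from the thread. Needs the GroupPolicy and ActiveDirectory
# modules (RSAT) and read access to the PDC emulator's Security log. Assumes
# directory service access auditing is already enabled on GPO objects.
param(
    [int]   $Days     = 30,
    [int[]] $EventIds = @(566)   # ID named in the quote; adjust for your OS version
)
Import-Module GroupPolicy, ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$pdc   = (Get-ADDomain).PDCEmulator

# 1. GPOs created or modified in the window, read from the PDC emulator.
$gpos = Get-GPO -All -Server $pdc
$gpos | Where-Object { $_.ModificationTime -ge $since } |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, Id, CreationTime, ModificationTime,
        @{ Name = 'CreatedInWindow'; Expression = { $_.CreationTime -ge $since } } |
    Format-Table -AutoSize

# 2. Audit events whose text names a groupPolicyContainer object. These objects
#    live at CN={GUID},CN=Policies,CN=System,<domain DN>; the DN is not localized.
$gpcPattern = 'CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System'
$nameByGuid = @{}
foreach ($g in $gpos) { $nameByGuid[$g.Id.ToString('B').ToUpper()] = $g.DisplayName }

$filter = @{ LogName = 'Security'; Id = $EventIds; StartTime = $since }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match $gpcPattern) {
            $guid = $Matches[1].ToUpper()
            $name = $nameByGuid[$guid]
            if (-not $name) { $name = '(no matching GPO, possibly deleted)' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                RecordId = $_.RecordId
                GpoGuid  = $guid
                GpoName  = $name
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```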
 

Author Closing Comment

by:Neo_78
ID: 37922839
These solutions were not foolproof but showed me a way to proceed further.
0
