Solved

Group Policy Change reporting

Posted on 2012-03-12
6
243 Views
Last Modified: 2012-08-13
Hi,
 
I am looking for a way to monitor the Group Policy changes in the environment. I am presently not looking for any paid tool for the same because I have checked some of the tools from ManageEngine, Netpro, Netwrix but all the tools are very costly. I am looking for some free or low cost tool. Also If I can get a way to find the Group Policies created and modified in last one month that will help to some extent.
 
I have got a tool named GPMonitor in Resource Kit but I am not able to find as to how it works. Does it take the policy setting from desktops or from DC's.
 
Please suggest.
0
Comment
Question by:Neo_78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 37713478
How big is your environment? Number of DC's/servers/Workstations?
0
 
LVL 7

Expert Comment

by:hirenvmajithiya
ID: 37713618
Try auditing the changes.
Here is a basic article about it:
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

Hiren
0
 

Author Comment

by:Neo_78
ID: 37713636
We have Single Domain with 65 DC's and 12000 users
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 37713773
Then I would seriously suguest that you go for a PAID solution! How much is your AD infrastructure worth to your company?

For instance, Managengine AuditPlus would cost you about $9995 for an 80 DC licence.  Thats roughly 154USD per DC for your 65, and 15 left over free for expansion.  As a product for AD Auditing its about as good as it gets, personal opinion.  You can download a free triak that will audit 5 DC's and look at the wealth of reporting you can get! Its worth every penny/Cent!

http://www.manageengine.com/products/active-directory-audit/pricing-details.html#pricingchart
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 250 total points
ID: 37714121
If you have access to MDOP you can use AGPM  

http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

Auditing out of the box for group policy is not great

Darren MarElia (GP MVP) had a good blurb on this too

*************Darren's quote **************
 If you're tracking for Group Policy changes you want to look for an AD change on the PDC emulator to a GroupPolicyContainer object. Specifically it will be a Directory Service Access event # 566 showing a modification to a number of attributes on the GPC object.
 
The only foolproof method to find out who made a change to a GPO and exactly what setting was changed is to buy a 3rdparty auditing product. Even products like APGM (nee GPOVault) require that you go through their interface to capture any change, and don’t catch “out-of-band” changes that might get made. The 3rd party auditing products actually resolve who made the change, what the changed setting was, and what its before and after values were/are.
 
However, you can audit that *some* change was made to a given GPO simply by using native AD access auditing in the security logs of DCs. Most GP changes default to being made on the PDCe DC so you can reliably monitor its security log for changes to any groupPolicyContainer objects and that will generally catch any GP changes. Again, it will only tell you that *something* changed, not what that changed was.
****************************

Thanks

Mike
0
 

Author Closing Comment

by:Neo_78
ID: 37922839
These solutions were not full proof but showed me a way to proceed further
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question