Group Policy Objects contain the settings that control almost everything in Active Directory, including Sites, Domains, Organizational Units, Users, Groups, Computers and other objects. In large enterprises, multiple administrators manage objects centrally through the Group Policy Management Console (GPMC) from different computers in the domain. Often, users complain that their system settings have been changed without their knowledge.

Group Policy Auditing with Windows

Occasionally the IT team is responsible for these changes; however, it is also possible that someone with the right to make changes in the Group Policy Management Console has altered settings without authorization. Changes to Group Policy Objects like these, which can often remain unknown to others, create accountability issues. It is therefore very important to audit these changes so that you know who made which change, when, and from which location.

GPO auditing has been possible since Windows 2000 Server; however, it was always noisy and did not provide granular detail. In the latest versions of Windows Server, Microsoft introduced advanced audit policy, where administrators can determine granularly what to audit and what not to audit, producing a manageable number of logs. Group Policy is used to perform numerous tasks, including configuring auditing and deciding what users can or cannot access. It is therefore necessary to monitor Group Policy changes. But how? Here, you will see the steps to enable Group Policy auditing in Active Directory.

How to enable auditing of Group Policy Objects

A Group Policy Object is stored in two parts: the Group Policy Template (the files that define the GPO's settings) and the Group Policy Container (an object in Active Directory pointing to that template). Group Policy Templates are stored in the %SystemRoot%\SYSVOL folder. Auditing of the SYSVOL folder, of the Group Policy Container objects and of Directory Service (DS) objects all has to be enabled in order to audit Group Policy Objects.

How to enable auditing of DS objects

Perform the following steps to enable auditing of Directory Service objects:
I. Audit Directory Service Access
II. Audit Directory Service Changes
III. Audit Directory Service Replication
IV. Audit Detailed Directory Service Replication
Perform the following steps to enable auditing of Group Policy Container Objects:
Figure 1: Advanced Security Settings for Policies
Figure 2: Select User, Computer, Service Account, or Group
Figure 3: Auditing Entry for Policies
Perform the following steps for auditing SYSVOL folder where the Group Policy Templates are stored:
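The three configuration steps above (the four DS Access subcategories, the audit entry on the Policies container, and the audit entry on the SYSVOL folder) done from an elevated PowerShell session on a domain controller. This is an added example, not the article's own procedure or code; it assumes the ActiveDirectory module is present, that the audited principal is Everyone, and that the rights audited are the write, delete and ownership rights that change a GPO (the article's Figure 3 is not legible here, so that rights list is a choice made for this example).

```powershell
# Added example, not part of the original article. Assumptions: elevated session
# on a domain controller, ActiveDirectory module available, audited principal is
# Everyone, audited rights chosen for this example (see the lead-in above).
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# 1. Advanced audit policy: the four DS Access subcategories listed in the article
$subcats = 'Directory Service Access', 'Directory Service Changes',
           'Directory Service Replication', 'Detailed Directory Service Replication'
foreach ($s in $subcats) { auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null }
auditpol /get /category:"DS Access"

# 2. SACL on the parent of every Group Policy Container object
Import-Module ActiveDirectory
$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$adAcl  = Get-Acl -Path "AD:\$policiesDN" -Audit
$adRule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Delete, DeleteTree, WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$adAcl.AddAuditRule($adRule)
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# 3. SACL on the SYSVOL folder that holds the Group Policy Templates
$sysvol = Join-Path $env:SystemRoot "SYSVOL\sysvol\$($domain.DNSRoot)\Policies"
$fsAcl  = Get-Acl -Path $sysvol -Audit
$fsRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $sysvol -AclObject $fsAcl

# 4. Verify that the audit entries actually landed
(Get-Acl -Path "AD:\$policiesDN" -Audit).Audit | Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags -AutoSize
(Get-Acl -Path $sysvol -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Reading or writing a SACL needs the "Manage auditing and security log" privilege, which the built-in Administrators group holds by default; run the verification step before trusting that events will appear.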
Native Auditing of Group Policy Changes

After you have enabled GPO auditing by following the above steps, every change to a GPO will be captured and displayed in the Event Viewer. Go to “Start Menu” –> “Control Panel” –> “Administrative Tools” and double-click “Event Viewer” to access it. Here, search for the particular event IDs that correspond to Group Policy changes. For novice users, it is difficult to know which event IDs are relevant to Group Policy changes. In these situations, Microsoft TechNet comes to the rescue. For example, the following link gives the list of events pertaining to changes in Group Policies: https://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx. Given below are a few examples:
The following image is an example of an event that shows a certain Group Policy change. However, it is not clear which Group Policy was modified, when, by whom, and what the before and after values were.

Figure 4: Event captured after modifying a Group Policy

Drawbacks of Native Auditing of Group Policy Objects

Unclear Data
In the above image, the event is shown in the Windows Event Viewer, but it is not clear which Group Policy was modified, when it was modified, by whom, and what the before and after values were. If the record of all event IDs for Group Policy changes is unusable, it will be difficult to search for a particular change in a large event pool.

Multiple Logs
The Event Viewer displays multiple events for a single action, which can throw up an unmanageable number of logs. Additionally, the Event Viewer displays the captured events in a complex format and occasionally with less detail.

Space Consumption
Event logs are memory-mapped files. If you set the maximum log size to 1 GB, it means (1 GB x 4 =) 4 GB of space will be consumed by the Event Viewer. If you set the log size to a lower number, only a limited number of events will be kept, because the events generated after the log reaches that size will be either overwritten or archived. If you have configured logs to be archived for long-term storage, all event logs are archived to “%system32%/winevt/logs” and continue to take up space on the primary drive. There is no automatic way to transfer these archived logs to a secondary or external drive.

No Predefined Reports
There are no built-in predefined audit reports. The workaround is to create huge Windows PowerShell scripts or use an existing template. This translates to creating multiple, complex scripts if you want to investigate something as simple as an account deletion event.
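A script of the kind the "Unclear Data" and "No Predefined Reports" sections refer to, added here as an example and not taken from the article: it reads the Directory Service Changes events for Group Policy Container objects from the Security log and turns each into a who / what / when row. It assumes it runs on a domain controller (or against a forwarded copy of its Security log) with rights to read that log, and that the GroupPolicy module is available to resolve GPO GUIDs to display names (the raw GUID is shown when it is not).

```powershell
# Added example, not from the original article. Assumes: runs on a DC with rights
# to read the Security log; GroupPolicy module optional for GUID -> name lookup.
$ids = 5136, 5137, 5139, 5141          # DS object modified / created / moved / deleted

function Get-GpoChangeEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> nodes; index them by name
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectClass'] -ne 'groupPolicyContainer') { continue }   # GPOs only

        # The GPC's DN is CN={GUID},CN=Policies,CN=System,...; map the GUID to a name
        $guid = [regex]::Match($d['ObjectDN'], '\{[0-9A-Fa-f-]+\}').Value
        $name = $guid
        try { $name = (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch {}

        # 5136 reports the direction of an attribute change as a resource string id
        $op = switch ($d['OperationType']) {
            '%%14674' { 'Value Added' }
            '%%14675' { 'Value Deleted' }
            default   { $d['OperationType'] }
        }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Gpo       = $name
            Attribute = $d['AttributeLDAPDisplayName']
            Operation = $op
            Value     = $d['AttributeValue']
        }
    }
}

Get-GpoChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Note that a modified attribute produces a 5136 pair (old value deleted, new value added), which is where the before and after values come from, and that these events carry no client address: to get the "from where", join the event's SubjectLogonId to the matching 4624 logon event, which records the source network address.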
If administrators want to check the event logs of all network computers on the primary domain controller, they need to configure subscriptions on the server and configure each computer separately in the network, which can be a complex and time-consuming process.

How to solve these limitations?

LepideAuditor for Group Policy is an ideal solution for tracking Group Policy changes. You simply need to install the solution and add the domain that has to be audited, and the solution can audit all computers in the network from that central console. It provides real-time audit reports to find out the who, what, when and where details of Group Policy changes and displays these changes on very visual 3-dimensional graphs. The “before” and “after” values of each Group Policy change are also shown to make Group Policy auditing easier than ever.

What is the use of Group Policy?

Group Policy is primarily a security tool, and can be used to apply security settings to users and computers. Group Policy allows administrators to define security policies for users and for computers.
When looking at Group Policy, what commands can you use on the client to help you troubleshoot which policies the computer is getting?

The rsop and gpresult commands are both used to troubleshoot Group Policy, but which one should you use and why? RSoP: use this command to report on the current state of the Group Policy settings. In other words, it generates a report of which GPO settings are applied to a user or computer.
Which of the following can be used to view and edit Group Policy settings?

The Registry Editor can be used to view and edit Group Policy settings.
What GPO policy will take precedence over all other GPO policies when they are being applied?

GPOs linked to organizational units have the highest precedence, followed by those linked to domains. GPOs linked to sites always take the least precedence. To understand which GPOs are linked to a domain or OU, click the domain or OU in GPMC and select the Linked Group Policy Objects tab.