comes in handy when applying specific configurations for Users and
Computers. These settings are stored in Group Policy Objects, which
can be linked to Sites, Domains, and Organizational Units. Sometimes,
while working on their systems, users find that their desktop has
undergone some unexpected change. Such changes might have been made
by a central administrator. In many organizations, more than one
administrator manages Computer and User objects centrally
through the Group Policy Management Console (GPMC). Changes made by one
administrator might be unknown to the others, creating a scenario where
accountability becomes an issue. In these situations, it becomes
mandatory to audit Group Policy changes to know who made which change,
when, and from which workstation.
the importance of issue, Microsoft provides a Software Assurance (SA)
contract program to its clients. The software license and the Software
Assurance license are available separately. If you have purchased the
Software Assurance license, you get “Advanced Group Policy
Management” (AGPM), which comes with the “Desktop Optimization Pack”.
AGPM goes a long way in securing your Group Policy environment, as
it creates an intermediate stage, the “Review Stage”, between
editing Group Policy Objects and implementing those changes in the
live project environment. Thus all changes made to GPOs by all users
can be reviewed and their impact analyzed before they are rolled out
to the live project environment. Even in the absence of AGPM, which
comes with Software Assurance, a lot can be done using GPO auditing
auditing option for GPO has existed since Windows 2000. However, that
auditing was a bit noisy, as you could not determine which objects to
audit and which not to audit. Enabling auditing on Windows 2000 means
a lot of logs to flip through, as you cannot enable auditing
granularly. With Windows Server 2008, Microsoft introduced an advanced
auditing option where users can granularly determine what to audit
and what not to, in the process creating a manageable amount of logs.
In this article we will see how to enable audit for Windows Server
create a domain, a default domain policy is automatically created. To
create a new advanced security audit policy, you need to edit the
default domain policy and add advanced security audit policy
settings. The approach to apply and validate an advanced audit policy
create an advanced audit policy:
an advanced audit policy.
Make sure the basic audit policy doesn’t override the advanced audit policy settings.
Update the Group Policy settings.
Ensure you have got everything right.
- Go to Start -> Administrative Tools -> Group Policy Management.
- In the Console tree, double-click on the domain.
- Right-click Default Domain Policy, and then click Edit.
- Double-click Computer Configuration, double-click Policies, and double-click Windows Settings.
- Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then double-click System Audit Policies.
- Double-click the policy which you want to configure.
- Select the Configure the following audit events check box.
- Select the Success and Failure check boxes.
- Click OK.
This is the
first step of implementing a successful audit policy. As mentioned
above, after this you have to update the Group Policy settings, ensure
that the basic audit policy doesn’t override this advanced policy, and
verify that everything has been configured correctly. By following the
above-mentioned steps you can configure a number of audit settings to
ensure every important change made to a GPO is logged. You can then go
on and view the logs to determine who did what, when, where and from
which computer. You can also use third-party tools to audit
GPOs. Group Policy Auditor ( http://www.lepide.com/lepideauditor/group-policy.html ), which comes as part of LepideAuditor Suite,
can also be used to audit GPOs.
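
The remaining steps named above (checking that the basic policy does not override the advanced one, updating Group Policy, verifying the result, and then reading the logs) can be carried out from an elevated PowerShell prompt on a domain controller. This is an added example, not part of the original article; it assumes an English-language system and that the subcategory configured was Directory Service Changes, which logs event 5136 when an audited Active Directory object such as a GPO is modified.

```powershell
# Added example (not from the original article). Run elevated on a domain controller.
# Assumption: the subcategory enabled in the GPO is "Directory Service Changes".
$subcategory = 'Directory Service Changes'

# 1. Basic vs. advanced policy. A value of 1 corresponds to the security option
#    "Audit: Force audit policy subcategory settings (Windows Vista or later) to
#    override audit policy category settings".
$force = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning "SCENoApplyLegacyAuditPolicy is '$force': the override option is not explicitly enabled."
}

# 2. Update Group Policy settings on this machine.
gpupdate /force

# 3. Verify the effective setting. auditpol /r emits CSV; blank lines are dropped first.
$row = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.Subcategory -eq $subcategory }
if ($row.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning "$subcategory is set to '$($row.'Inclusion Setting')', not 'Success and Failure'."
}

# 4. Read the log: event 5136 records a directory object modification.
#    Only changes to objects whose SACL audits the write are recorded.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $data = @{}
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        # GPOs are stored in Active Directory as groupPolicyContainer objects.
        if ($data['ObjectClass'] -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $evt.TimeCreated
                Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                GPO       = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']
                LoggedOn  = $evt.MachineName
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The `LoggedOn` column is the domain controller that recorded the change, so in a multi-DC domain the same query has to be run against each controller's Security log.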