Group Policy comes handy when applying specific configurations for Users and Computers. These settings are stored in Group Policy Objects which can be linked to Sites, Domains, and Organizational Units. Sometimes, while working on their system, Users find their desktop to have undergone some unexpected change. Such changes might have been done by a central administrator. In many organizations, there are more than one administrator who manage Computer and User objects centrally through Group Policy Management Console (GPMC). Changes done by one administrator might be unknown to others creating a scenario where accountability becomes an issue. In these situations, it becomes mandatory to audit Group Policy changes to know who did what change, when and from which work station.

Understanding the importance of issue, Microsoft provides a Software Assurance (SA) contract program to its clients. Software license and Software Assurance license are available separately. If you have purchased the Software Assurance license, you get the “Advanced Group Policy Management” (AGPM) which comes with “Desktop Optimization Pack”. The AGPM goes a long way in securing your Group Policy environment as it creates an intermediate stage – “Review Stage” - between editing Group Policy Objects and implementing those changes to the live project environment. Thus all changes made to GPO by all Users can be reviewed and their impacts analyzed before they are rolled out to the live project environment. Even in the absence of AGPM which comes with Software Assurance, a lot can be done using GPO auditing feature. 

Windows auditing option for GPO has existed since Windows 2000. However, that auditing was a bit noisy as you could not determine which objects to audit and which not to audit. Enabling auditing on Windows 2000 means a lot of log through flip-through as you cannot enable auditing granularly. With Windows Server 2008, Microsoft introduced advanced auditing option where users can granularly determine what to audit and what not to, in the process creating a manageable amount of logs. In this article we will see how to enable audit for Windows Server 2008.

Whenever you create a domain, a default domain policy is automatically created. To create a new advanced security audit policy, you need to edit the default domain policy and add advanced security audit policy settings. The approach to apply and validate an advanced audit policy should be:

  • Create an advanced audit policy.

  • Make sure basic audit policy doesn’t override advanced audit policy settings.

  • Update Group Policy Settings.

  • Ensure you have got everything right.

To create an advanced audit policy:

  1. Go to Start -> Administrative Tools -> Group Policy Management. 
  2. In the Console tree, double-click on the domain.
  3. Right-click Default Domain Policy, and then click Edit.
  4. Double-click Computer Configuration, double-click Policies, and double-click Windows Settings.
  5. Double-click Security Settings, double-click Advanced Audit Policy Configurations, and then Double-click System Audit policies.
  6. Double-click the policy which you want to configure.
  7. Select the Configure the following audit events check-box.
  8. Select Success and Failure check-box.
  9. Click OK.

This is the first step of implementing a successful audit policy. As mentioned above, after this you have to update Group Policy settings, ensure basic audit policy doesn’t override this advanced policy and verify if everything has been configured the correct way. Following the above mentioned steps you can configure a number of audit settings to ensure every important change made to GPO is logged. You can then go on and view the logs to determine who did, what, when, where and from which computer. You can also take help of third party tools to audit GPO. Group Policy Auditor ( ) which comes as part of LepideAuditor Suite can also be used to audit GPO.