GPO Audit Default

czql5v 146 Reputation points
2021-07-20T08:40:56.507+00:00

Hi All,

We have a number of different Admins scattered around various countries who administer GPOs in our AD. Last week we had a GPO that was pertinent to our organization changed and it was not changed by any of our Admins.

I know that the organization audits all events from the top level but it is only linked to their OUs.

I would like to create an audit that gives me information on when someone attempts to change any AD object, especially any GPO. Could someone let me know the easiest way to complete this task? What should I be auditing, etc.?

Thanks for any information.

Windows for business | Windows Server | User experience | Other

2 answers

  1. Anonymous
    2021-07-20T09:34:39.467+00:00

    Hello @czql5v ,

    Thank you so much for posting here.

    We could follow the below steps to track and audit changes made to Group Policy Objects:

    Step 1: Enable Audit

    1. Launch “Group Policy Management Console”, create a new GPO and link to Domain Controllers OU.
    2. From the context menu, click on “Edit” to open the “Group Policy Management Editor” window.
      Navigate to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies” -> “DS Access”.
    3. Click “Audit Directory Service changes”, click “Configure the following audit events” and choose “Success”.


    4. To force Group Policy Update, we could run “gpupdate /force” on the domain controllers.

    Step 2: Configuring Group Policy Container Objects auditing

    1. Launch the ADSIEdit.msc and Connect to the Default naming context.
    2. Navigate to CN=Policies,CN=System,DC=domain -> Open the “Properties of Policies” object -> Go to the Security tab -> Click the Advanced button.
    3. Go to the Auditing tab -> Add the Principal Everyone -> Choose the Type Success -> For Applies to, click This object and Descendant objects -> Under Permissions, select the following checkboxes: “Create groupPolicyContainer objects”, “Delete”, “Modify Permissions” -> Click OK.


    Step 3: Review changes in the security Event Log

    1. When a Group Policy object is created, Event ID 5137 is logged containing details of who created the Group Policy object and the fact that an object was created.


    2. When a GPO is deleted, an Event ID 5141 is logged with the Unique ID of the GPO that was deleted and the user who performed the deletion.


    3. When a GPO is modified, an Event ID 5136 is logged.


    Best regards,
    Hannah Xiong

    3 people found this answer helpful.
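Step 3 of the answer above, as an added PowerShell example that is not part of the original post: it reads 5136/5137/5141 events from a domain controller's Security log, keeps only objects under CN=Policies, and reports who changed which GPO and when. The function name, the parameter defaults and the 24-hour look-back window are assumptions.

```powershell
# Added example: summarise GPO container changes (event IDs 5136/5137/5141)
# from a domain controller's Security log. Assumes Step 1 and Step 2 above
# are in place; without the SACL on CN=Policies no such events are written.
function Get-GpoChangeEvent {
    param(
        [string]$DomainController = $env:COMPUTERNAME,  # assumption: run on/against a DC
        [int]$Hours = 24                                 # assumption: look-back window
    )

    $actions = @{ 5136 = 'Modified'; 5137 = 'Created'; 5141 = 'Deleted' }
    $filter  = @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as empty.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # EventData is easiest to read from the event XML: one <Data Name="..."> per field.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Keep only objects under the Policies container (the GPCs and their
        # Machine/User sub-containers); other directory changes are noise here.
        if ($data['ObjectDN'] -notmatch 'CN=Policies,CN=System,') { continue }

        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Action    = $actions[$evt.Id]
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectDN  = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']  # 5136 only
            NewValue  = $data['AttributeValue']            # 5136 only
        }
    }
}

# Example call: last 24 hours on the local DC, newest first.
Get-GpoChangeEvent | Sort-Object Time -Descending |
    Format-Table Time, Action, Actor, Attribute, ObjectDN -AutoSize
```

One attribute edit produces a pair of 5136 events (the old value deleted, then the new value added), and editing settings in the GPMC appears as a change to the versionNumber attribute of the GPC; the setting files themselves live in SYSVOL, which DS Access auditing does not cover.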

  2. czql5v 146 Reputation points
    2021-07-20T12:40:11.723+00:00

    Hi Hannah x,

    Thanks for taking the time to post.

    This is exactly what I wanted, however, I don't necessarily understand the ADSI bit of it but will have another look at that.

    In the meantime thanks for posting it has helped a lot.

    Regards.

    1 person found this answer helpful.
