Options
Audit group policy changes
Folks, is it possible in 2008 R2 or Windows Server in general to audit the state of a group policy object before and after a change is made to it. Anyone done this in prod/lab?
Help's appreciated!
Help's appreciated!
Comments
-
Optionsundomiel Member Posts: 2,818I haven't had a need to do it before but I did some searching around and ran across this tool: Group Policy Change Reporter (Freeware and Commercial)Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
-
OptionsEssendon Member Posts: 4,546 ■■■■■■■■■■Thanks for the reply undomiel. Can this be done using Windows only?
-
OptionsClaymoore Member Posts: 1,637Thanks for the reply undomiel. Can this be done using Windows only?
Not that I know of. Advanced Group Policy Management can audit and even roll back changes, but that is part of the MDOP suite. -
OptionsEveryone Member Posts: 1,661This article is for 2003, but works on 2008 as well...
Monitoring Group Policy Changes with Windows Auditing - Windows Security Logging and Other Esoterica - Site Home - MSDN Blogs
Basically you turn on auditing of the GPO folders on your domain controllers. Then whenever someone makes a change, you have an audit trail. -
OptionsITguy509 Registered Users Posts: 1 ■□□□□□□□□□Yes, there are several tools you can download that will tell you any time a change has been made to a GPO. We use NetWrix Group Policy Change Reporter, which I find very easy to use and it’s free, but I also know that Quest Software and ScriptLogic offer GP auditing tools. Worth looking into of you need reporting on (before and after) changes made to GPOs