Steps to enable auditing using the Group Policy Management Console:
Perform the following actions on the domain controller (DC):
- Press Start, search for, and open the Group Policy Management Console (GPMC), or run the command gpmc.msc.
- Right-click the domain or, more narrowly, the Domain Controllers OU (the directory service and SYSVOL access events configured below are generated only on domain controllers, so the GPO must apply to them), and click Create a GPO in this domain, and Link it here.
Note: If you have already created a Group Policy Object (GPO), click Link an Existing GPO.
- Name the GPO as appropriate.
- Right-click the GPO, and choose Edit.
- In the Group Policy Management Editor, in the left pane, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access.
- In the right pane, you will see a list of policies that are under DS Access. Double-click Audit Directory Service Changes, and check the boxes labeled Configure the following audit events, Success, and Failure.
- Click Apply, then OK.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
- In the right pane, you will see a list of policies that are under Object Access. Double-click Audit File System, and check the boxes labeled Configure the following audit events, Success, and Failure.
- Go back to the Group Policy Management Console, and in the left pane, right-click the OU to which the GPO was linked, and click Group Policy Update (or run gpupdate /force on each DC). This step applies the new Group Policy settings immediately instead of waiting for the next scheduled refresh.
Once this policy is in effect, events are logged in the DC's Security log whenever a Group Policy Object is modified, provided the system access control lists (SACLs) described in the next two sections are also in place: the audit policy determines which categories of activity may be audited, while the SACLs determine which objects and folders actually are.
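The following PowerShell is an added check, not part of the original article or of ADAudit Plus: run from a domain-joined machine with the ActiveDirectory RSAT module and WinRM access to the DCs, it confirms that both subcategories are actually in effect on every domain controller after the GPO has refreshed. It relies on auditpol's CSV report output (/r); the column names used are the ones auditpol emits.

```powershell
# Added example: verify the effective advanced audit policy on every DC.
# Assumes the ActiveDirectory RSAT module and WinRM (Invoke-Command) access to the DCs.
Import-Module ActiveDirectory

$subcategories = 'Directory Service Changes', 'File System'

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Invoke-Command -ComputerName $dc -ArgumentList (,$subcategories) -ScriptBlock {
        param([string[]]$Subcategories)
        foreach ($sub in $Subcategories) {
            # /r prints a CSV report; the relevant column is "Inclusion Setting"
            $row = auditpol /get /subcategory:"$sub" /r |
                Where-Object { $_ -match '\S' } |
                ConvertFrom-Csv |
                Select-Object -First 1
            [pscustomobject]@{
                DC          = $env:COMPUTERNAME
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
                Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    }
}

$results | Sort-Object DC, Subcategory |
    Format-Table DC, Subcategory, Setting, Compliant -AutoSize

# Any non-compliant row means the GPO has not applied on that DC (check gpresult /h there)
$results | Where-Object { -not $_.Compliant }
```

Possible values of Setting are No Auditing, Success, Failure, and Success and Failure; only the last matches what the GPO above configures.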
Steps to configure groupPolicyContainer objects auditing using ADSI Edit
Perform the following actions on the domain controller:
- Click Start, search for ADSI Edit, right-click it, and select Run as administrator.
- In the left pane, right-click ADSI Edit, and select Connect to.
- In the new window, ensure that Name is set to Default naming context, and the domain name mentioned in the Path is the domain you want to audit.
- Click OK.
- Double-click Default naming context, and navigate to DC=domain,DC=com > CN=System > CN=Policies.
- Right click CN=Policies and select Properties.
- Go to the Security Tab and click the Advanced button.
- Go to the Auditing Tab and click the Add button.
- Click Select Principal and search for Everyone, then click OK.
- Click the Type drop-down and select Success. Click the Applies to drop-down, then select This object and all descendant objects.
- Scroll down and check the boxes labeled Create groupPolicyContainer objects and Delete groupPolicyContainer objects, and click OK to close the Auditing Entry window. Click OK to close the Advanced Security Settings window. Click OK to close the properties window.
You have now enabled auditing of creation and deletion of groupPolicyContainer objects.
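The same SACL can be set from PowerShell instead of ADSI Edit. The script below is an added example (not from the article or from ADAudit Plus) and assumes the ActiveDirectory RSAT module and a Domain Admin session. The GUI entries "Create groupPolicyContainer objects" and "Delete groupPolicyContainer objects" correspond to the CreateChild and DeleteChild rights scoped to the schema GUID of the groupPolicyContainer class, which the script resolves from the schema at run time rather than hard-coding.

```powershell
# Added example: audit creation and deletion of groupPolicyContainer objects under CN=Policies.
# Assumes the ActiveDirectory RSAT module; run as a Domain Admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$policies = "AD:\CN=Policies,CN=System,$domainDN"

# Resolve the schema GUID of the groupPolicyContainer class instead of hard-coding it
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [System.Guid]::new([byte[]]$gpcClass.schemaIDGUID)

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
$flags    = [System.Security.AccessControl.AuditFlags]::Success               # Type: Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All # this object and all descendants

# CreateChild/DeleteChild limited to objectType = groupPolicyContainer is what ADSI Edit shows as
# "Create groupPolicyContainer objects" / "Delete groupPolicyContainer objects"
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone, $rights, $flags, $gpcGuid, $inherit)

# -Audit is required to read the existing SACL, so existing entries are preserved
$acl = Get-Acl -Path $policies -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $policies -AclObject $acl

# Verify the new entry
(Get-Acl -Path $policies -Audit).Audit |
    Where-Object { $_.ObjectType -eq $gpcGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited -AutoSize
```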
Steps to audit the SYSVOL folder
The settings of every GPO (its Group Policy template) are stored in the SYSVOL folder of each domain controller, so in order to audit changes to GPO settings, you need to audit this folder. Perform the following actions on the domain controller:
Note: If you do not have access to a DC, access the SYSVOL folder via the network share.
- Open Windows Explorer and navigate to C: > Windows > SYSVOL > domain.
- Right-click the Policies folder and select Properties.
- Go to the Security tab and click the Advanced button.
- Select the Auditing tab and click the Add button.
- Click Select Principal, search for Everyone, and click OK.
- Click the Type drop-down and select All. Click the Applies to drop-down and select This folder, subfolders and files.
- Click Show advanced permissions and check the box labeled Full control. Note: auditing Full control for Everyone also records every read of the folder, including each client's Group Policy refresh, so the Security log fills quickly; if the volume becomes unmanageable, audit only the write, delete, and permission-change rights.
- Click OK.
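The NTFS SACL on the Policies folder can also be set from an elevated PowerShell session on the DC. This is an added example (not the article's or ADAudit Plus's code); it follows the article's choice of Full control for Everyone by default and offers a narrower right set in a variable for environments where read auditing on SYSVOL generates too many 4663 events.

```powershell
# Added example: audit the SYSVOL Policies folder for Everyone, this folder, subfolders and files.
# Run in an elevated session on the domain controller.
$policiesPath = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'

# The article audits Full control. Reads on SYSVOL are very noisy (every client's
# gpupdate is a read), so a write/delete-only alternative is provided; swap $rights to use it.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$writeOnly   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rights      = $fullControl

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # this folder, subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')                         # Type: All

# -Audit reads the existing SACL so the new entry is appended rather than replacing it
$acl = Get-Acl -Path $policiesPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $policiesPath -AclObject $acl

# Verify the entry was written
(Get-Acl -Path $policiesPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

File system access then appears as event 4663 (An attempt was made to access an object) in the Security log, with the file path in ObjectName.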
Steps to view Group Policy change events using Event Viewer
Once the above steps are complete, changes made to any GPO will be logged as events. This can be viewed in the Event Viewer by following the steps below:
- Press Start, search for Event Viewer, and click to open it.
- In the Event Viewer window, in the left pane, navigate to Windows Logs > Security.
- Here, you will find a list of all the security events that are logged in the system.
- In the right pane, under security, click Filter Current Log.
- In the pop-up window, enter the desired Event ID in the field labeled (All Event IDs).
The following Event IDs are generated for the given events:
Event ID   Event Type   Description
5136       Success      A directory service object was modified.
5137       Success      A directory service object was created.
5138       Success      A directory service object was undeleted.
5139       Success      A directory service object was moved.
5141       Success      A directory service object was deleted.
- Click OK. This will provide you a list of occurrences of the Event ID entered.
- Double-click an Event ID to view its properties (description).
Event 5136 is logged when an attribute of a Group Policy object is modified (for example, versionNumber and gPCMachineExtensionNames change whenever settings are edited); 5137 and 5141 are logged when a GPO is created or deleted. The following details are logged in the event properties, among others:
- The distinguished name of the object that was modified (for a GPO, CN={GUID},CN=Policies,CN=System,DC=...).
- The SID and name of the account that requested the operation.
- The LDAP display name and value of the attribute that was modified (5136 only).
- The type of operation performed, i.e., whether a value was added to or removed from the attribute (5136 only).
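Rather than filtering the Event Viewer one ID at a time, the fields described above can be pulled out of the event XML with PowerShell. The script below is an added example (not the article's or ADAudit Plus's code): it queries every DC, keeps only events whose ObjectClass is groupPolicyContainer, flattens the EventData into objects, and resolves the GUID in the distinguished name back to the GPO display name. It assumes the ActiveDirectory and GroupPolicy RSAT modules and that the Remote Event Log Management firewall rules are enabled on the DCs.

```powershell
# Added example: collect GPO-related directory service change events from every DC.
# Assumes ActiveDirectory and GroupPolicy RSAT modules and remote Security log access to the DCs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$since = (Get-Date).AddHours(-24)

# OperationType in 5136 is a message-resource reference, not readable text
$operationType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
$eventName     = @{ 5136 = 'Modified'; 5137 = 'Created'; 5138 = 'Undeleted'; 5139 = 'Moved'; 5141 = 'Deleted' }

function Resolve-GpoName {
    param([string]$ObjectDN)
    # A GPO's DN is CN={GUID},CN=Policies,CN=System,<domain>; look the GUID up
    if ($ObjectDN -match '^CN=\{([0-9a-fA-F-]{36})\}') {
        try   { return (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName }
        catch { return "(no longer exists: $($Matches[1]))" }
    }
    return $null
}

$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # A change can be made on any DC, so every DC's Security log is queried
    $raw = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5138, 5139, 5141
        StartTime = $since
    }
    foreach ($e in $raw) {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

        # Only GPO objects are of interest here
        if ($d['ObjectClass'] -ne 'groupPolicyContainer') { continue }

        $op = if ($d['OperationType']) { $operationType[$d['OperationType']] } else { $null }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            DC        = $dc
            EventId   = $e.Id
            Action    = $eventName[$e.Id]
            Actor     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Gpo       = Resolve-GpoName $d['ObjectDN']
            ObjectDN  = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']   # 5136 only
            Operation = $op                              # 5136 only
            Value     = $d['AttributeValue']             # 5136 only
        }
    }
}

$events | Sort-Object Time |
    Format-Table Time, DC, Action, Actor, Gpo, Attribute, Operation, Value -AutoSize
```

A single edit of a GPO typically produces several 5136 events (versionNumber plus the relevant gPC*ExtensionNames attributes), so expect more rows than changes; the Value column shows the new attribute value, not the policy setting that was changed.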
Limitations of native auditing:
- To keep track of critical events, an administrator would have to search for each Event ID and view its properties. This is highly impractical even for a small organization.
- The insight provided by native auditing is insufficient. Even if the administrator keeps track of the events, they would still not be able to know if a change is a sign of atypical user behavior.
- The events mentioned above identify the GPO only by its GUID-based distinguished name and, for 5136, the Active Directory attribute that changed; they do not show the old and new values of the policy settings themselves, which are stored in SYSVOL.
- A Group Policy change could be performed from any DC in the domain. An administrator would have to monitor events on each DC, which is an excessive amount of work. A centralized tool to monitor events from all the DCs would reduce the work immensely.
Steps to audit Group Policy changes using ManageEngine ADAudit Plus
- Open the ADAudit Plus console and log in as an administrator.
- Navigate to Reports > Active Directory > GPO Management > Recently Modified GPOs.
Monitor GPO creation, deletion, and modification in real time with in-depth reports.
Monitor all links added or removed to Group Policy objects in order to perform necessary remedial actions.
View the values of GPO settings that were changed, and analyze unwanted GPO changes, if any, with old and new values.
Receive email or SMS alerts for critical GPO changes, and automate scripts to be run in such instances.
Advantages of using ADAudit Plus over native auditing:
- ADAudit Plus provides detailed insight into the Group Policy changes made on each DC in your domain. Get comprehensive reports regarding the who, when, and what of GPO changes, updated in real time.
- The reports grouped under GPO setting changes allow you to view more detailed, distinct reports for each subcategory of GPOs. For example, password policy, account lockout policy, administrative templates, user rights assignment, etc.
- View changes made to the access control list (ACL) of Group Policies, and view the old and new ACL values under Group Policy Permission Changes.