

Group Policy: How to Detect Modifications Using Security Log Events

Why It Is Important

Group Policy-related log events are recorded in the security log on your domain controller. By reviewing Group Policy-related logs with the help of native tools, IT administrators can determine who made changes to Group Policy and when and where each change happened. However, native auditing tools don’t show critical details such as the name of the Group Policy that was changed and the type of action that was performed. To ensure that no aberrant activity slips past your radar, you need additional software that provides more insight into Group Policy modifications.  

Native Auditing

  1. Run gpedit.msc → Create a new GPO → Edit it → Go to "Computer Configuration" → Policies → Windows Settings → Advanced Audit Policy Configuration → Audit Policies/DS Access: Click "Audit Directory Service Changes" → Define → Success.
  2. Link the new GPO to Domain Controller → Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you've created.
  3. Force the Group Policy update by going to "Group Policy Management" → Right-click the defined OU → Click on "Group Policy Update".
  4. Open ADSI Edit → Connect to Default naming context → Navigate to CN=Policies,CN=System,DC=domain → Open Properties of Policies object → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and Descendant objects" → Permissions → Select the following checkboxes:
     • Create groupPolicyContainer objects
     • Delete
     • Modify Permissions
     • Write versionNumber

     Click "OK".

Event viewer

Open Event Viewer and search the Security log for event ID 5136 (Directory Service Changes category).

Screenshot (Event Viewer, event ID 5136 in the Security log): https://img.netwrix.com/howtos/group_policy_using_security_log_events_02.png
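Event Viewer shows the raw 5136 records one at a time; the following PowerShell script is an added example (not part of the original article) that pulls the same events from the domain controller's Security log, keeps only changes to groupPolicyContainer objects, and prints who changed which GPO attribute. It assumes the auditing from the steps above is already in place and that the GroupPolicy RSAT module is available to turn the GPO GUID into a display name.

```powershell
# Added example: list GPO changes recorded as Security event 5136 on a DC.
# Assumes the auditing configured in the steps above and the GroupPolicy module (for Get-GPO).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
    [int]$Hours = 24                             # how far back to look
)

# OperationType codes as they appear in the 5136 event data
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

$filter = @{
    LogName   = 'Security'
    Id        = 5136
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only GPO objects (the Policies container audited in step 4)
    if ($data['ObjectClass'] -ne 'groupPolicyContainer') { return }

    # ObjectDN looks like CN={GUID},CN=Policies,CN=System,DC=...; resolve the GUID to a name.
    # A deleted GPO no longer resolves, so fall back to the DN.
    $displayName = $null
    if ($data['ObjectDN'] -match '^CN=\{([0-9a-fA-F-]+)\}') {
        try { $displayName = (Get-GPO -Guid $Matches[1] -ErrorAction Stop).DisplayName } catch { }
    }

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        GPO       = if ($displayName) { $displayName } else { $data['ObjectDN'] }
        Attribute = $data['AttributeLDAPDisplayName']
        Operation = if ($opType.ContainsKey($data['OperationType'])) { $opType[$data['OperationType']] } else { $data['OperationType'] }
        Value     = $data['AttributeValue']
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

A change to a GPO's settings typically shows up as a "Value Added" on versionNumber (and gPCMachineExtensionNames or gPCUserExtensionNames), which is why step 4 audits "Write versionNumber" specifically.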

Credits

Originally posted - https://www.netwrix.com/group_policy_modification_using_logs.html