Monitoring Group Policy in Windows Server
A lot of people at MMS asked about this functionality. There are a couple of companies offering solutions that enable complex auditing of Group Policy: Quest, Desktop Standard, NetIQ (see the links for details about each product). Unfortunately, the built-in capabilities of Windows Server for auditing Group Policy are somewhat limited. You can still do a subset of what the above products do with only the built-in auditing mechanism. Here you will find more information:
https://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx
https://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20052&pg=2
Both methods rely on Windows auditing of AD and file system objects. Rory specifically asked me about monitoring the Block Inheritance attribute. This is an attribute of an OU, not a GPO, which implies using DS auditing and enabling auditing for attribute changes. However, I did not have time to test whether the event in the Security log would contain enough information to deduce that the Block Inheritance setting on that OU changed. Besides, enabling auditing of all changes on a domain controller can render the Security log unreadable. There is some hope in future products: the new event logging in Vista (Crimson) or ACS in MOM 2007.
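As an added example (not from this post or the linked articles), here is how the Block Inheritance question above could be answered from the Security log on Windows Server 2008 or later, where the "Directory Service Changes" audit subcategory writes event 5136 ("A directory service object was modified") for attribute changes. The post predates that event, so the event ID, its EventData field names and the operation-type tokens used below are assumptions drawn from later Windows documentation rather than from the page. The example goes slightly beyond the post by also surfacing GPO edits through the versionNumber attribute of groupPolicyContainer objects, and it keeps the SACL narrow (one property, on OUs only) to address the log-noise concern.

```powershell
# Added example, not part of the original post. Assumes Windows Server 2008 or later,
# where the "Directory Service Changes" audit subcategory logs Security event 5136 for
# attribute modifications. The 2006 post predates this event and does not test it.
#
# Prerequisites (once, on a domain controller, elevated):
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
# plus a SACL entry on the OU (ADUC: Properties > Security > Advanced > Auditing)
# that audits "Write gPOptions" for Everyone. Without a matching SACL entry no 5136
# event is written; auditing one property on OUs keeps the Security log readable.

function Get-GpInheritanceAuditEvents {
    param(
        [datetime] $StartTime = (Get-Date).AddDays(-7)
    )

    # A narrow filter hashtable is far cheaper than Where-Object over the whole log.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136
        StartTime = $StartTime
    }

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml = [xml] $e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # One modification logs two 5136 events: "Value Deleted" (%%14675) for the old
        # value and "Value Added" (%%14674) for the new one. Report the new value only.
        if ($d['OperationType'] -ne '%%14674') { continue }

        $actor = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"

        switch ($d['AttributeLDAPDisplayName']) {
            # gPOptions on an OU (or the domain head): low bit (value 1) set = Block Inheritance.
            'gPOptions' {
                $val = 0
                [void][int]::TryParse($d['AttributeValue'], [ref] $val)
                $change = if (($val -band 1) -eq 1) { 'Block Inheritance ENABLED' }
                          else                     { 'Block Inheritance disabled' }
                [PSCustomObject]@{
                    Time   = $e.TimeCreated
                    Change = $change
                    Object = $d['ObjectDN']
                    Class  = $d['ObjectClass']
                    Actor  = $actor
                }
            }
            # versionNumber on a groupPolicyContainer increments every time the GPO is edited.
            'versionNumber' {
                if ($d['ObjectClass'] -eq 'groupPolicyContainer') {
                    [PSCustomObject]@{
                        Time   = $e.TimeCreated
                        Change = "GPO edited (versionNumber now $($d['AttributeValue']))"
                        Object = $d['ObjectDN']
                        Class  = $d['ObjectClass']
                        Actor  = $actor
                    }
                }
            }
        }
    }
}

# Usage: run on a domain controller (or against one with -ComputerName added to Get-WinEvent).
Get-GpInheritanceAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

Because each row carries the OU's distinguished name, the new gPOptions value and the account that wrote it, the event does contain enough to deduce a Block Inheritance change; the remaining caveat is that the SACL must exist on every OU you care about (inherited SACLs on the domain head cover this), and that audit policy itself should be monitored so nobody quietly disables it.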
Comments
- Anonymous
May 10, 2006
"ACS in MOM2007" -- is there any chance for real security events processing and (more important) storing in reasonable form?
- Anonymous
May 10, 2006
Audit collection system will be included in MOM 2007. It's still beta, but an overview you can see at:
http://download.microsoft.com/documents/australia/WINDOWS/MACSOverview.doc.
The events will be stored in SQL (much more reasonable than event viewer:))