Monitoring Group Policy in Windows Server

A lot of people at MMS asked about this functionality. There are a couple of companies offering solutions that enable complex auditing of Group Policy: Quest, Desktop Standard, NETIQ (see the links for details about each product). Unfortunately, the built-in capabilities of Windows Server for auditing Group Policy are somewhat limited. You can still do a subset of what the above products do using only the built-in auditing mechanism. Here you will find more information:

http://blogs.msdn.com/ericfitz/archive/2005/08/04/447951.aspx

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20052&pg=2

Both methods rely on Windows auditing of AD and file system objects. Rory specifically asked me about monitoring the Block Inheritance attribute. This is an attribute of the OU (it is stored in the OU object's gPOptions attribute, where a value of 1 means inheritance is blocked), not of the GPO. Monitoring it therefore means using DS auditing and enabling auditing of attribute changes on the OU. However, I did not have time to test whether the event in the security log would contain enough information to deduce that the Block Inheritance setting on that OU had changed. Besides, enabling auditing of all changes on a domain controller can flood the security log to the point where it is unreadable; the SACL should be scoped to the specific OUs and attributes you actually care about. There is some hope in future products: the new event logging in Windows Vista (code-named Crimson) or Audit Collection Services (ACS) in MOM 2007.
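The following is an added example, not code from the original post: it carries out the approach described above (audit writes to the OU's gPOptions attribute, then read the resulting events) using only built-in Windows auditing. It assumes Windows Server 2008 or later, where the "Directory Service Changes" audit subcategory and event 5136 exist (the Vista-generation event log the post is hoping for; Windows Server 2003 only offers the less structured 566 event), plus the ActiveDirectory PowerShell module. The OU distinguished name is a hypothetical placeholder. Scoping the SACL to a single attribute on a single OU is what keeps the security log readable.

```powershell
# Added example (not from the original post): audit changes to an OU's
# Block Inheritance flag, which lives in the OU's gPOptions attribute.
# Assumes Windows Server 2008+ (event 5136) and the ActiveDirectory module.
Import-Module ActiveDirectory

$ouDn = "OU=Workstations,DC=contoso,DC=com"   # hypothetical OU

# 1. Enable only the narrow subcategory, not blanket "Directory Service Access".
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Resolve the schemaIDGUID of gPOptions so the SACL covers just that attribute.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=gPOptions)" -Properties schemaIDGUID
$gpOptionsGuid = New-Object System.Guid (,[byte[]]$attr.schemaIDGUID)

# 3. Add one SACL entry: successful WriteProperty on gPOptions, by anyone (S-1-1-0).
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList "S-1-1-0"
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty'
$flags    = [System.Security.AccessControl.AuditFlags]'Success'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $rights, $flags, $gpOptionsGuid

$acl = Get-Acl -Path "AD:\$ouDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl   # needs SeSecurityPrivilege on the DC

# 4. Later, on the DC: pull 5136 events and keep those that touched gPOptions.
#    5136 carries ObjectDN, the attribute name, the new/old value and the
#    subject, which is enough to answer "who flipped Block Inheritance on which OU".
function Get-BlockInheritanceChange {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.AttributeLDAPDisplayName -eq 'gPOptions') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                OU        = $d.ObjectDN
                # OperationType %%14674 = value added, %%14675 = value deleted
                Operation = if ($d.OperationType -eq '%%14674') { 'ValueAdded' } else { 'ValueDeleted' }
                # gPOptions = 1 means Block Inheritance is now on
                gPOptions = $d.AttributeValue
            }
        }
      }
}

Get-BlockInheritanceChange | Format-Table -AutoSize
```

A change of gPOptions shows up as a pair of 5136 events (the old value deleted, the new value added), so a "ValueAdded" row with gPOptions = 1 is the signal that inheritance was blocked. Steps 1 to 3 are run once per OU you want watched; step 4 is what a scheduled collector or ACS-style forwarder would run repeatedly.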

~ by alipka on May 9, 2006.
