Change Guardian monitors the following in Group Policy:
Group Policy objects
Preferences
Settings
Starter group policy objects
SYSVOL
This section provides the following information:
Complete the following tasks to start monitoring Group Policy events:
Task | See |
---|---|
Complete the prerequisites | |
Add the license key | |
Configure Change Guardian | |
Triage events | |
Ensure that you have completed the following:
Complete the following tasks to configure Change Guardian server to monitor GPO events.
NOTE: Change Guardian documentation provides the third-party configuration steps for ease of use. For more information about the third-party products or for any issues with the configuration, see their documentation.
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
Configure SACL to generate events for operations that can result in, or are related to, changes in GPO data stored in Active Directory.
To configure SACL:
Log in as an administrator to the computer in the domain you want to configure.
To open ADSI Edit configuration tool, run adsiedit.msc at the command prompt.
Right-click ADSI Edit, and then select Connect to.
In the Connection Settings window, specify the following:
Name as Default naming context.
Path to the domain to configure.
If you are performing this step for the first time, select Default naming context.
If you are performing this step for the second time, select Schema.
If you are performing this step for the third time, select Configuration.
In Connection Point, set Select a well known Naming Context to Default naming context.
In the ADSI Edit window, expand Default naming context.
Right-click the node under the connection point (begins with DC=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.
Configure auditing to monitor every user:
Click Select a principal and type everyone in Enter the object name to select.
Specify the following options:
Type as All
Select Permissions as:
Delete
Create Organizational Unit objects
Select Properties as:
Write gPLink
Write gPOptions
Deselect the option Apply these auditing entries to objects and/or containers within this container only.
In Connection Point, set Select a well known Naming Context to Configuration.
Expand Configuration.
Right-click the node under the connection point (begins with CN=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.
Configure auditing to monitor every user:
Click Select a principal and type everyone in Enter the object name to select.
Specify the following options:
Type as All
Select Permissions as:
Delete
Create Sites Container objects
Select Properties as:
Write gPLink
Write gPOptions
Deselect Apply these auditing entries to objects and/or containers within this container only.
In Applies to or Apply onto, select This object and all descendant objects.
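To confirm that the audit entries from the procedure above are actually present, the following added example reads the SACL on the Default naming context and the Configuration naming context and reports each expected entry. It is not part of Change Guardian or its documentation; the function names Get-SchemaGuid and Test-GpoSacl are hypothetical, and it assumes the RSAT ActiveDirectory module and a session that is allowed to read SACLs.

```powershell
# Added example: verifies the audit entries described above. Not Change Guardian code.
# Assumes the RSAT ActiveDirectory module and a session allowed to read SACLs.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Resolve a schemaIDGUID by lDAPDisplayName instead of hardcoding it.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

function Test-GpoSacl([string]$Dn, [string]$ChildClass) {
    $adr = [System.DirectoryServices.ActiveDirectoryRights]
    $sid = [System.Security.Principal.SecurityIdentifier]
    # Keep only Everyone (S-1-1-0) entries that audit success and failure ("All").
    $rules = @((Get-Acl -Path "AD:\$Dn" -Audit).GetAuditRules($true, $true, $sid) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' -and
            $_.AuditFlags -eq [System.Security.AccessControl.AuditFlags]'Success, Failure' })

    $expected = @(
        @{ Name = 'Delete';             Right = $adr::Delete;        Guid = [guid]::Empty }
        @{ Name = "Create $ChildClass"; Right = $adr::CreateChild;   Guid = (Get-SchemaGuid $ChildClass) }
        @{ Name = 'Write gPLink';       Right = $adr::WriteProperty; Guid = (Get-SchemaGuid 'gPLink') }
        @{ Name = 'Write gPOptions';    Right = $adr::WriteProperty; Guid = (Get-SchemaGuid 'gPOptions') }
    )
    foreach ($e in $expected) {
        # An entry with an empty ObjectType covers every class or attribute.
        $hit = $rules | Where-Object { $_.ActiveDirectoryRights.HasFlag($e.Right) -and
            ($_.ObjectType -eq $e.Guid -or $_.ObjectType -eq [guid]::Empty) } |
            Select-Object -First 1
        [pscustomobject]@{
            Container = $Dn
            Entry     = $e.Name
            Present   = [bool]$hit
            AppliesTo = if ($hit) { $hit.InheritanceType } else { $null }
        }
    }
}

# Default naming context: Delete, Create Organizational Unit objects, gPLink, gPOptions.
Test-GpoSacl -Dn $rootDse.defaultNamingContext -ChildClass 'organizationalUnit'
# Configuration: Delete, Create Sites Container objects, gPLink, gPOptions.
Test-GpoSacl -Dn $rootDse.configurationNamingContext -ChildClass 'sitesContainer'
```

Every row should show Present as True; an AppliesTo value of All corresponds to This object and all descendant objects.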
Group Policy Objects: Policies about deleting and modifying group policies and domain policies
Group Policy Preferences: Policies about changes to local user and group preferences to GPO
Group Policy Settings: Policies about modifying software settings
Starter Group Policy Objects: Policies about creating, deleting, and modifying starter group policies
SYSVOL: Policies about changing Central Store and SYSVOL folder
For information about creating policies, see Creating Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.