Shawn- You can use AD auditing to see changes to a GPO, since any GPO that is modified touches both the Group Policy Container object in AD as well as SYSVOL. Using the AD auditing event is a quick and dirty way of finding out who changed the GPO, although, as Gil mentioned, you can't really tell what was changed. If you audit SYSVOL as well, then you can at least pinpoint what policy area was modified by seeing which file within SYSVOL was affected.
Darren -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 5:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] File and Object auditing on the Sysvol and Policies directory explicitly should do the trick???...At least this would show who was making changes. At that point I can confront that person.. Sound correct? Thanks Gil Shawn -----Original Message----- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 5:12 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] You can set up auditing in AD on the GPOs themselves by setting the SACLs... The accesses will show up in the security audit log. You can likewise set up auditing on the SYSVOL to track changes on the files. Use your favorite event log collector (e.g., Microsoft's MACS, which is in Beta). But translating the resulting mess of event log entries into something meaningful will be a challenge. And you won't be able to tell specifically what was changed.... Just that it was changed. -gil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 3:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Great, but anything built in to the OS? Anyway I can point a finger at a DBA that is poking is hands where they do not belong. Please don't ask why they have rights....aarrgghhh Shawn -----Original Message----- From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 4:46 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] FullArmor FAZAM GPO Auditor... www.fullarmor.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 28, 2003 2:26 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] I believe a GPO was modified by someone with the appropriate 'rights', but that person did not communicate changes were to be made and now we see some strange issues.... Issues are not the point of this question. Does anyone know of a way to determine who modified the GPO? Thanks in advance, Shawn List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/