David- It depends upon what you are really interested in seeing. There is no good way, out-of-the-box, to audit what change was actually made to a particular GPO setting in either Win2K or Win2k3. If you just want to see that "somebody" made "some" change to a GPO, then you can use DS auditing to look for changes to the Group Policy Container (GPC) object representing a given GPO, which is what you've already discovered. If you set up file auditing on the SYSVOL part of the GPO (the GPT), then you will only get that a particular file in a particular GPO was changed--you won't get any more detail than that. That can give you some inkling as to what policy area was changed, since each policy area stores its settings in different folders in the GPT.
The alternative is to go to some 3rd party solution--there are several vendors now that offer more detailed change tracking of GPO. Darren -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Wednesday, July 07, 2004 10:17 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Question on Auditing GPO Changes What's the best way to audit for GPO changes? I enabled "Audit directory service access", which causes an audit event to occur, but it also does the same for other kinds of DS changes, which make it a bit more cumbersome. This is for Windows 2000, btw. Is it easier to do with W2K3? I thought perhaps auditing for the actual file level changes, but I'm not sure if that's a much cleaner solution... List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
