Free enterprise licenses to all members of this list? ;> > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gil > Kirkpatrick > Sent: Thursday, July 08, 2004 11:32 > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Question on Auditing GPO Changes > > <shameless product plug> > NetPro's Change Auditor for AD also tracks GPO changes, along > with _all_ other aspects of AD configuration, and provides > who, what, when, where, and why something was changed, as > well as before and after values for each changed > configuration items. See > http://www.netpro.com/products/changeauditor/index.cfm. > </shameless product plug> > > -gil > > Gil Kirkpatrick > CTO, NetPro > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott > Sent: Wednesday, July 07, 2004 11:24 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Question on Auditing GPO Changes > > Full Armor's GPO Repository would be a good choice. > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of > Darren Mar-Elia > Sent: Wednesday, July 07, 2004 12:33 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Question on Auditing GPO Changes > > > David- > It depends upon what you are really interested in seeing. > There is no good way, out-of-the-box, to audit what change > was actually made to a particular GPO setting in either Win2K > or Win2k3. If you just want to see that "somebody" made > "some" change to a GPO, then you can use DS auditing to look > for changes to the Group Policy Container (GPC) object > representing a given GPO, which is what you've already > discovered. If you set up file auditing on the SYSVOL part of > the GPO (the GPT), then you will only get that a particular > file in a particular GPO was changed--you won't get any more > detail than that. That can give you some inkling as to what > policy area was changed, since each policy area stores its > settings in different folders in the GPT. > > The alternative is to go to some 3rd party solution--there > are several vendors now that offer more detailed change > tracking of GPO. > > Darren > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of David Adner > Sent: Wednesday, July 07, 2004 10:17 AM > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Question on Auditing GPO Changes > > What's the best way to audit for GPO changes? I enabled > "Audit directory service access", which causes an audit event > to occur, but it also does the same for other kinds of DS > changes, which make it a bit more cumbersome. > This is for Windows 2000, btw. Is it easier to do with W2K3? > > I thought perhaps auditing for the actual file level changes, > but I'm not sure if that's a much cleaner solution... > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
