In addition to Joe's and Darren's suggestions, you could just check
security logs. By default (in WS03, I don't have a W2k environment
running at the moment), there are two ACEs (inheritable to OUs) in the
SACL for the domain object:
Ace[0]
Ace Type: 0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x42
CONTAINER_INHERIT_ACE
Object Ace Mask: 0x00000020
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x3
ACE_OBJECT_TYPE_PRESENT
ACE_INHERITED_OBJECT_TYPE_PRESENT
Object Ace Type: Attr - gPLink
Inherited object type: Class - organizationalUnit
Object Ace Sid: Everyone S-1-1-0
Ace[1]
Ace Type: 0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x42
CONTAINER_INHERIT_ACE
Object Ace Mask: 0x00000020
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x3
ACE_OBJECT_TYPE_PRESENT
ACE_INHERITED_OBJECT_TYPE_PRESENT
Object Ace Type: Attr - gPOptions
Inherited object type: Class - organizationalUnit
Object Ace Sid: Everyone S-1-1-0
Thus, you don't have to configure anything in order to start auditing.
Just look at the security log for event ID 566. Unfortunately, as Darren
pointed out, GPO names aren't written to the events but rather the GUID
for the GPO :( In addition, when a GPO is linked to a container, only an
event is written indicating that a change on the gPLink attribute occurred.
Below is a sample event from the security log for linking a GPO to an
OU:
2/25/2005 8:02:31 AM Security Success Audit
Directory Service Access 566 SANAO\OU02Admin DC01 "Object
Operation:
Object Type: organizationalUnit
Object Name: OU=OU02,DC=DC=sanao,DC=com
Accesses: Write Property
Properties:
Write Property
Default property set
gPLink
If a GPO is created and linked to an OU with e.g. the GPMC command (Create
and link a GPO here...), five events with event ID 566 are created in
the security log; three of them with the GUID of the GPO. Go and
figure... :)
My point: the security log will have an answer to your question of when the
linking occurred.
Rgds
Mika
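One way to put Mika's observation and Darren's caveat to work on the defender's side, as an added example that is not from the thread or from any of its authors: filter 566 events down to "Write Property on gPLink of an organizationalUnit", and then, because the event only tells you that gPLink changed, diff the OU's gPLink value before and after to name the GPO GUID that was added, removed or re-optioned. The sample event text is constructed after the one posted above, the second GUID and all helper names are assumptions, and the first GUID is the well-known Default Domain Policy GUID.

```python
"""Turn event 566 / gPLink audit data into an answer to "which GPO, when?".

Constructed sample data, modelled on the event posted in the thread; the
helper names and the second GPO GUID are assumptions, not from the thread.
"""
import re
from dataclasses import dataclass

# gPLink is one string made of "[LDAP://<GPO DN>;<options>]" entries.
GPLINK_ENTRY_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GPO_GUID_RE = re.compile(r"cn=\{([0-9a-f-]{36})\}", re.IGNORECASE)
HEADER_RE = re.compile(r"\b566\s+(\S+)\s+(\S+)")  # "566 <account> <DC>"


@dataclass(frozen=True)
class GpLink:
    guid: str
    dn: str
    disabled: bool   # option bit 1: link disabled
    enforced: bool   # option bit 2: link enforced ("No Override")


def parse_gplink(value: str) -> list[GpLink]:
    """Split a gPLink attribute value into its links, in stored order."""
    links = []
    for dn, opts in GPLINK_ENTRY_RE.findall(value or ""):
        m = GPO_GUID_RE.search(dn)
        if m is None:
            continue  # malformed entry: skip rather than crash the monitor
        o = int(opts)
        links.append(GpLink(m.group(1).upper(), dn, bool(o & 1), bool(o & 2)))
    return links


def diff_gplink(old: str, new: str) -> dict[str, list[str]]:
    """Name the GPO GUIDs added, removed or re-optioned between two values."""
    old_by = {l.guid: l for l in parse_gplink(old)}
    new_by = {l.guid: l for l in parse_gplink(new)}
    return {
        "added": sorted(new_by.keys() - old_by.keys()),
        "removed": sorted(old_by.keys() - new_by.keys()),
        "changed": sorted(g for g in old_by.keys() & new_by.keys()
                          if old_by[g] != new_by[g]),
    }


def gplink_write_from_566(event_text: str):
    """Return who wrote gPLink on which OU if the 566 event says so, else None."""
    fields, props, in_props = {}, [], False
    for raw in event_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Properties:"):
            in_props = True          # everything after this is the property list
        elif in_props:
            props.append(line)
        elif ":" in line:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
    hdr = HEADER_RE.search(event_text)
    if (hdr is None or fields.get("Object Type") != "organizationalUnit"
            or "Write Property" not in fields.get("Accesses", "")
            or "gPLink" not in props):
        return None
    return {"ou": fields["Object Name"], "account": hdr.group(1), "dc": hdr.group(2)}


# Constructed sample event, modelled on the one in the thread (DN cleaned up).
SAMPLE_566 = """2/25/2005 8:02:31 AM Security Success Audit Directory Service Access 566 SANAO\\OU02Admin DC01
Object Operation:
Object Type: organizationalUnit
Object Name: OU=OU02,DC=sanao,DC=com
Accesses: Write Property
Properties:
Write Property
Default property set
gPLink
"""

# Constructed gPLink values: before, the OU only had the Default Domain Policy
# linked; after, that link was set to enforced and a second (made-up) GPO linked.
GPLINK_BEFORE = ("[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},"
                 "cn=policies,cn=system,DC=sanao,DC=com;0]")
GPLINK_AFTER = ("[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},"
                "cn=policies,cn=system,DC=sanao,DC=com;2]"
                "[LDAP://cn={11111111-2222-3333-4444-555555555555},"
                "cn=policies,cn=system,DC=sanao,DC=com;0]")

if __name__ == "__main__":
    hit = gplink_write_from_566(SAMPLE_566)
    print("gPLink write:", hit)
    print("what changed:", diff_gplink(GPLINK_BEFORE, GPLINK_AFTER))
```

The "before" value has to come from somewhere the event does not give you: a periodic snapshot of each OU's gPLink, or the value recorded by your own monitoring before the 566 event landed. Resolving a GUID to a display name is then a lookup of the GPO's cn={GUID} object under cn=policies,cn=system.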
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 9. maaliskuuta 2005 23:29
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date
Yep. The other thing you could do is look at the metadata for the gplink
attribute. This will tell you the last time it was updated and where the
change was mastered but that is about it.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, March 09, 2005 3:53 PM
To: [email protected]
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date
Not easily. The way this works is that the DN of the GPC object is
stored on the gpLink attribute on the container object in question. So
you could audit on that container object (OU) for changes to gpLink but
then you have to figure out which GPO was added/removed by its DN. So
it's a container-centric thing rather than a GPO-centric thing.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, March 09, 2005 12:11 PM
To: [email protected]
Subject: [ActiveDir] Speaking of DAs...GP link Date
Speaking of domain admins. Anyone know of a way to find out when a GP
was linked to an OU? (or alternatively when the links on the GP were last
updated)?
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/