I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV.
GP editing does leave an auditable trail of directory accesses and file accesses. Here is how to enable auditing for Group Policy, and how to interpret the results.
Here are the audit records that are generated if you do this. My comments on the fields to pay special attention to follow those fields in parentheses.
Type: Audit Success
Event ID: 566
Time: 4/3/2005 7:39:13 PM
Source: Security
Computer: ACSDEMO-COLL
Category: Directory Service Access
User: CONTOSO\Administrator
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1} (this GUID means that the object is of type groupPolicyObject)
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
(policy objects always have GUIDs for common names; use GPMC to find the friendly name)
(the Default Domain Policy and Default Domain Controllers Policy have well-known GUIDs; all other policy GUIDs are random)
Handle ID: -
Primary User Name: ACSDEMO-COLL$ (the primary user is always the machine account, since the DS runs as LocalSystem)
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator (client user is the user who made the change, being impersonated by DS)
Client Domain: CONTOSO
Client Logon ID: (0x0,0x2F6C8)
Accesses: Write Property
Properties: Write Property
%{771727b1-31b8-4cdf-ae62-4fe39fadf89e}
%{bf967a76-0de6-11d0-a285-00aa003049e2}
%{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Additional Info:
Additional Info2:
Access Mask: 0x20
Type: Audit Success
Event ID: 560
Time: 4/3/2005 7:39:14 PM
Source: Security
Computer: ACSDEMO-COLL
Category: Object Access
User: CONTOSO\Administrator
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI
(what file name you see here depends on which settings were edited. Note that for security policy GPEdit works on a temp file and then writes the original:
C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.tmp
C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
I've described most of the file names you're likely to see further down in this post.)
Handle ID: 2600
Operation ID: {0,1741006}
Process ID: 4
Image File Name:
Primary User Name: ACSDEMO-COLL$
Primary Domain: CONTOSO
Primary Logon ID: (0x0,0x3E7)
Client User Name: Administrator
Client Domain: CONTOSO
Client Logon ID: (0x0,0x1A8F5C)
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
We cannot audit exactly which setting changed. I have bugged the group policy team any number of times about this, but I think that due to resource issues this won't improve much in the foreseeable future. The bottom line is that GPEDIT.MSC edits the policy file directly; there's no intervening trusted service to instrument for audit. In a future release of Windows I hope to fix this.
However, you can narrow changes down to a settings group (security vs. non-security) depending on which file was touched on SYSVOL. If security policy is touched, GptTmpl.inf will change. If the list of .adm files used to construct the policy changes, admfiles.ini will change. If registry-based settings outside security policy change, registry.pol will change.
Here's my brief key of which directory\file names refer to which settings group. Given the directory structure for a single policy (\\domain\sysvol\domain.fqdn\policies\{policyguid}\):
The User and Machine folders are created at install time, and the other folders are created as needed when policy is set.
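An added example (my own code, not Eric's and not a Microsoft tool) that applies the file-name key above to the two records shown earlier: it parses the 566 and 560 event text into fields and reports who touched which GPO and which settings group. The sample records are constructed from the two events in the post; the Default Domain Controllers Policy GUID is the well-known Windows value, which the post mentions but does not print.

```python
import re
# Settings group carried by each SYSVOL file name (the key the post describes).
FILE_TO_SETTINGS = {"gpttmpl.inf": "security policy", "gpttmpl.tmp": "security policy (GPEdit temp)",
                    "registry.pol": "registry-based settings outside security policy",
                    "admfiles.ini": "list of .adm files used to build the policy", "gpt.ini": "policy metadata"}
WELL_KNOWN_GPOS = {"{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
                   "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy"}
GPO_CLASS_GUID = "{F30E3BC2-9FF0-11D1-B603-0000F80367C1}"  # groupPolicyContainer schema class

def parse_event(text):
    """Split 'Key: value' lines; lines that are not 'Key:' extend the previous key."""
    fields, last = {}, None
    for line in text.strip().splitlines():
        key, sep, val = line.partition(":")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z0-9 ]*", key.strip()):
            last = key.strip()
            fields[last] = val.strip()
        elif last:  # multi-line Accesses / Properties block
            fields[last] += "\n" + line.strip()
    return fields

def classify(fields):
    """Who changed which GPO and which settings group, for a 566 or 560 record (else None)."""
    who = f"{fields.get('Client Domain', '?')}\\{fields.get('Client User Name', '?')}"
    name = fields.get("Object Name", "")
    m = re.search(r"\{[0-9A-F-]{36}\}", name, re.I)  # GPO GUID is the CN / SYSVOL folder name
    guid = m.group(0).upper() if m else None
    gpo = WELL_KNOWN_GPOS.get(guid, "custom GPO (look up in GPMC)")  # other GUIDs are random
    eid, accesses = fields.get("Event ID"), fields.get("Accesses", "")
    if eid == "566" and fields.get("Object Type", "").lstrip("%").upper() == GPO_CLASS_GUID:
        return {"user": who, "gpo": gpo, "scope": "GPO container in AD", "write": "Write Property" in accesses}
    if eid == "560" and guid and fields.get("Object Type") == "File":
        fname = name.rsplit("\\", 1)[-1].lower()
        return {"user": who, "gpo": gpo, "scope": FILE_TO_SETTINGS.get(fname, "other: " + fname),
                "write": "WriteData" in accesses}
    return None

# Constructed records, trimmed from the two events shown in the post.
EVENT_566 = r"""Event ID: 566
Object Type: %{f30e3bc2-9ff0-11d1-b603-0000f80367c1}
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=contoso,DC=com
Client User Name: Administrator
Client Domain: CONTOSO
Accesses: Write Property"""
EVENT_560 = r"""Event ID: 560
Object Type: File
Object Name: C:\WINDOWS\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
Client User Name: Administrator
Client Domain: CONTOSO
Accesses: READ_CONTROL
WriteData (or AddFile)"""
```

Feed it the Description text of each 566/560 record pulled from the Security log; a record whose Object Name carries no GPO GUID is ignored.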
Here is some additional information on the structure of group policy: https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/eb0042e3-699b-4c49-abcc-e3526dbecc0e.mspx
I can't solve all your group policy monitoring woes, I just wanted to document what you'll see in the logs. There are at least three products on the market that can monitor which specific settings changed that you can buy if you need more functionality than what I've described here.
Best regards,
Eric
Anonymous
August 08, 2005
I didn't realize it had been so long ;-)
Anonymous
May 08, 2006
Lots of people at MMS asked about this functionality. There are a couple of companies offering solutions...
Anonymous
January 05, 2011
I've tried the option "To get the audit trail from AD, you must do the following", but I can't!
The only 566 event was:
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 1/5/2011
Time: 2:01:14 PM
User: PETROBRAS\eanrh4
Computer: SEP00DC03
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Grupos para Scripts,OU=TIRJ_MARACANA,OU=Clientes,OU=TI-RIO,OU=Unidades,DC=ep,DC=petrobras,DC=biz
Handle ID: -
Primary User Name: SEP00DC03$
Primary Domain: EP
Primary Logon ID: (0x0,0x3E7)
Client User Name: eanrh4
Client Domain: PETROBRAS
Client Logon ID: (0x0,0x1DD8B855)
Accesses: Write Property
Properties:
Write Property
Default property set
gPLink
gPOptions
organizationalUnit
Additional Info:
Additional Info2:
Access Mask: 0x20
For more information, see Help and Support Center at go.microsoft.com/.../events.asp.
Can anyone help me ?
Anonymous
January 18, 2011
What failure is occurring? Are you a domain admin?
Anonymous
June 08, 2011
Microsoft does offer a solution for GP auditing, called "Advanced Group Policy Management", part of the Microsoft Desktop Optimization Pack (MDOP): www.microsoft.com/.../agpm.aspx
You might already have a license for this depending on how you purchase licenses.