5.2 Configuring Group Policy Monitoring

Change Guardian monitors the following in Group Policy:

This section provides the following information:

5.2.1 Implementation Checklist

Complete the following tasks to start monitoring Group Policy events:

Task	See
Complete the prerequisites	Prerequisites
Add the license key	Adding a License Key
Configure Change Guardian for monitoring	Configuring the Security Event Log Configuring AD Auditing Configuring SACLs for GPO Categories of GPO Policies
Triage events	Section 7.0, Managing Events Section 8.0, Configuring Alerts

Ensure that you have completed the following:

Complete the following tasks to configure Change Guardian server to monitor GPO events:

NOTE:Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.

Configure SACL to generate events for operations that can result in, or are related to, changes in GPO data stored in Active Directory.

To configuration SACL:

Log in as an administrator to the computer in the domain you want to configure.
To open ADSI Edit configuration tool, run adsiedit.msc at the command prompt.
Right-click ADSI Edit, and then select Connect to.
In the Connection Settings window, specify the following:
- Name as Default naming context.
- Path to the domain to configure.
In Connection Point, set Select a well known Naming Context to Default naming context.
In the ADSI Edit window, expand Default naming context.
Right-click the node under the connection point (begins with DC=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.
Deselect the option Apply these auditing entries to objects and/or containers within this container only.

Configure auditing to monitor every user:

Condition	Task
If you are using Windows Server 2012 or later	Click Select a principal and type everyone in Enter the object name to select. Specify the following options: Type as All Select Permissions as: Delete Create Organizational Unit objects Select Properties as: Write gPLink Write gPOptions
For Windows versions lower than 2012	Type everyone in the Enter the object name to select field. Select Permissions as: Delete Create Sites Container objects Select Properties as: Write gPLink Write gPOptions

In Connection Point, select Select a well known Naming Context, and Configuration.
Expand Configuration.
Right-click the node under the connection point (begins with CN=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.

Configure auditing to monitor every user:

Condition	Task
If you are using Windows Server 2012 or later	Click Select a principal and type everyone in Enter the object name to select. Specify the following options: Type as All Select Permissions as: Delete Create Organizational Unit objects Select Properties as: Write gPLink Write gPOptions
For Windows versions lower than 2012	Type everyone in the Enter the object name to select field. Select Permissions as: Delete Create Sites Container objects Select Properties as: Write gPLink Write gPOptions

Deselect Apply these auditing entries to objects and/or containers within this container only.
In Applies to or Apply onto, select This object and all descendant objects.

Group Policy Objects: Policies about deleting and modifying group policies and domain policies

Group Policy Preferences: Policies about changes to local user and group preferences to GPO

Group Policy Settings: Policies about modifying software settings

Starter Group Policy Objects: Policies about creating, deleting, and modifying starter group policies

SYSVOL: Policies about changing Central Store and SYSVOL folder

For information about creating policies, see Creating Change Guardian Policies.

After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.