Change Guardian monitors the following in Group Policy:
Group Policy Objects
Preferences
Settings
Starter group policy objects
SYSVOL
This section provides the following information:
Complete the following tasks to start monitoring Group Policy events:
Task | See |
---|---|
Complete the prerequisites | |
Add the license key | |
Configure Change Guardian for monitoring | |
Triage events | |
Ensure that you have completed the following:
Complete the following tasks to configure Change Guardian server to monitor GPO events:
NOTE: Ensure that you have the required permission to complete these tasks. Check with your network or system administrator for assistance.
Configure SACL to generate events for operations that can result in, or are related to, changes in GPO data stored in Active Directory.
To configure SACL:
Log in as an administrator to the computer in the domain you want to configure.
To open the ADSI Edit configuration tool, run adsiedit.msc at the command prompt.
Right-click ADSI Edit, and then select Connect to.
In the Connection Settings window, specify the following:
Name as Default naming context.
Path to the domain to configure.
In Connection Point, set Select a well known Naming Context to Default naming context.
In the ADSI Edit window, expand Default naming context.
Right-click the node under the connection point (begins with DC=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.
Deselect the option Apply these auditing entries to objects and/or containers within this container only.
Configure auditing to monitor every user:
Condition | Task |
---|---|
If you are using Windows Server 2012 or later | |
For Windows versions lower than 2012 | |
In Connection Point, set Select a well known Naming Context to Configuration.
Expand Configuration.
Right-click the node under the connection point (begins with CN=), and select Properties.
On the Security tab, click Advanced > Auditing > Add.
Configure auditing to monitor every user:
Condition | Task |
---|---|
If you are using Windows Server 2012 or later | |
For Windows versions lower than 2012 | |
Deselect Apply these auditing entries to objects and/or containers within this container only.
In Applies to or Apply onto, select This object and all descendant objects.
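The following read-only check confirms the result of the SACL procedure above on both naming contexts. It is an added example, not part of the Change Guardian documentation. It assumes the RSAT ActiveDirectory module, an elevated session with the right to read SACLs, and that "every user" means the Everyone principal (S-1-1-0); the function name Test-GpoAuditSacl is hypothetical.

```powershell
# Added example: verify the audit SACL set through ADSI Edit.
# Assumptions: RSAT ActiveDirectory module is installed; the session is elevated
# and run by a domain administrator (reading a SACL requires the
# "Manage auditing and security log" right); "every user" = Everyone (S-1-1-0).
Import-Module ActiveDirectory

function Test-GpoAuditSacl {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # -Audit asks Get-Acl to return the SACL as well as the DACL.
    $acl   = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    $rules = $acl.GetAuditRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    # "This object and all descendant objects" is stored as InheritanceType All.
    # An entry limited to "within this container only" has a different value.
    $wanted = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $hits = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        $_.InheritanceType -eq $wanted
    })

    [pscustomobject]@{
        DistinguishedName = $DistinguishedName
        EveryoneAuditRule = ($hits.Count -gt 0)
        # Shown for review; the page does not list the exact rights to audit,
        # so this script reports them rather than judging them.
        Rights            = ($hits.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        AuditFlags        = ($hits.AuditFlags | Sort-Object -Unique) -join '; '
    }
}

# The procedure edits the node under Default naming context (DC=...) and the
# node under Configuration (CN=...), so check both.
$rootDse = Get-ADRootDSE
$results = foreach ($dn in $rootDse.defaultNamingContext,
                           $rootDse.configurationNamingContext) {
    Test-GpoAuditSacl -DistinguishedName $dn
}
$results | Format-List

# Flag any naming context that still lacks the expected entry.
$results | Where-Object { -not $_.EveryoneAuditRule } | ForEach-Object {
    Write-Warning "No Everyone audit entry covering all descendants on $($_.DistinguishedName)"
}
```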
Group Policy Objects: Policies about deleting and modifying group policies and domain policies
Group Policy Preferences: Policies about changes to local user and group preferences to GPO
Group Policy Settings: Policies about modifying software settings
Starter Group Policy Objects: Policies about creating, deleting, and modifying starter group policies
SYSVOL: Policies about changing Central Store and SYSVOL folder
For information about creating policies, see Creating Change Guardian Policies.
After creating policies, you can assign them to assets. For information about assigning policies, see Working with Policies.