Environment
NetIQ Group Policy Guardian
Situation
GPG is not generating alerts.
Group Policy Guardian is not issuing an alert when a Group Policy Object changes.
After a Group Policy Object changes, Group Policy Guardian does not issue an alert.
Resolution
To resolve this issue, check the following items:
1. Ensure that events with the ID 9999 are being recorded in the Application Log on the GPG server.
   - If 9999 events exist, check the Report functionality (see step 2).
   - If 9999 events do NOT exist, check the Windows auditing configuration (see step 3).
2. Verify if GPG reporting can produce reports.
   - If reports can be produced, the problem is likely in the GPG Connector module; check the GPG Connector functionality (see step 4).
   - If reports do not work, the problem may be in the Reporting functionality.
3. Ensure that Windows auditing is configured properly.
   - Check for Event ID(s) 56x in the Security Log on the domain controller where GPO changes are being performed (specifically 560, 565, 566).
   - If there are no 56x events, check the Windows auditing settings by running the Domain Controller Configuration report from the GPG Console for the domain/domain controller in question.
     To run the report and check the settings:
     - In the GPG console, navigate to Domains | <domain> | Configuration | Domain Configuration Check and select Summary Report. The Report Option dialog box is displayed.
     - Select the domain or domain controllers to check. If you select the Current Domain, all domain controllers in that domain are checked. Otherwise, you can check a specific domain controller.
     - Click OK. GPG will query the specified domain controllers to validate the following items:
       - The Default Domain Controllers Policy has been enabled for Auditing.
       - The SACLs are correctly configured on the ..\SYSVOL\Policies folder.
       - The SACLs are correctly configured on the Policies and IPSec nodes in Active Directory.

     When a report finishes, GPG creates a subnode under the Domain Configuration Check node with the results of the configuration check.
   - If the report shows correct configuration, verify that the GPG service account (under which the GPG Collector runs) has the correct permissions to remotely read the Security Logs on the domain controllers. This requires Domain Admin privileges.
   - If 56x events do appear, check GPG Configuration (see step 5).
4. Ensure that events with the ID 8888 are being recorded in the GPG Log on the GPG Server machine.
   - If the 8888 events exist, then the problem is within the GPG Connector module.
   - If the 8888 events do not exist, they may take a minute or two to appear because of operating system delay/buffering. Try initiating a second change to see if the first 8888 event appears. If problems persist, contact NetIQ Technical Support.
5. If all of the above items have been checked and alerts are not being generated, perform the following before calling Technical Support:
   - Ensure that all domain controllers are assigned to a GPG Collector.
   - Ensure that the GPG Collectors and GPG Server services are all running.
   - Restart the GPG Control service on the GPG Server machine to ensure that any domain controller assignments are assigned to a GPG Collector.
   - Ensure that Audit Object Access is enabled for Success and Failure under Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies on all monitored domain controllers.
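The event-log checks in the 9999, 56x and 8888 steps above can be scripted. The following is an added Windows PowerShell example, not NetIQ code: the host names are placeholders, the `GPG Log` name is taken as written in this article and assumed to be the actual event log name, and `Get-EventLog` is available in Windows PowerShell 5.1 and earlier.

```powershell
# Added triage sketch for the 9999 / 56x / 8888 checks; not NetIQ code.
param(
    [string]$GpgServer        = 'GPGSRV01',  # placeholder host name
    [string]$DomainController = 'DC01',      # placeholder: DC where the GPO was changed
    [string]$GpgLogName       = 'GPG Log',   # assumption: confirm the log name in Event Viewer
    [int]$LookbackMinutes     = 30,
    [int]$Newest              = 5000         # most recent entries scanned per log
)

$since = (Get-Date).AddMinutes(-$LookbackMinutes)

function Get-EventCount {
    param([string]$Computer, [string]$Log, [int[]]$Ids)
    try {
        # No cmdlet-side filter is used, so an error here means the log could not be read.
        $hits = @(Get-EventLog -LogName $Log -ComputerName $Computer -Newest $Newest -ErrorAction Stop |
            Where-Object { $_.TimeGenerated -ge $since -and $Ids -contains $_.EventID })
        return $hits.Count
    } catch {
        Write-Warning "Cannot read '$Log' on ${Computer}: $($_.Exception.Message)"
        return -1   # unreadable, kept distinct from "no events"
    }
}

$n9999 = Get-EventCount -Computer $GpgServer        -Log 'Application' -Ids 9999
$n56x  = Get-EventCount -Computer $DomainController -Log 'Security'    -Ids 560, 565, 566
$n8888 = Get-EventCount -Computer $GpgServer        -Log $GpgLogName   -Ids 8888
"Counts since ${since}: 9999=$n9999  56x=$n56x  8888=$n8888  (-1 = log unreadable)"

if ($n9999 -lt 0) {
    'Step 1: Application log on the GPG server could not be read; fix access and re-run.'
} elseif ($n9999 -gt 0) {
    'Step 1: 9999 events exist. Verify that GPG reporting can produce reports (step 2).'
    if ($n8888 -gt 0)     { 'Step 4: 8888 events exist. The problem is within the GPG Connector module.' }
    elseif ($n8888 -eq 0) { 'Step 4: no 8888 events yet. Initiate a second GPO change and re-run.' }
} elseif ($n56x -lt 0) {
    'Step 3: Security log unreadable. Check the GPG service account can read it remotely.'
} elseif ($n56x -eq 0) {
    'Step 3: no 56x events. Run the Domain Configuration Check summary report.'
} else {
    'Step 3: 56x events exist. Check GPG configuration (step 5).'
}
```

Run it under the GPG service account shortly after making a test GPO change, so a read failure on the domain controller's Security Log reflects that account's permissions. On a busy domain controller, raise `-Newest` so the scan covers the whole lookback window.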
Cause
Group Policy Guardian or the operating system may be misconfigured.
Additional Information
Formerly known as NETIQKB33397