Auditing Changes to Group Policy Settings

Managing a Microsoft Windows Server infrastructure depends critically on its numerous Group Policies, each of which is a collection of settings that IT administrators or users use to centrally enforce security settings and other functional settings on users or computers across the network. The downside is that just a single setting error will cause an inevitable chain of events involving access or permissions that should not have been authorized in the first place, and will ultimately compromise IT security and irreversibly damage the organization’s data and reputation.

The solution to monitoring the numerous GPO changes is change auditing software. First, let’s take a look at the monumental challenges associated with GPO settings, which could either work wonders for an organization’s security or end up crippling its resources.

The Big Challenge: Keeping Track of GPO Changes

The figure below shows an event log. Imagine having to manually go through countless event logs to know who did what, from where, and when!

A single GPO can contain over 6,000 settings, and you could have fewer GPOs with numerous settings or numerous GPOs with focused settings. The Group Policy best practice would be to have one GPO for a set of settings, for example, Audit Policy or Security Options.

Let’s walk through two GPO settings, Password Policy and Account Lockout Policy, under the Group Policy Security settings. These GPOs are the first shield that protects your IT against hacker attacks!

A weak Password Policy setting can allow a malicious user to use brute-force, dictionary, denial of service (DoS), cryptanalysis, or other password-guessing attacks to gain network access. Next comes the Account Lockout Policy setting, which determines the number of failed logon attempts after which a user account will be locked out. These two settings go hand in hand to ward off password attacks.

Ideal Password Policy Setting

Enforce password history – 3

Maximum password age – 42

Minimum password age – 30

Minimum password length – 8

Password must meet complexity requirements – Enabled

Store passwords using reversible encryption – Not Defined

Ideal Account Lockout Policy Setting

Account lockout duration – 30

Account lockout threshold – 5 invalid logon attempts

Reset account lockout counter after – 30

There are numerous GPO settings that can be changed, and even the seemingly tiniest setting should be set correctly. When a setting is incorrect, the damage to IT security can be permanent. Let’s now prepare to see the much-awaited solution.

The Solution: Know the Before & After GPO Values

ManageEngine ADAudit Plus, a web-based auditing software for Windows Server environments, provides the before and after GPO value of every policy setting change for every GPO. In case of an erroneous setting, this knowledge will help you immediately roll back to the previous, correct setting.
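As an added illustration of the before/after comparison (this is not ADAudit Plus code or output), the Python example below diffs two constructed snapshots of a GPO security template and checks each changed value against the Password Policy and Account Lockout Policy values listed above. It assumes the settings are read from the `[System Access]` section of a `GptTmpl.inf`-style template; the key names, function names and sample snapshots are not from the original article.

```python
import configparser

# Baseline = the values listed above; None stands for "Not Defined".
# Key names: [System Access] keys of a security template (assumed format).
BASELINE = {
    "PasswordHistorySize": "3", "MaximumPasswordAge": "42",
    "MinimumPasswordAge": "30", "MinimumPasswordLength": "8",
    "PasswordComplexity": "1", "ClearTextPassword": None,
    "LockoutDuration": "30", "LockoutBadCount": "5", "ResetLockoutCount": "30",
}

# Constructed sample: a template snapshot taken before a GPO edit ...
BEFORE = """[System Access]
MinimumPasswordAge = 30
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
"""
# ... and after it: shorter passwords, lockout disabled, reversible encryption on.
AFTER = (BEFORE.replace("MinimumPasswordLength = 8", "MinimumPasswordLength = 4")
         .replace("LockoutBadCount = 5", "LockoutBadCount = 0")
         .replace("PasswordComplexity = 1", "PasswordComplexity = 1\nClearTextPassword = 1"))

def system_access(inf_text):
    """Return the [System Access] settings of a template as a dict of strings."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    return {key: value.strip() for key, value in section.items()}

def audit_change(before_text, after_text):
    """Return (setting, before, after, matches_baseline) for each changed setting."""
    before, after = system_access(before_text), system_access(after_text)
    findings = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            findings.append((key, old, new, BASELINE.get(key, new) == new))
    return findings

if __name__ == "__main__":
    for key, old, new, ok in audit_change(BEFORE, AFTER):
        print(f"{key}: {old} -> {new} [{'baseline' if ok else 'DEVIATES'}]")
```

Template files read from disk are typically UTF-16 encoded, so decode them before passing the text to `system_access`.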

The GPO audit reports shown below let you monitor every Group Policy setting change within a Domain and OU. You can automate the process to have the reports sent to your inbox and set instant e-mail alerts for critical changes.

  • Group Policy Settings Changes Report
  • Computer Configuration Changes Report
  • User Configuration Changes Report
  • Password Policy Changes Report
  • Account Lockout Policy Changes Report
  • Security Settings Changes Report
  • Administrative Template Changes Report
  • User Rights Assignment Changes Report
  • Windows Settings Changes Report
  • Group Policy Permission Changes Report
  • Group Policy Preferences Changes Report
  • Group Policy Settings History Report
  • Extended Attribute Changes Report

GPO Settings change monitoring with ADAudit Plus

  • Get detailed reports on who made what change, when and from where.
  • Receive instant e-mail alerts, which are sent upon critical GPO changes.
  • View the before and after values of GPO settings. In case of an incorrect setting, quickly find the error and roll back to the previous setting.
  • Run ready-to-use audit reports for SOX, PCI, GLBA, FISMA, and HIPAA.

About ManageEngine ADAudit Plus

ManageEngine ADAudit Plus is a web-based Windows Active Directory, Workstations & Servers auditing & reporting solution. Ensure critical resources in the network like the AD, Servers, system, configuration & file modifications are audited, with the entire information on changes in 200+ detailed event-specific GUI reports & email alerts. For forensic analysis & compliance requirements, export the results to xls, html, pdf and csv formats & print the listed data for a thorough view on the IT security.

You Can Learn More About the ManageEngine Product Line By Going to

The original article/video can be found at Auditing Changes to Group Policy Settings

About the Author: Shannon Lewis
