Yes, that's the first thing I made sure. I'll fire up my test domain
shortly and try it on a brand-new install.

Second thing: why is it automatically focused on the PDC role? I was
certain that the PDC role holder was only related to password
changes...

Thanks,
Francis 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 11 March 2005 11:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Francis-
I just tested this on Server 2003 and it worked as Mika described. Keep
in mind that when you create a GPO, you're by default, focused on the
PDC role holder DC, and of course, events are held per-DC. So make sure
you're looking at the logs on the correct DC.

Darren 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, March 11, 2005 7:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Hi Mika,

I just created a test GPO with the GPMC and then connected to the event
viewer (security log) and waited for the 566 events to show up but
nothing! Are you sure no other steps are required?

Thanks!
Francis 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: 10 March 2005 16:54
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

In addition to Joe's and Darren's suggestions, you could just check
security logs. By default (in WS03, I don't have a W2k environment
running at the moment), there are two ACEs (inheritable to OUs) in the
SACL for the domain object:

        Ace[0]
                Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
                Ace Size:  56 bytes
                Ace Flags: 0x42
                        CONTAINER_INHERIT_ACE
                Object Ace Mask:  0x00000020
                        ACTRL_DS_WRITE_PROP
                Object Ace Flags: 0x3
                        ACE_OBJECT_TYPE_PRESENT
                        ACE_INHERITED_OBJECT_TYPE_PRESENT
                Object Ace Type:  Attr - gPLink
                Inherited object type: Class - organizationalUnit
                Object Ace Sid:   Everyone S-1-1-0
        Ace[1]
                Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
                Ace Size:  56 bytes
                Ace Flags: 0x42
                        CONTAINER_INHERIT_ACE
                Object Ace Mask:  0x00000020
                        ACTRL_DS_WRITE_PROP
                Object Ace Flags: 0x3
                        ACE_OBJECT_TYPE_PRESENT
                        ACE_INHERITED_OBJECT_TYPE_PRESENT
                Object Ace Type:  Attr - gPOptions
                Inherited object type: Class - organizationalUnit
                Object Ace Sid:   Everyone S-1-1-0

Thus, you don't have to configure anything in order to start auditing.
Just look in the security log for event ID 566. Unfortunately, as Darren
pointed out, GPO names aren't written to the events but rather the GUID
for the GPO :( In addition, when a GPO is linked to a container, only an
event is written indicating that a change to the gPLink attribute occurred.

Below is a sample event from the security log for linking a GPO to an
OU:

2/25/2005       8:02:31 AM      Security        Success Audit
Directory Service Access        566     SANAO\OU02Admin DC01    "Object
Operation:
        Object Type:    organizationalUnit
        Object Name:    OU=OU02,DC=DC=sanao,DC=com
        Accesses:       Write Property 
        Properties:
        Write Property 
                Default property set
                        gPLink

If a GPO is created and linked to an OU (e.g. with the GPMC command "Create
and link a GPO here..."), five events with event ID 566 are created in
the security log, three of them with the GUID of the GPO. Go and
figure... :)

My point: the security log will have the answer to your question of when
the linking occurred.

Rgds
Mika
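An added example, not part of Mika's post or of the thread, that checks the two things his approach relies on: that the domain object's SACL still carries the inheritable audit ACEs for gPLink and gPOptions, and which Directory Service Access events on the PDC emulator record a write to those attributes. It assumes the ActiveDirectory PowerShell module and a caller holding SeSecurityPrivilege (needed to read SACLs and the Security log). Event ID 566 is the Server 2003 ID used in the thread; Server 2008 and later log the same audit as 4662, so both are queried.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# SeSecurityPrivilege. Run on, or with remote event-log access to, the PDC emulator.

Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$pdc      = $domain.PDCEmulator          # GPMC writes here by default, so look here first

# Resolve the two attributes' schemaIDGUIDs from the schema instead of hardcoding them.
$schemaDN  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($name in 'gPLink', 'gPOptions') {
    $attr = Get-ADObject -SearchBase $schemaDN -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuids[[guid]$attr.schemaIDGUID] = $name
}

# (1) Audit ACEs on the domain object that target either attribute.
$acl = Get-Acl -Path "AD:\$domainDN" -Audit
$auditRules = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $attrGuids.ContainsKey($_.ObjectType) }

if (-not $auditRules) {
    Write-Warning "No audit ACEs for gPLink/gPOptions on $domainDN; 566/4662 will not be logged for link changes."
}
$auditRules | ForEach-Object {
    [pscustomobject]@{
        Attribute   = $attrGuids[$_.ObjectType]
        Rights      = $_.ActiveDirectoryRights     # expect WriteProperty
        AuditFlags  = $_.AuditFlags                # Success and/or Failure
        Principal   = $_.IdentityReference.Value   # S-1-1-0 (Everyone) in the default SACL
        Inheritance = $_.InheritanceType           # inherited by child OUs
    }
} | Format-Table -AutoSize

# (2) Events on the PDC emulator. Depending on how the event is rendered, the message
# shows the attribute either by name or by its schemaIDGUID, so match either form.
$pattern = ($attrGuids.GetEnumerator() |
    ForEach-Object { [regex]::Escape($_.Key.ToString()); $_.Value }) -join '|'

Get-WinEvent -ComputerName $pdc -LogName Security `
    -FilterXPath '*[System[(EventID=566 or EventID=4662)]]' -MaxEvents 5000 |
    Where-Object { $_.Message -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Account = $(if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' })
            Object  = $(if ($_.Message -match 'Object Name:\s+(.+)')   { $Matches[1].Trim() } else { '?' })
        }
    } | Format-Table -AutoSize
```

Because, as Darren notes, the Security log is per-DC, the event query is pointed at the PDC emulator explicitly; a link made while GPMC was focused on another DC will only show up in that DC's log.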

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 9 March 2005 23:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Yep. The other thing you could do is look at the metadata for the gplink
attribute. This will tell you the last time it was updated and where the
change was mastered, but that is about it.

  joe 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, March 09, 2005 3:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Speaking of DAs...GP link Date

Not easily. The way this works is that the DN of the GPC object is
stored on the gpLink attribute on the container object in question. So
you could audit on that container object (OU) for changes to gpLink but
then you have to figure out which GPO was added/removed by its DN. So
it's a container-centric thing rather than a GPO-centric thing. 
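An added example, not part of Darren's or joe's posts, that works the problem from the container side as Darren describes: read the OU's gPLink, turn each `[LDAP://<GPC DN>;<flags>]` entry into a GPO name, then pull the per-attribute replication metadata joe mentions to see when gPLink was last written and on which DC that write originated. It assumes the ActiveDirectory module (Get-ADReplicationAttributeMetadata ships with the Server 2012 and later module) and uses a placeholder OU DN taken from the thread's sample event.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# the OU DN below is a placeholder and must be replaced with your container.

Import-Module ActiveDirectory

$ouDN = 'OU=OU02,DC=sanao,DC=com'        # placeholder from the thread's sample event
$dc   = (Get-ADDomain).PDCEmulator        # where GPMC writes by default

$ou = Get-ADObject -Identity $ouDN -Server $dc -Properties gPLink, gPOptions

# gPOptions bit 0 (1) on the container = Block Inheritance.
"Block inheritance on ${ouDN}: " + [bool]([int]$ou.gPOptions -band 1)

# gPLink is one string of "[LDAP://<GPC DN>;<flags>]" entries.
# Per-entry flags: bit 0 (1) = link disabled, bit 1 (2) = enforced (No Override).
$position = 0
foreach ($m in [regex]::Matches([string]$ou.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
    $position++
    $gpcDN = $m.Groups[1].Value
    $flags = [int]$m.Groups[2].Value
    $gpc   = Get-ADObject -Identity $gpcDN -Server $dc -Properties displayName
    [pscustomobject]@{
        Position = $position                 # order as stored in the gPLink string
        GPO      = $gpc.displayName
        GpcDN    = $gpcDN                    # the GUID-named object the audit events refer to
        Enabled  = -not ($flags -band 1)
        Enforced = [bool]($flags -band 2)
    }
}

# Per-attribute replication metadata: the gPLink/gPOptions rows of
#   repadmin /showobjmeta <DC> "<OU DN>"
# Version counts writes; LastOriginatingChangeTime and the originating DSA say when
# and where the last write happened, but not which GPO was added or removed.
Get-ADReplicationAttributeMetadata -Object $ouDN -Server $dc -Properties gPLink, gPOptions |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity
```

The metadata gives a timestamp and an originating DC but no before/after value, which is why the Security log (or a record of the gPLink value taken before the change) is still needed to say which GPO moved.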


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Wednesday, March 09, 2005 12:11 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Speaking of DAs...GP link Date

Speaking of domain admins. Anyone know of a way to find out when a GP
was linked to an OU? (or alternatively when the links on the GP were
last updated)?
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/