----- Original Message -----
Sent: Thursday, March 24, 2005 5:32
PM
Subject: RE: [ActiveDir] Logging changes
made to GPOs
Right, the challenge that native auditing presents is
that no details about what GPO setting is changed are logged. You can find out
that something changed on the GPC, but that's about it. As
Hunter mentioned, there are at least three commercial products that I know of
that do provide detailed GPO logging:
NetIQ GP Guardian
Netpro Change Auditor
Quest Change Manager for AD
Darren
You can employ a 3rd party tool like the offerings from
NetPro, NetIQ, Quest etc
Natively, if you enable Audit directory service
access you can detect changes to GPOs by finding event ID 565s that have the
Object Type value groupPolicyContainer, the Accesses value Write Property, and
a Write Property that includes versionNumber
Is it possible to log changes made
to Group Policy
Objects?