Group Policy Auditing with Netwrix Auditor

Report and alert on Group Policy changes and generate state-in-time reports

Available Reports

Name | Description
All Changes Reports:
All Group Policy Changes | Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range and by the name of the user who made the changes.
All Group Policy Changes (Chart) | Shows all changes made to Group Policy objects, setting values, GPO links, and permissions. Filtered by date range.
Account Lockout Policy:
Account Lockout Policy Changes | Shows all changes made to account lockout policy settings. For example, changes to lockout threshold and duration. Unauthorized changes to account lockout settings may indicate attempts to compromise system security.
Lockout Duration Policy Changes | Shows modifications of the account lockout duration setting. Changes to this setting should be made carefully and always reviewed for accuracy.
Account Policies:
Account Policy Changes | Shows all changes to password policies, account lockout policies, and Kerberos policies. All changes in account policies must be reviewed regularly to ensure full compliance with established security policies and regulations.
Administrative Templates:
Administrative Template Changes | Administrative templates define policy settings in different categories, including desktop settings, services, and applications. Generally, all such changes must be reviewed by IT administrators to ensure that they were intended and authorized.
Public Key Policy Changes | Public Key Policies enforce public key infrastructure settings, such as trusted certificate lists and enterprise certificate authority. This report must be regularly reviewed if PKI is used in the organization.
Windows Components Policy Changes | Shows changes in standard system components and applications, such as shell, Windows Installer, Windows Update, Media Player, Internet Explorer, and others. These changes can severely affect user experience and introduce security threats.
Configuration:
Computer Configuration Windows Settings Changes | Shows all changes in Windows core operating system settings that can be enforced via Group Policy (Computer Configuration \ Windows Settings node). This report must be reviewed regularly to ensure that all systems are in compliance with security policies.
User Configuration Changes | Shows all changes in Windows core operating system settings related to users: logon scripts, security settings, folder redirection, and others (User Configuration \ Windows Settings node). This report must be reviewed regularly to ensure that all systems are in compliance with security policies.
Local Policies:
Audit Policy Changes | Audit policy defines what types of actions are logged to audit trails by the system. Every organization should have a clearly defined audit policy that changes only after management approval.
Interactive Logon Policy Changes | Shows changes to interactive logon rights. Interactive logon is a privileged operation, and granting this right should always be justified and approved by security specialists.
Rename Administrator and Guest Policy Changes | The Administrator and Guest accounts can be renamed for security purposes. Modification of this policy can indicate potential security incidents (e.g., someone renamed the accounts back to simplify network intrusion attempts).
Security Options Policy Changes | Shows all changes in password policies. Password policy settings in the Domain Security Policy affect domain users, while other Group Policy Objects can affect local users on managed computers.
User Rights Assignment Policy Changes | User rights define what system-level actions can be performed by certain users, such as system backup, access to audit logs, the ability to log on to servers, and other security-sensitive operations. User rights override certain object-level permissions and must be audited to ensure that all appropriate policies are enforced.
Password Policy:
All Password Policy Changes | Password policy implies password history, expiration date, complexity, and other settings that affect password security as mandated by the organization's policy. No change to a password policy must ever fall under the radar!
Password Age Policy Changes | Shows changes to minimum and maximum password age settings. Such changes shall never be done without careful planning and approval by security and compliance managers.
Password Complexity Policy Changes | Password complexity policy defines requirements for user passwords, and changes to this policy shall never be implemented without management approval.
Password Encryption Policy Changes | This policy defines whether passwords are stored using reversible encryption or not. This setting should never be changed.
Password History Policy Changes | Password history defines how many previous passwords are remembered to disallow usage of 'favorite' passwords and ensure that users make up a new password every time they change it.
Policy:
Changes in GPO Links | Shows when GPOs are linked to or unlinked from OUs and domains. GPO linking controls what policies are applied to users and computers. This property should be carefully monitored to avoid unauthorized changes.
Internet Explorer Policy Changes | Shows all changes in the Internet Explorer settings on managed client workstations. Internet Explorer is a primary web browser supported in many organizations. All changes in IE settings must be reviewed by security teams to avoid security issues and loss of user productivity.
Logon and Logoff Script Policy Changes | Logon and logoff scripts are executed when users log on and log off, respectively. Logon scripts usually execute custom actions, such as drive mapping and other user-specific automated operations. Changes in logon scripts can affect user experience and introduce extended support workloads if not managed properly.
Network Policy Changes | Shows all changes in network policy settings.
Printer Policy Changes | Shows all changes in printer policy settings.
Registry Policy Changes | Shows all changes in policy-enforced registry permissions on managed servers. This report must be carefully reviewed to detect changes that can affect system security, such as permissions to registry keys that contain third-party application settings.
Remote Installation Policy Changes | Remote installation policies control the software installation system, and changes in these policies shall be reviewed regularly to make sure they are authorized.
Restricted Groups Policy Changes | Restricted groups control enforced group membership on managed computers. An example of enforced group membership is the addition of the Domain Admins group to the Administrators group on all domain computers. Such changes shall never be done without prior approval of security personnel.
Software Restriction Policy Changes | This report contains information on application activities allowed or disallowed by Software Restriction Policies. When this type of policy is in use, all changes must be reviewed by system administrators to ensure adherence to security policies.
Startup and Shutdown Script Policy Changes | Startup and shutdown scripts are executed when computers start and shut down, respectively. These scripts usually execute custom actions, such as maintenance operations and other computer-specific automated operations. Changes in these scripts can affect startup performance and availability.
System Policy Changes | Shows all changes in the System section.
System Services Policy Changes | Group Policy service control settings can enforce the status of certain system services (such as Disabled or Automatic) and centrally define service security settings. Changes in system services can affect security and overall attack surface.
Security Settings:
Security Policy Changes | Shows all changes made to security policies (e.g., Local Policy, Account Policy, Password Policy, etc.). All such changes must be reviewed on a regular basis to mitigate security risks.
Software Installation:
Software Installation Policy Changes | This report shows all changes made to GPO software deployment settings. The organization's deployment policies should be clearly defined and all changes carefully reviewed as they are made.
Windows Settings:
Windows Settings Changes | Shows all changes in the Computer Configuration \ Windows Settings and User Configuration \ Windows Settings sections. This includes logon and startup scripts, security settings, folder redirection, and others. This report must be reviewed regularly to ensure that all systems are in compliance with security policies.
Wireless Network Policy Changes | Wireless policies control what wireless networks are available on managed computers and are typically used to deploy wireless connection information automatically. Changes in wireless settings are security-relevant, because attackers can set up rogue wireless access points and allow access to them via policy settings to penetrate the network.