How to Detect Modifications to Group Policy Using Security Log Events


Native Auditing vs. Netwrix Auditor for Active Directory

Native Auditing

Steps
  1. Run gpedit.msc → Create a new GPO → Edit it → Go to "Computer Configuration" → Policies → Windows Settings → Advanced Audit Policy Configuration → Audit Policies/DS Access: Click "Audit Directory Service Changes" → Define → Success.
  2. Link the new GPO to the domain controller → Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you've created.
  3. Force the Group Policy update by going to "Group Policy Management" → Right-click the defined OU → Click on "Group Policy Update".
  4. Open ADSI Edit → Connect to Default naming context → Navigate to CN=Policies,CN=System,DC=domain → Open Properties of the Policies object → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and Descendant objects" → Permissions → Select the following checkboxes:
    • Create groupPolicyContainer objects
    • Delete
    • Modify Permissions
    • Write versionNumber
    Click "OK".
  5. Open Event Viewer and search the Security log for event ID 5136 (Directory Service Changes category).
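The search in step 5 can be scripted. The following PowerShell is an added example, not part of the original page or a Netwrix tool: it pulls 5136 events for groupPolicyContainer objects from a domain controller's Security log and, because the event only identifies the GPO by the GUID in its DN, resolves that GUID to the GPO display name with Get-GPO. It assumes it runs on a domain controller (or against one via -ComputerName) as an account that can read the Security log, with the GroupPolicy RSAT module installed; the function name Get-GpoChangeEvent is the example's own.

```powershell
# Added example (not from the original page): list Group Policy container changes
# recorded as Security event 5136 and enrich them with the GPO display name.
Import-Module GroupPolicy -ErrorAction SilentlyContinue

# OperationType codes carried by event 5136 (resolved from the event template)
$opType = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function Get-GpoChangeEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $StartTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # CN=Policies also holds other classes; keep only GPO containers
            if ($d['ObjectClass'] -ne 'groupPolicyContainer') { return }

            # The DN looks like CN={GUID},CN=Policies,CN=System,DC=...; the GUID is the
            # only identity the raw event carries, so resolve it to a display name
            $guid = $null; $name = $null
            if ($d['ObjectDN'] -match '^CN=(\{[0-9A-Fa-f-]+\})') {
                $guid = $Matches[1]
                $name = (Get-GPO -Guid $guid -ErrorAction SilentlyContinue).DisplayName
            }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                GpoGuid   = $guid
                GpoName   = $name          # $null if the GPO no longer exists
                Attribute = $d['AttributeLDAPDisplayName']
                Operation = $opType[$d['OperationType']]
                Value     = $d['AttributeValue']
                ObjectDN  = $d['ObjectDN']
            }
        }
}

# Every edit of a GPO bumps versionNumber, so this surfaces edits as well as renames
Get-GpoChangeEvent | Sort-Object Time |
    Format-Table Time, Who, GpoName, Attribute, Operation, Value -AutoSize
```

A single GPO edit typically produces a pair of 5136 events (the old value deleted, the new value added), so expect two rows per change.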

Report example:

Netwrix Auditor for Active Directory

Steps
  1. Run Netwrix Auditor → Go to "Reports" → Active Directory → Group Policy Changes → Select "All Group Policy Changes" and select "Subscribe".
  2. Define recipients and save the subscription.

Report example:

Group Policy-related Logging Information Helps Track Aberrant Activity

Group Policy-related log events are recorded to the security log on your domain controller. By reviewing Group Policy-related logs with the help of native tools, IT administrators can determine who made changes to Group Policy and when and where each change happened. However, native auditing tools don’t show critical details such as the name of the Group Policy that was changed and the type of action that was performed. To ensure that no aberrant activity slips past your radar, you need additional software that provides more insight into Group Policy modifications.  

Netwrix Auditor for Active Directory delivers complete visibility into what’s going on in your Active Directory, including the detailed information you need about changes to Group Policy. By analyzing Group Policy-related logging information, the application provides not only the basic information available using native auditing tools, but also key details such as the name of the Group Policy that was changed, the type of change performed, and the before and after values. Getting this information from Group Policy logs enables IT admins to fully understand Group Policy modifications and thereby mitigate the risk of misuse of sensitive data.  
