Banks, credit unions, insurance companies,
Group Policy Fake Changes
|Symptoms||You received Group Policy Change Report showing some changes you do not believe you made.|
|Cause||By default the product uses a domain controller for the data collection which is most available. On some of the domain controllers Group Policy replication may not occur correctly. The product may connect to the domain controller that has a replication issue with regards to Group Policies, hence the outdated information, and gather GPOs which contain outdated policy settings. The outdated information in gathered GPOs will be considered as a change when comparing to the previous snapshot.|
|Resolution||To prevent this from happening we recommend using a single domain controller for collecting Group Policy changes.
In order to check which domain controller is currently used for Group Policy changes collection, see this file:
C:\ProgramData\Netwrix Auditor\AD Change Reporter\Omitlists\%domain.name%\dclist.txt
If there is more than one DC listed in that file, it means that the first DC in the list didn't respond at some point and Netwrix had to pick a new one. This could be the reason for fake changes.
If you know a DC which is highly available and stable, feel free to put its FQDN into that file instead of the current ones.