Monday, September 2, 2019

Group Policy in Windows System

When it comes to auditing changes made to GPO settings, there is nothing available in the box. That is, there is no native way of determining what that change was in any meaningful way. You'll be able to tell that "something" has changed, but not which setting changed, nor its before and after values. This is where a product like Group Policy Auditing and Attestation (GPAA) comes into play. GPAA can show you not only who made the change and when, but also what the actual setting change was.

Windows Auditing Options
  • Legacy Auditing
  • Advanced Auditing
Legacy auditing has existed since Windows 2000 and contains a set of coarse-grained audit categories that you can enable, as shown in this figure of the audit configuration within a Group Policy Object:


The downside to using these audit categories is that they are pretty darn noisy. That is, if you enable even a few of them on AD domain controllers, your security logs are likely to roll over quickly in a reasonably large environment, because each category covers a number of sub-category event types that all get audited. So unless you have a really good event log collection system, you may end up missing events as the logs roll over.

Fortunately, Microsoft introduced "Advanced Audit Configuration", which gives you the ability to turn each of the sub-categories within the legacy audit categories on and off individually.


For each major category on the left in the screenshot above, there are sub-categories that can be enabled or disabled for auditing.

The one thing to note about enabling these advanced audit configuration categories is that you also need to tell your DCs to ignore the legacy auditing categories if you plan to keep those enabled as well. You can do that by enabling the following policy for your DCs, within a GPO under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Once that policy is enabled, all legacy event categories are ignored and only the advanced audit sub-categories are logged to the DC's security event log.
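As an added check (my own example, not code from the original post), the following script verifies on a domain controller that the "Directory Service Changes" sub-category is actually in effect and that the override policy described above has been applied. It relies on auditpol, which reports the resultant audit policy, and on the LSA registry value SCENoApplyLegacyAuditPolicy, which is where that "Audit: Force audit policy subcategory settings ..." policy is persisted. Run it from an elevated PowerShell prompt on the DC.

```powershell
# Added example, not from the original post: confirm that the Directory Service Changes
# sub-category is enabled and that sub-category settings override the legacy categories.

function Get-DsChangeAuditState {
    # auditpol shows the resultant audit policy; /r emits CSV that ConvertFrom-Csv can parse.
    $rows = auditpol /get /subcategory:"Directory Service Changes" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'

    # The GPO item "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is stored as this LSA registry value.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DirectoryServiceChanges = $setting                       # e.g. "Success and Failure"
        SuccessAudited          = ($setting -match 'Success')
        SubcategoryOverride     = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
    }
}

$state = Get-DsChangeAuditState
$state | Format-List

if (-not $state.SuccessAudited) {
    Write-Warning 'Directory Service Changes (success) is not enabled; 5136/5137/5141 events will not be written.'
}
if (-not $state.SubcategoryOverride) {
    Write-Warning 'Sub-category override is off; legacy category settings still apply and can add noise.'
}
```

Because auditpol reports what is in effect rather than what a GPO says, this also catches the case where the GPO has been edited but has not yet applied to the DC.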

Configuring AD for Group Policy Change Auditing

  1. Enable auditing for AD changes
  2. Enable auditing for System Access Control Lists (SACLs) on the AD objects whose changes you're interested in auditing.
Once the Directory Service Changes auditing sub-category is enabled on your DCs and the SACLs are configured, you can start to look at all of the changes that occur in AD related to Group Policy management. AD change events generated by this sub-category generally fall into one of three event IDs:
  • 5136 - Changes to AD objects
  • 5137 - Creation of new AD objects
  • 5141 - Deletion of existing AD objects
And since GPOs are just a special kind of AD object, it follows that creation, deletion and modification of GPOs also generate events with these event IDs. There are a few things to keep in mind about GPO change events. First, all changes related to GPOs (e.g. creation, deletion, modification) happen within the CN=Policies,CN=System container under a given AD domain.

So when it comes to auditing changes to GPOs, it all happens within this container. The container holds a set of GUID-named GPO containers (of AD object class groupPolicyContainer) that represent each GPO in the domain. Now, creating, deleting or changing GPOs is not the only GP management operation you will be interested in auditing.
You will also want to know when GPOs are linked to or unlinked from a site, domain or OU. Those actions require auditing of changes (i.e. writes) to the gPLink attribute on those container objects (which is also a default SACL in newer versions of Windows). In addition, you may want to know when WMI filters are created, modified or deleted. Those show up as creation, modification or deletion events against objects under the CN=SOM,CN=WMIPolicy,CN=System container within a given AD domain, which is where WMI filters are stored.
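To see whether step 2 above is actually in place, the script below (an added example of mine, not from the original post or any product) lists the audit rules, i.e. the SACL entries, on the containers just described and on the domain head, and resolves the attribute and extended-right GUIDs in those rules to names so that entries covering gPLink or gPOptions are readable. It assumes the RSAT ActiveDirectory module, its AD: PowerShell drive, and an account that may read SACLs (the "Manage auditing and security log" right); the list of target objects is a starting point you would extend with your own OUs. It is read-only.

```powershell
# Added example, not from the original post: enumerate SACL entries relevant to GP change
# auditing and resolve GUIDs to attribute / extended-right names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootDse  = Get-ADRootDSE

# schemaIDGUID -> lDAPDisplayName (attributes and classes), rightsGuid -> displayName
# (extended rights such as the one in the nTSecurityDescriptor sample later in the post).
$guidToName = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidToName[[guid]$_.rightsGuid] = $_.displayName }

function Get-ADObjectAuditRule {
    param([string]$DistinguishedName)
    # -Audit asks the AD provider for the SACL instead of the DACL.
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    foreach ($rule in $acl.Audit) {
        $scope = '<all properties>'          # an empty ObjectType GUID means the whole object
        if ($rule.ObjectType -ne [guid]::Empty) {
            $scope = $rule.ObjectType.ToString()
            if ($guidToName.ContainsKey($rule.ObjectType)) { $scope = $guidToName[$rule.ObjectType] }
        }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Identity    = $rule.IdentityReference
            Rights      = $rule.ActiveDirectoryRights
            Audit       = $rule.AuditFlags
            Inheritance = $rule.InheritanceType
            AppliesTo   = $scope
            Inherited   = $rule.IsInherited
        }
    }
}

# Where GPO and WMI filter create/modify/delete events originate, plus the domain head,
# whose gPLink attribute changes when a GPO is linked or unlinked at domain level.
# Add your own OUs here; site objects live under CN=Sites in the configuration NC.
$targets = @(
    "CN=Policies,CN=System,$domainDN",
    "CN=SOM,CN=WMIPolicy,CN=System,$domainDN",
    $domainDN
)
$rules = foreach ($t in $targets) { Get-ADObjectAuditRule -DistinguishedName $t }
$rules | Format-Table Object, Identity, Rights, Audit, Inheritance, AppliesTo -AutoSize

# Is there a success audit covering gPLink writes on the domain head? Without one,
# link/unlink operations at that scope produce no 5136 event.
$gpLinkCovered = $rules | Where-Object {
    $_.Object -eq $domainDN -and "$($_.Audit)" -match 'Success' -and
    "$($_.Rights)" -match 'WriteProperty|GenericAll|GenericWrite' -and
    $_.AppliesTo -in @('<all properties>', 'gPLink')
}
if (-not $gpLinkCovered) {
    Write-Warning "No success audit rule covers gPLink writes on $domainDN."
}
```

Resolving the GUIDs up front costs one schema enumeration, but it turns an audit entry on "bf967a9c-..." style property GUIDs into one that plainly says gPLink, which is what you need when deciding whether the default SACL is sufficient.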

Auditing Group Policy Changes

The table below lists each Group Policy operation, the event ID it generates, and a sample event.

Event: Create GPO
Event ID: 5137
Sample event:
  A directory service object was created.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: CN={F5FEDDD2},CN=Policies,CN=System,DC=cpandl,DC=com
    GUID: CN={F5FEDD2},CN=Policies,CN=System,DC=cpandl,DC=com
    Class: groupPolicyContainer
  Operation:
    Correlation ID: {ac790c0f-49df-4e58-86d8-79ee040ae082}
    Application Correlation ID: –

Event: Change GPO
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: CN={3C-8F3-47-9-2},CN=POLICIES,CN=SYSTEM,DC=CPANDL,DC=COM
    GUID: CN={33B8},CN=Policies,CN=System,DC=cpandl,DC=com
    Class: groupPolicyContainer
  Attribute:
    LDAP Display Name: versionNumber
    Syntax (OID): 2.5.5.9
    Value: 65538
  Operation:
    Type: Value Added
    Correlation ID: {167f4140-a0d9-4ec7-b938-46447b8c932c}
    Application Correlation ID: –

Event: Delete GPO
Event ID: 5141
Sample event:
  A directory service object was deleted.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: CN=Machine,CN={79f3f},CN=Policies,CN=System,DC=cpandl,DC=com
    GUID: CN=Machine\0ADEL:f79f3f,CN=Deleted Objects,DC=cpandl,DC=com
    Class: container
  Operation:
    Tree Delete: No
    Correlation ID: {1cc87a40-58c0-42f6-8f85-167bb6e42f8f}
    Application Correlation ID: –

Event: Change GPO Permission
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: cn={33B82},cn=policies,cn=system,DC=cpandl,DC=com
    GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com
    Class: groupPolicyContainer
  Attribute:
    LDAP Display Name: nTSecurityDescriptor
    Syntax (OID): 2.5.5.15
    Value: O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
  Operation:
    Type: Value Added
    Correlation ID: {5d0497d2-8c7e-4543-861f-cac543cde7eb}
    Application Correlation ID: –

Event: Change GPO Status
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: cn={33BB2},cn=policies,cn=system,DC=cpandl,DC=com
    GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com
    Class: groupPolicyContainer
  Attribute:
    LDAP Display Name: flags
    Syntax (OID): 2.5.5.9
    Value: 2
  Operation:
    Type: Value Added
    Correlation ID: {ade7ee5a-64a5-4c43-b0ae-d9697ca427e4}
    Application Correlation ID: –

Event: Change GPO WMI Filter
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: cn={33B82},cn=policies,cn=system,DC=cpandl,DC=com
    GUID: CN={33B2},CN=Policies,CN=System,DC=cpandl,DC=com
    Class: groupPolicyContainer
  Attribute:
    LDAP Display Name: gPCWQLFilter
    Syntax (OID): 2.5.5.12
    Value: [cpandl.com;{65E2FC2F-55C4-4810-92E3-64BF1000F7DD};0]
  Operation:
    Type: Value Added
    Correlation ID: {90b34980-ee07-4a69-a8b4-768482a015bb}
    Application Correlation ID: –

Event: Create WMI Filter
Event ID: 5137
Sample event:
  A directory service object was created.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: CN={9CC840D2},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com
    GUID: CN={9CC0D2},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com
    Class: msWMI-Som
  Operation:
    Correlation ID: {e3fbe963-c2b7-4209-a73c-5d4529abd43d}
    Application Correlation ID: –

Event: Delete WMI Filter
Event ID: 5141
Sample event:
  A directory service object was deleted.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: CN={9D8D},CN=SOM,CN=WMIPolicy,CN=System,DC=cpandl,DC=com
    GUID: CN={8D}\01,CN=Deleted Objects,DC=cpandl,DC=com
    Class: msWMI-Som
  Operation:
    Tree Delete: No
    Correlation ID: {ffac999b-f1f9-4c1e-967a-5e82fed2285b}
    Application Correlation ID: –

Event: Change Link Enforced Flag
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: OU=DPM,DC=cpandl,DC=com
    GUID: OU=DPM,DC=cpandl,DC=com
    Class: organizationalUnit
  Attribute:
    LDAP Display Name: gPLink
    Syntax (OID): 2.5.5.12
    Value: [LDAP://cn={97F8},cn=policies,cn=system,DC=cpandl,DC=com;0]
           [LDAP://cn={4388FA},cn=policies,cn=system,DC=cpandl,DC=com;0]
  Operation:
    Type: Value Deleted
    Correlation ID: {91cc8727-3ed7-4254-8baa-0534a6155809}
    Application Correlation ID: –

Event: Change SOM Block Inheritance Flag
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: OU=DPM,DC=cpandl,DC=com
    GUID: OU=DPM,DC=cpandl,DC=com
    Class: organizationalUnit
  Attribute:
    LDAP Display Name: gPOptions
    Syntax (OID): 2.5.5.9
    Value: 1
  Operation:
    Type: Value Added
    Correlation ID: {09b0e4e8-a95c-4475-aa74-aaea2fb128b6}
    Application Correlation ID: –

Event: Unlink GPO
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com
    GUID: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com
    Class: organizationalUnit
  Attribute:
    LDAP Display Name: gPLink
    Syntax (OID): 2.5.5.12
    Value:
  Operation:
    Type: Value Added
    Correlation ID: {696218a2-80e9-4757-8066-7b270b4d1e93}
    Application Correlation ID: –

Event: Link GPO
Event ID: 5136
Sample event:
  A directory service object was modified.
  Subject:
    Security ID: CPANDL\darren
    Account Name: darren
    Account Domain: CPANDL
    Logon ID: 0x33cf14
  Directory Service:
    Name: cpandl.com
    Type: Active Directory Domain Services
  Object:
    DN: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com
    GUID: OU=Test,OU=Office Deploy,OU=EastCoast,DC=cpandl,DC=com
    Class: organizationalUnit
  Attribute:
    LDAP Display Name: gPLink
    Syntax (OID): 2.5.5.12
    Value: [LDAP://cn={33B8CE9C-87F3-4712-94CDDEB2},cn=policies,cn=system,DC=cpandl,DC=com;0]
  Operation:
    Type: Value Added
    Correlation ID: {47e0444f-82d3-4065-8b5f-b502eee366f7}
    Application Correlation ID: –
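The table gives the mapping from raw event to Group Policy operation; the script below (an added example of mine, not from the original post or any product) applies that mapping to live events. It reads 5136/5137/5141 events from a DC's Security log, pulls the fields out of each event's XML by name (ObjectDN, ObjectClass, AttributeLDAPDisplayName, AttributeValue, OperationType, and the Subject fields), and labels each Group-Policy-related one with the operation names used in the table. Run it on a DC (or add -ComputerName to Get-WinEvent) with rights to read the Security log; the -Since parameter and the label strings are my own choices. The two OperationType codes in the lookup are the raw message-table references the event XML uses for "Value Added" and "Value Deleted"; anything else is shown as-is.

```powershell
# Added example, not from the original post: classify Directory Service Changes events
# into the Group Policy operations described in the table. Save as a .ps1 and run on a DC.
param(
    [datetime]$Since = (Get-Date).AddHours(-24)
)

# Raw OperationType values as they appear in the event XML; the rendered event text
# shows them as "Value Added" / "Value Deleted".
$opTypeText = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    # EventData/Data elements carry a Name attribute; pick the one we want by name.
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-GPChangeKind {
    param([int]$Id, [string]$Class, [string]$DN, [string]$Attribute, [string]$Op, [string]$Value)
    # GPOs live under CN=Policies,CN=System; WMI filters are msWMI-Som objects;
    # links and inheritance flags are attributes on the scope (site, domain, OU).
    $isGpo   = ($Class -eq 'groupPolicyContainer') -or ($DN -match 'CN=Policies,CN=System')
    $isWmi   = $Class -eq 'msWMI-Som'
    $isScope = $Class -in @('organizationalUnit', 'domainDNS', 'site')

    if ($Id -eq 5137) { if ($isGpo) { return 'Create GPO' }; if ($isWmi) { return 'Create WMI Filter' }; return $null }
    if ($Id -eq 5141) { if ($isGpo) { return 'Delete GPO' }; if ($isWmi) { return 'Delete WMI Filter' }; return $null }
    if ($Id -ne 5136) { return $null }

    if ($isGpo) {
        switch ($Attribute) {
            'nTSecurityDescriptor' { return 'Change GPO Permission' }
            'flags'                { return 'Change GPO Status' }
            'gPCWQLFilter'         { return 'Change GPO WMI Filter' }
            'versionNumber'        { return 'Change GPO (version bumped)' }
            default                { return "Change GPO ($Attribute)" }
        }
    }
    if ($isWmi) { return "Change WMI Filter ($Attribute)" }
    if ($isScope) {
        if ($Attribute -eq 'gPOptions') { return 'Change SOM Block Inheritance Flag' }
        if ($Attribute -eq 'gPLink') {
            # gPLink is single-valued: an edit logs the old value as "Value Deleted" and the
            # new value as "Value Added". An added empty value means every link was removed.
            if ($Op -eq 'Value Added' -and [string]::IsNullOrWhiteSpace($Value)) { return 'Unlink GPO (gPLink cleared)' }
            if ($Op -eq 'Value Added') { return 'Link GPO / change link options (new gPLink)' }
            return 'Link GPO / change link options (previous gPLink)'
        }
    }
    return $null
}

$filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt   = $_
    $x     = [xml]$evt.ToXml()
    $dn    = Get-EventField $x 'ObjectDN'
    $cls   = Get-EventField $x 'ObjectClass'
    $attr  = Get-EventField $x 'AttributeLDAPDisplayName'
    $value = Get-EventField $x 'AttributeValue'
    $opRaw = Get-EventField $x 'OperationType'
    $op    = if ($opTypeText.ContainsKey("$opRaw")) { $opTypeText["$opRaw"] } else { $opRaw }
    $kind  = Get-GPChangeKind -Id $evt.Id -Class $cls -DN $dn -Attribute $attr -Op $op -Value $value
    if ($kind) {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            EventId     = $evt.Id
            Change      = $kind
            Who         = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"
            Object      = $dn
            Attribute   = $attr
            Operation   = $op
            Value       = $value
            Correlation = Get-EventField $x 'OpCorrelationID'   # groups the Deleted/Added halves of one edit
        }
    }
} | Sort-Object Time | Format-Table Time, EventId, Change, Who, Object, Attribute, Operation -AutoSize
```

Note what this does and does not give you: it tells you who touched which GPO, link or filter and when, and for link changes it shows the old and new gPLink strings, but for an edit to the GPO's contents it only sees the versionNumber bump, which is exactly the limitation the opening paragraph describes.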



Source: Understanding Group Policy Change Auditing by
