Run GPMC.msc (url2open.com/gpmc) > open Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings, then define the following:
Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System > Define > Success and Failures
Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Handle Manipulation > Define > Success and Failures
Local Policies > Audit Policy > Audit directory service access > Define > Success and Failures

Event ID Reference
4662 - An operation was performed on an object
4663 - Object access attempt (Task Category: File System)

Object-level GP Auditing (2008-2012)
Open ADSI Edit (url2open.com/adsi) > Connect to Default naming context > DC=domain name > CN=System > right-click CN=Policies > Properties > Security (Tab) > Advanced > Auditing (Tab) > Click Add > Choose the following settings:
Principal: Everyone; Type: Success; Applies to: This object and all descendant objects; Permissions: Create groupPolicyContainer objects, Delete groupPolicyContainer objects (Object Type: groupPolicyContainer) > Click OK

Sysvol-level GP Auditing
Navigate to \\domainname\sysvol\domainfqdn > right-click the Policies folder and select Properties
Select the Security tab > Advanced button > Auditing tab > Click Add
Select Principal: Everyone; Select Type: All; Select Applies to: This folder, subfolders and files; Select the following Advanced Permissions: Create files / write data; Create folders / append data; Write attributes; Write extended attributes; Delete; Delete subfolders and files
Click OK three times
To determine which Group Policy setting was modified, filter Event Viewer for Event ID 4663 and look at the Object Name: string, which contains the path to the policy setting that was changed
Security Event Log Settings
Run GPMC.msc > open Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Event Log > Define:
Maximum security log size to 1 GB
Retention method for security log to Overwrite events as needed
Open Event Viewer on any domain controller and search the Security log for the event IDs listed in the Event ID Reference box
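The last step above (searching the Security log for 4662/4663) is tedious by hand, so here is an added PowerShell example, not part of the reference card, that reduces those events to "who touched which GPO". It assumes the object-level and Sysvol-level auditing above is already applied on the domain controller; the field names come from the standard 4662/4663 event schema, and the sample record at the bottom is constructed for offline testing.

```powershell
# Added example (not from the reference card). Assumes the audit settings above are
# applied on the DC and the Security log is readable; the sample event below is constructed.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten <EventData><Data Name="..."> pairs into a hashtable keyed by field name.
    $data = @{}
    foreach ($d in $EventXml.GetElementsByTagName('Data')) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        Id     = [int]$EventXml.GetElementsByTagName('EventID')[0].InnerText
        Time   = $EventXml.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
        User   = $data['SubjectUserName']
        Object = $data['ObjectName']
        Access = $data['AccessMask']
    }
}

function Get-GpoChangeEvents {
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        $e = ConvertFrom-SecurityEventXml $EventXml
        # Keep only events that touch Group Policy: 4662 on the CN=Policies container in AD,
        # 4663 on the Policies folder under SYSVOL (where the card says to read Object Name).
        $isGpo = switch ($e.Id) {
            4662 { $e.Object -match 'CN=Policies,CN=System,' }
            4663 { $e.Object -match '\\SYSVOL\\.*\\Policies\\' }
            default { $false }
        }
        if (-not $isGpo) { return }
        # The GPO GUID appears in the DN (4662) or in the SYSVOL path (4663).
        $gpoGuid = if ($e.Object -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(unknown)' }
        [pscustomobject]@{ Time = $e.Time; EventId = $e.Id; User = $e.User; Gpo = $gpoGuid; Object = $e.Object }
    }
}

# Live use on a domain controller: pull the last day of 4662/4663 events and reduce them to GPO changes.
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4662,4663; StartTime=(Get-Date).AddDays(-1) } |
#     ForEach-Object { [xml]$_.ToXml() } | Get-GpoChangeEvents | Format-Table -AutoSize

# Offline check with a constructed 4663 record shaped like a real Security event
# (the GUID is the well-known Default Domain Controllers Policy GPO).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T10:00:00Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectName">C:\Windows\SYSVOL\sysvol\corp.example\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\Machine\Registry.pol</Data>
    <Data Name="AccessMask">0x2</Data>
  </EventData>
</Event>
'@
$sample | Get-GpoChangeEvents | Format-Table -AutoSize
```

Run the live pipeline in an elevated session on the DC; the 4662 branch only matches when Object Name is reported as a distinguished name rather than an object GUID.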
Gain #completevisibility into all activity going on in your AD and GP
for free with Netwrix Auditor for Active Directory: netwrix.com/go/trial-ad