Auditing GPO Changes, Event Logs Issue

[mark burse]

Using Windows 2003 Active Directory can you using native tools monitor (full auditing is enabled) GPO changes. We need to know who, when and what GPO changes where made?
Looking through the newsgroups Event Id 566 looks like it could do it?
I am currently running a Domain DC Event log grap using EventCompMt.exe (MS tool). So I am awaiting the results.
However I have this issue on Event Logs;
Using our current audit policy most DCs within two hours start to overwrite their security log (today we only have data from 8.04 am). Our log storage policy is set at 128MB, then overwrite.
We have a requirement that one wholes days of security events must be captured and stored for later analysis (i.e. who and when delete that OU - which is a real event that happened a few weeks ago). We have a tool to do this Quest 'Intrust Express'. This takes and stores the events in a repository every night at 21:00.
But as the log is overwriting every two hours so most of data is missing (we cannot tell who did what and when) This leaves us is a very poor situation.
We need to increase the size to say 2GB or reduce our audit policy. MS have a Q article that allows an unrestricted security log size, but a better solution would be to reduce the current audit policy. Which I am looking in to.
Another option would be to have Intrust Express do a capture every one hour (maybe needs testing)
All Event logs in total for all must not exceed 300Mb. They are “memory mapped� files – which are memory resident. The OS only allows 1Gb for all OS memory mapped files – let alone the Event Logs.
So there are the issues.

Please comment

Mark

[kevsully]

see Group Policy General list, a response is in there.