
Thread: Auditing GPO Changes and Event Size Issue

  1. #1 mark burse

    Using Windows 2003 Active Directory, can you, using native tools, monitor GPO changes (full auditing is enabled)? We need to know who, when and what GPO changes were made.
    Looking through the newsgroups, Event ID 566 looks like it could do it?
    I am currently running a domain DC event log grab using EventCombMT.exe (MS tool), so I am awaiting the results.
    However, I have this issue on event logs:
    Using our current audit policy, most DCs within two hours start to overwrite their security log (today we only have data from 8.04 am). Our log storage policy is set at 128MB, then overwrite.
    We have a requirement that one whole day's security events must be captured and stored for later analysis (i.e. who deleted that OU and when - which is a real event that happened a few weeks ago). We have a tool to do this, Quest 'Intrust Express'. This takes and stores the events in a repository every night at 21:00.
    But as the log is overwriting every two hours, most of the data is missing (we cannot tell who did what and when). This leaves us in a very poor situation.
    We need to increase the size to say 2GB or reduce our audit policy. MS have a Q article that allows an unrestricted security log size, but a better solution would be to reduce the current audit policy, which I am looking into.
    Another option would be to have Intrust Express do a capture every hour (maybe needs testing).
    All event logs in total must not exceed 300MB. They are “memory mapped” files – which are memory resident. The OS only allows 1GB for all OS memory mapped files – let alone the event logs.
    So there are the issues.

    Please comment

    Mark
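An added example, not part of the original thread and not Mark's or Quest's tooling: a small triage script for the two problems in the post above. It takes an exported Security log, keeps only Event ID 566 (Directory Service Access, "Object Operation") records whose object type is groupPolicyContainer, and reports who touched which GPO and when; it then checks whether the time span actually retained in the log covers the required 24 hours, and extrapolates from the observed fill rate (128MB in two hours) how large the log would have to be. The record format used here is constructed for the example and is not the EventCombMT.exe output format; the parser is the part to adapt to a real export.

```python
"""Triage an exported Security log for GPO changes (Event ID 566) and check
the retained window. Added example; the '|'-separated record format below
is constructed for illustration, not a real EventCombMT export format."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export, one event per line:
# timestamp|event id|user|object type|object DN|accesses
SAMPLE_EXPORT = """\
2006-03-14 08:04:12|566|CORP\\jdoe|groupPolicyContainer|CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example|Write Property
2006-03-14 09:15:00|528|CORP\\asmith|||Logon
2006-03-14 10:22:41|566|CORP\\asmith|organizationalUnit|OU=Sales,DC=corp,DC=example|Delete Child
2006-03-14 11:02:09|566|CORP\\jdoe|groupPolicyContainer|CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example|Write Property
2006-03-14 12:30:00|566|CORP\\svc-backup|user|CN=Backup,CN=Users,DC=corp,DC=example|Read Property
"""

# A GPO's DN in AD is CN={GUID},CN=Policies,CN=System,...; pull the GUID out.
GPO_GUID_RE = re.compile(r"CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System",
                         re.IGNORECASE)


def parse_export(text: str) -> List[Dict]:
    """Parse the constructed export format into event dicts (adapt this
    function to the real export you have)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, obj_type, obj_name, accesses = line.split("|", 5)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "object_type": obj_type,
            "object_name": obj_name,
            "accesses": accesses,
        })
    return records


def gpo_changes(records: List[Dict]) -> List[Dict]:
    """Who / when / which GPO: Event 566 on groupPolicyContainer objects."""
    found = []
    for r in records:
        if r["event_id"] != 566:
            continue
        if r["object_type"].lower() != "grouppolicycontainer":
            continue
        m = GPO_GUID_RE.search(r["object_name"])
        found.append({
            "when": r["time"],
            "user": r["user"],
            "gpo_guid": m.group(1) if m else r["object_name"],
            "accesses": r["accesses"],
        })
    return sorted(found, key=lambda c: c["when"])


def retained_window(records: List[Dict]) -> timedelta:
    """Span between the oldest and newest event still in the log."""
    times = [r["time"] for r in records]
    return max(times) - min(times)


def covers_required_window(records: List[Dict], required: timedelta) -> bool:
    """True if the log still holds at least `required` worth of events."""
    return retained_window(records) >= required


def required_log_size_mb(current_mb: float, hours_to_fill: float,
                         required_hours: float) -> float:
    """Linear extrapolation: size needed to hold required_hours at the
    observed fill rate (current_mb filled in hours_to_fill)."""
    return current_mb / hours_to_fill * required_hours


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for c in gpo_changes(recs):
        print(f"{c['when']}  {c['user']:<18} {c['accesses']:<15} {c['gpo_guid']}")
    print("retained window:", retained_window(recs))
    print("covers 24h:", covers_required_window(recs, timedelta(hours=24)))
    print("MB needed for 24h at 128MB/2h:", required_log_size_mb(128, 2, 24))
```

The GPO report resolves only the GUID; mapping it to a display name needs a lookup against the policy container (or the GPMC), which the export alone does not give you. The extrapolation is deliberately linear, so treat it as a lower bound: a burst of activity such as the OU deletion in the post will fill the log faster than the average rate.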

  2. #2 kevsully

    This is not a trivial task, as you have found. There are not many great solutions that you can find that have this capability.

    The solution is in 'off-line' editing/repository, check-in/check-out functionality and differencing and settings reports with role based delegation. There are a few solutions on the market for this.

    Most are proprietary and come at a cost. NetIQ, Quest and soon DesktopStandard (my company) have solutions for this. Why I think you may be interested in the solution we are creating is because it will be free (at least in one version), and it is built as extensions to the GPMC so you don't need to change the way you work.

    How it and most work: controlled GPOs will have to be checked out of the repository to edit. When this happens the changes and the 'Who' are captured. When done, the GPOs are checked back in and someone with rights can then analyze the changes and deploy the edited GPO into production. This puts a few check points into the process and allows you to see who, when, what occurred.

    The tools that Microsoft provides are great on a one-off basis. You will have to combine some tools with auditing of the event logs to get your results, which may not work in your situation.

    Jeremy's book starting on page 244 has some information on Auditing that is very solid. It walks through all of the necessary steps and works some of the kinks out of the 566 messages.

    GL...

  3. #3 mark burse

    Kev,

    Can you give me further details about this book?

    When will your software be available?

    Rgds

    Mark
