Netwrix Auditor: Group Policy Administrator’s Guide
Copyright © 2013 Netwrix Corporation. All Rights Reserved
2. PRODUCT OVERVIEW
Group Policy auditing is a must-have procedure for all organizations relying on Group Policy
infrastructure. Relatively small changes to security policies, desktop configurations, software
deployment and other settings can severely impact enterprise security, compliance, and
performance. An uncontrolled and unaudited change process imposes major security and
compliance risks for an IT infrastructure run by multiple IT professionals.
Built-in Group Policy management tools do not provide any auditing or change reporting
capabilities, and it is impossible to track the WHO, WHAT, WHERE and WHEN data for
critical modifications by using these tools. For example, auditing with the native Windows
tools can only indicate that a Group Policy Object changed, but it does not say WHAT setting
has been changed; the only source of information is cryptic GUIDs that have to be
cross-referenced.
Windows 2003 and earlier versions do not provide the before and after values for the Group
Policy Object (GPO) link. Windows 2008 provides this data, but it is difficult to use
efficiently. For a detailed comparison of the native auditing tools and Netwrix products, refer
to Summary: Limitations of Native Active Directory Auditing Tools.
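To make the native-auditing limitation above concrete, this added example (not from the Netwrix guide or product) pairs the value-deleted and value-added halves of Security event 5136 for the gPLink attribute, as logged by Windows Server 2008 and later, and turns the GUIDs into a before/after report. The event records are constructed sample data, and the GUID-to-name table is an assumption standing in for a directory lookup.

```python
import re
from collections import defaultdict

# One gPLink entry looks like [LDAP://cn={GUID},cn=policies,...;flags]
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9a-f-]{36}\}),[^;\]]*;(\d+)\]", re.I)
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # event 5136 OperationType codes

def parse_gplink(value):
    """Return {GPO GUID: link flags}; 0x1 = link disabled, 0x2 = enforced."""
    return {guid.upper(): int(flags) for guid, flags in LINK_RE.findall(value or "")}

def gplink_changes(events, gpo_names):
    """Pair the delete/add halves of each gPLink write: who changed what, and where."""
    ops = defaultdict(lambda: {"before": {}, "after": {}})
    for ev in events:
        if ev["EventID"] != 5136 or ev["AttributeLDAPDisplayName"].lower() != "gplink":
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["SubjectUserName"])
        side = "after" if ev["OperationType"] == VALUE_ADDED else "before"
        ops[key][side] = parse_gplink(ev["AttributeValue"])
    name = lambda guid: gpo_names.get(guid, guid)  # unresolved GPOs stay as raw GUIDs
    report = []
    for (_, where, who), op in ops.items():
        old, new = op["before"], op["after"]
        report.append({
            "who": who, "where": where,
            "linked": sorted(name(g) for g in new.keys() - old.keys()),
            "unlinked": sorted(name(g) for g in old.keys() - new.keys()),
            "options_changed": sorted(name(g) for g in new.keys() & old.keys() if new[g] != old[g]),
        })
    return report

# Constructed sample data (not real log output): one edit of an OU's gPLink attribute
GPO_A, GPO_B = "{11111111-2222-3333-4444-555555555555}", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"
GPO_NAMES = {GPO_A: "Workstation Lockdown", GPO_B: "Software Deployment"}  # assumed lookup table

def link(guid, flags):
    return f"[LDAP://cn={guid},cn=policies,cn=system,DC=corp,DC=example;{flags}]"

BASE = {"EventID": 5136, "SubjectUserName": "jsmith", "AttributeLDAPDisplayName": "gPLink",
        "OpCorrelationID": "{0F0F0F0F-0000-4000-8000-000000000001}",
        "ObjectDN": "OU=Workstations,DC=corp,DC=example"}
SAMPLE_EVENTS = [
    dict(BASE, OperationType=VALUE_DELETED, AttributeValue=link(GPO_A, 0)),
    dict(BASE, OperationType=VALUE_ADDED, AttributeValue=link(GPO_A, 2) + link(GPO_B, 0)),
]

if __name__ == "__main__":
    for change in gplink_changes(SAMPLE_EVENTS, GPO_NAMES):
        print(change)
```

The raw events only say that gPLink on the OU was rewritten; the link that was added and the one whose enforcement option changed appear only after the two halves are diffed and the GUIDs resolved.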
Powered by the Netwrix AuditAssurance™ technology, Netwrix Auditor makes Group
Policy change auditing an easy and straightforward process, resulting in a complete and
concise picture of all changes taking place in your monitored environment. AuditAssurance™
is a patent-pending technology that consolidates audit data from multiple independent
sources such as event logs, configuration snapshots, change history records, and others. This
allows detecting WHO changed WHAT, WHERE and WHEN, even if one or several sources of
information do not contain all of the required data, for example because it was deleted,
overwritten, and so on.
Netwrix Auditor collects data on every single change made to the Group Policy configuration,
including newly created and deleted GPOs, GPO link changes, changes made to audit policy,
password policy, software deployment, user desktops, and other settings. The data includes
detailed information for all changes with the previous and current values for all modified
settings.
The product records all Group Policy modifications and archives them to enable historical
reporting. You can build a summary of changes made to Group Policy during any period. For
example, you can analyze any policy violations that took place in the past, see who turned
off invalid logon auditing in your domain security policy, who added new software to deploy
on client computers, who changed desktop firewall and lockdown settings, and so on.
Netwrix offers long-term data archiving that uses a two-tiered system:
• Audit Archive, a local file-based storage
• SQL Server database
Netwrix offers both agent-based and agentless data collection methods. The use of agents is
recommended for distributed deployments or multi-site networks due to their ability to
compress network traffic.
This guide only covers the configuration and usage of the Netwrix Auditor for Group Policy
audit. For information on how to audit the entire Active Directory infrastructure, refer to
Netwrix Auditor: Active Directory Administrator’s Guide and Netwrix Auditor: Exchange Servers
Administrator’s Guide.