Key Points
- Enable Native GPO Auditing: Configure built-in Windows auditing to capture GPO and OU modifications.
- Track Critical Event IDs: Prioritize essential event IDs (5136, 5137, 5138, 5139, 5141) to efficiently identify impactful GPO, OU, and permission changes.
- Centralize Logs with WEF: Use Windows Event Forwarding (WEF) and Windows Event Collector (WEC) to consolidate policy change logs.
- Version Control and Backups: Regularly back up and version GPOs through the Group Policy Management Console (GPMC) to simplify rollback.
- Alert on High-Risk Changes: Set alerts for high-priority events and define thresholds for anomalies (e.g., after-hours changes).
Group Policy Objects (GPOs) provide ways to effectively apply policies at scale, but this also means that small errors can have far-reaching consequences. Knowing how to audit GPO changes protects your infrastructure. And with the right tools, you can easily enforce version control and set alerts for continuous monitoring.
This article explains how to check GPO changes with built-in solutions, and highlights third-party Remote Monitoring and Management (RMM) tools that adapt to all your clients’ needs.
How to audit GPO changes for better traceability
While native tools can offer cost-effective solutions, consider expanding your toolkit for efficiency, and factor in your technical constraints before establishing audit workflows for clients.
📌 Prerequisites:
- Administrative privileges
- Domain and forest functional levels that support Advanced Audit Policy
- GPMC access for policy review and backup
- SIEM or Windows Event Collector infrastructure for log centralization
- A designated file share or repo for versioned GPO backups
- A change register template and owners for reviews and approvals
Step 1: Enable native auditing for policy changes
IT experts can track changes to GPOs and Organizational Units (OUs) using built-in Directory Service auditing on Domain Controllers. Here’s how:
📌 Use Cases: Use this to capture detailed logs of every GPO and OU change.
📌 Prerequisites: Windows Server domain controllers (Windows Education or Pro for the management tools); local and domain administrative privileges.
💡 Note: These permissions correspond to audit categories that generate Event ID 5136 (Directory Service Object Modified) and similar events.
- On a domain controller, press Win + R, type gpmc.msc, and press Enter to open the Group Policy Management Console (GPMC).
- Create or edit a GPO linked to the Domain Controllers OU.
- Navigate to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
- Enable the following policies (Audit Policy Change and Audit Account Management live in the Policy Change and Account Management categories, siblings of DS Access under Audit Policies):
  - Audit Directory Service Changes → Success and/or Failure
  - Audit Policy Change → Success and/or Failure
  - Audit Account Management → Success and/or Failure
- Apply the GPO. The settings will replicate to all Domain Controllers.
- Use ADSIEDIT.msc to configure object-level auditing:
  - Connect to the Default Naming Context.
  - Locate your target container (e.g., OUs containing user policies).
  - Right-click → Properties > Security tab > Advanced > Auditing tab.
  - Add a Principal (e.g., Domain Admins, Authenticated Users).
  - Select Success/Failure and check permissions such as:
    - Create groupPolicyContainer objects
    - Delete
    - Modify Permissions
    - Write versionNumber
  - Click OK to save.
💡 Note: On Windows 11, adsiedit.msc is only available if RSAT (Active Directory Domain Services Tools) has been installed through Optional Features or via Add-WindowsCapability.
Integrating endpoint solutions like NinjaOne boosts policy protection beyond native tools with premium features like real-time alerts and device health checks to help you audit GPO changes.
Step 2: Know the events that matter
Some events are more important than others when you audit GPO changes. As such, you’ll need to prioritize impactful signals to reduce alert fatigue.
Use these key Event IDs to filter out critical events and form a matrix that simplifies your Group Policy audit:
- GPO Changes:
  - 4739 – Domain Policy changed
  - 5136 – Directory Service object modified (includes GPO edits)
- OU Changes:
  - 5137 – Directory Service object created (OU created)
  - 5141 – Directory Service object deleted (OU deleted)
  - 5139 – Directory Service object moved (OU moved)
- Security Filter & Delegation:
  - 4670 – Permissions on an object changed
  - 4732/4733 – Security group membership changes (affecting GPO filtering and delegation)
Step 3: Centralize and protect the logs
Centralizing your logs across different Domain Controllers (DCs) with Windows Event Forwarding (WEF) can make evidence easier to query, improve visibility, and bolster compliance efforts as you audit GPO changes.
📌 Use Cases: To streamline log audits and support forensic investigations.
📌 Prerequisites: Administrative privileges, domain-joined systems, Windows Remote Management (WinRM) enabled.
- Press Win + R, type cmd, and press Ctrl + Shift + Enter.
- Run wecutil qc to set up the Windows Event Collector (WEC) service.
- Press Win + R, type eventvwr.msc, and press Enter.
- Expand Subscriptions.
- Right-click and choose Create Subscription.
- Name your subscription.
- Set Destination Log to Forwarded Events.
- Choose a subscription mode.
  - In most domain environments, Source-Initiated is recommended unless you specifically need Collector-Initiated behavior.
- Select events to collect (use the XML tab for advanced filters).
- On your Domain Controllers, run the following in the Command Prompt:
  winrm qc
  wecutil qc
- Press Win + R, type gpedit.msc, and press Ctrl + Shift + Enter.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Event Forwarding
- Double-click Configure target Subscription Manager.
- Set to Enabled, click Show, and add:
  Server=http://<CollectorFQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60
  Replace <CollectorFQDN> with your collector’s fully qualified domain name.
- Run gpupdate /force to apply the policy.
- Define Subscriptions:
  - Baseline Subscription: Includes all devices for general monitoring.
  - Suspect Subscription: Targets high-risk or anomalous devices for deeper logging.
- Use PowerShell or your SIEM’s parsing tools to standardize fields such as:
  - Editor Account
  - Target Object Distinguished Name (DN)
  - Change Type
  - Originating DC
- Retain logs for:
  - Monthly reviews
  - Quarterly reviews
  - Incident investigations
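The following PowerShell is an added example, not code from the original article or from NinjaOne. It queries the Step 2 event IDs from the Security log of a domain controller (or the ForwardedEvents log of a WEC collector) and normalizes each record into the Step 3 fields: editor account, target object DN, change type, and originating DC. The ID table, the output field names and the IsGpoObject heuristic are my own choices; the event data field names (SubjectUserName, ObjectDN, AttributeLDAPDisplayName, OperationType, OldObjectDN) are those Windows writes into the XML of these events.

```powershell
# Added example (not from the original article or NinjaOne): pull the Step 2 event IDs
# and normalize them into the Step 3 fields. Assumes administrative rights and either a
# DC ('Security' log) or a WEC collector ('ForwardedEvents' log).

$GpoAuditEventIds = @{
    4739 = 'Domain policy changed'
    5136 = 'Directory Service object modified'
    5137 = 'Directory Service object created'
    5139 = 'Directory Service object moved'
    5141 = 'Directory Service object deleted'
    4670 = 'Permissions on an object changed'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
}

# 5136 stores the operation as a resource-string placeholder; map the two common values.
$OperationTypeNames = @{ '%%14674' = 'value added'; '%%14675' = 'value deleted' }

function Get-GpoAuditEvent {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Security',              # use 'ForwardedEvents' on a collector
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )

    $filter = @{ LogName = $LogName; Id = [int[]]$GpoAuditEventIds.Keys; StartTime = $StartTime }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten <EventData><Data Name="..."> pairs into a hashtable so the slightly
        # different schemas of 5136/5137/5139/5141/4670/473x share one code path.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Each ID names the affected object differently; take the first field present.
        $targetDn = @($data['ObjectDN'], $data['NewObjectDN'], $data['ObjectName'], $data['TargetUserName']) |
                    Where-Object { $_ } | Select-Object -First 1

        $changeType = $GpoAuditEventIds[$evt.Id]
        if ($evt.Id -eq 5136 -and $data['AttributeLDAPDisplayName']) {
            $op = $OperationTypeNames[$data['OperationType']]
            if (-not $op) { $op = $data['OperationType'] }
            $changeType = "$changeType ($($data['AttributeLDAPDisplayName']) $op)"
        }

        [pscustomobject]@{
            TimeCreated   = $evt.TimeCreated
            EventId       = $evt.Id
            ChangeType    = $changeType
            EditorAccount = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            TargetDN      = $targetDn
            ObjectClass   = $data['ObjectClass']
            # GPO containers live under CN=Policies,CN=System; true for direct GPO edits.
            IsGpoObject   = ($data['ObjectClass'] -eq 'groupPolicyContainer') -or ($targetDn -like '*CN=Policies,CN=System,*')
            OriginatingDC = $evt.MachineName
            OldObjectDN   = $data['OldObjectDN']    # only populated by 5139 (move)
        }
    }
}

# Usage: last 24 hours of policy-related changes on this DC, newest first.
Get-GpoAuditEvent |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, EditorAccount, ChangeType, TargetDN -AutoSize
```

On a collector, call `Get-GpoAuditEvent -LogName ForwardedEvents` so the query covers every DC that forwards to it; the OriginatingDC column then comes from the forwarding DC's name in each event, which is what you want to retain for the monthly and quarterly reviews.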
Step 4: Back up, version, and diff GPOs
Prepare contingencies to enable safe rollbacks and technician-friendly version reviews as your teams audit GPO changes.
📌 Use Cases: Simplifying GPO change reviews for technicians for faster client reports.
- Press Win + R, type gpmc.msc, and hit Enter.
- Right-click Group Policy Objects and select Back Up All.
- Choose a secure location (e.g., access-controlled share).
- Form a GPO change register for auditability:
  - Track GPO name, version, editor, reason, and ticket ID.
- Compare current settings to previous versions using the Group Policy Management Console (GPMC) for quick analysis.
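The same backup, register and comparison steps scripted in PowerShell, as an added example that is not part of the original article or NinjaOne's tooling. It uses the GroupPolicy module's Backup-GPO, Get-GPO and Get-GPOReport cmdlets; the share path, the register columns and the line-level diff approach are my own assumptions.

```powershell
# Added example (not from the original article or NinjaOne): back up every GPO to a
# dated folder, append a row per GPO to a change register, and diff a GPO's current
# settings against the XML report saved with a backup. Assumes the GroupPolicy RSAT
# module and rights to read and back up GPOs.

Import-Module GroupPolicy

$BackupRoot   = '\\FILESERVER\GpoBackups'               # placeholder: access-controlled share
$RegisterPath = Join-Path $BackupRoot 'gpo-change-register.csv'

function Backup-AllGpoVersioned {
    param([string]$Root = $BackupRoot, [string]$Reason = 'scheduled', [string]$TicketId = '')

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $folder = Join-Path $Root $stamp
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    foreach ($gpo in Get-GPO -All) {
        $backup = Backup-GPO -Guid $gpo.Id -Path $folder -Comment $Reason
        # Keep an XML settings report beside the backup so later diffs do not need the domain.
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path (Join-Path $folder "$($gpo.Id).xml")

        # One register row per GPO: name, version, editor, reason, ticket ID (Step 4 fields).
        [pscustomobject]@{
            Timestamp       = $stamp
            GpoName         = $gpo.DisplayName
            GpoGuid         = $gpo.Id
            UserVersion     = $gpo.User.DSVersion        # GPMC bumps these on every edit
            ComputerVersion = $gpo.Computer.DSVersion
            Editor          = "$env:USERDOMAIN\$env:USERNAME"
            Reason          = $Reason
            TicketId        = $TicketId
            BackupId        = $backup.Id
        } | Export-Csv -Path $RegisterPath -Append -NoTypeInformation
    }
    return $folder
}

function Compare-GpoToBackup {
    param([Parameter(Mandatory)][string]$GpoName, [Parameter(Mandatory)][string]$BackupFolder)

    $gpo     = Get-GPO -Name $GpoName
    $saved   = Get-Content (Join-Path $BackupFolder "$($gpo.Id).xml")
    $current = (Get-GPOReport -Guid $gpo.Id -ReportType Xml) -split "`r?`n"

    # A line-level diff is enough to show which settings moved. Drop the timestamps the
    # report embeds so an unchanged GPO does not show up as a difference.
    $ignore = '^\s*<(ReadTime|ModifiedTime|CreatedTime)>'
    Compare-Object ($saved -notmatch $ignore) ($current -notmatch $ignore) |
        Select-Object @{ n = 'Side'; e = { if ($_.SideIndicator -eq '<=') { 'Backup' } else { 'Current' } } },
                      InputObject
}

# Usage:
# $folder = Backup-AllGpoVersioned -Reason 'Pre-change snapshot' -TicketId 'CHG-0001'
# Compare-GpoToBackup -GpoName 'Default Domain Policy' -BackupFolder $folder
```

Running the backup from a scheduled task before each approved change window gives technicians a known-good folder to restore with Restore-GPO, and the register CSV doubles as the audit trail reviewers ask for.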
Step 5: Alert on high-risk changes
Timely action is required when you audit GPO changes. Follow these best practices to optimize your process:
| Practice | Value | Example scenario |
| --- | --- | --- |
| Monitor Event ID 5136 for GPO modifications | Notifies technicians when GPO changes occur. | A SOC analyst monitors Event Viewer for unauthorized changes to password policies. |
| Use PowerShell or SIEM tools to correlate GUIDs to GPO names | Translates raw event data into readable GPO names for important reports. | An MSP uses PowerShell to match GPO Globally Unique Identifiers (GUIDs) from logs to their friendly names in reports. |
| Set thresholds for unusual activity using an RMM | Checks for anomalies like after-hours GPO modifications; can limit changes per GPO. | A technician sets alerts for GPO edits occurring outside business hours using NinjaOne. |
| Automate ticket creation with event details and GPO backup references | Links actionable alerts to your client’s remediation workflows while you audit GPO changes. | A helpdesk system auto-generates a ticket when a GPO is modified, including backup info. |
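The GUID-to-name correlation and after-hours threshold from the table, worked in PowerShell as an added example (not code from the original article or from NinjaOne). It assumes the GroupPolicy module for the name lookup; the business-hours rule, the approved-editor list and the sample event records are constructed for illustration, and the GUID in the sample is the well-known Default Domain Policy GUID.

```powershell
# Added example (not from the original article or NinjaOne): resolve the GPO GUID inside
# a 5136 ObjectDN to its friendly name and flag edits made after hours or by accounts
# outside an approved list. Events are expected in the normalized shape
# (TimeCreated, EditorAccount, TargetDN); sample records below are constructed.

function Get-GpoNameMap {
    # One directory query instead of one per event. Keys are lowercase GUIDs without braces.
    Import-Module GroupPolicy
    $map = @{}
    foreach ($g in Get-GPO -All) { $map[$g.Id.ToString()] = $g.DisplayName }
    return $map
}

function Resolve-GpoNameFromDN {
    param([Parameter(Mandatory)][string]$ObjectDN, [Parameter(Mandatory)][hashtable]$NameMap)
    # GPO containers are CN={GUID},CN=Policies,CN=System,DC=...; pull the GUID out.
    if ($ObjectDN -match 'CN=\{([0-9A-Fa-f-]{36})\},CN=Policies,CN=System') {
        $guid = $Matches[1].ToLower()
        if ($NameMap.ContainsKey($guid)) { return $NameMap[$guid] }
        return "<unknown or deleted GPO $guid>"   # GPO may already have been removed
    }
    return $null                                  # not a GPO container change
}

function Test-AfterHours {
    param([Parameter(Mandatory)][datetime]$Time, [int]$OpenHour = 8, [int]$CloseHour = 18)
    $weekend = $Time.DayOfWeek.ToString() -in @('Saturday', 'Sunday')
    return $weekend -or ($Time.Hour -lt $OpenHour) -or ($Time.Hour -ge $CloseHour)
}

function Get-HighRiskGpoChange {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][hashtable]$NameMap,
        [string[]]$ApprovedEditors = @()
    )
    foreach ($e in $Events) {
        $name = Resolve-GpoNameFromDN -ObjectDN $e.TargetDN -NameMap $NameMap
        if (-not $name) { continue }

        $reasons = @()
        if (Test-AfterHours -Time $e.TimeCreated) { $reasons += 'after-hours edit' }
        if ($ApprovedEditors.Count -gt 0 -and $e.EditorAccount -notin $ApprovedEditors) {
            $reasons += 'editor not on approved list'
        }
        if ($reasons.Count -eq 0) { continue }

        # One alert object per offending event; ready to post to a ticketing webhook.
        [pscustomobject]@{
            TimeCreated   = $e.TimeCreated
            GpoName       = $name
            EditorAccount = $e.EditorAccount
            TargetDN      = $e.TargetDN
            Reasons       = ($reasons -join '; ')
        }
    }
}

# Constructed sample input (not real log data) so the logic can be exercised offline.
$SampleMap = @{ '31b2f340-016d-11d2-945f-00c04fb984f9' = 'Default Domain Policy' }
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-03 22:41'; EditorAccount = 'CORP\jdoe'
                       TargetDN = 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 10:15'; EditorAccount = 'CORP\gpo-admin'
                       TargetDN = 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-06 11:00'; EditorAccount = 'CORP\jdoe'
                       TargetDN = 'OU=Finance,DC=corp,DC=example' }
)

# Only the first record is reported: after hours and an unapproved editor; the second is
# in hours by an approved account, the third is not a GPO container.
Get-HighRiskGpoChange -Events $SampleEvents -NameMap $SampleMap -ApprovedEditors 'CORP\gpo-admin'

# In production: Get-HighRiskGpoChange -Events (Get-GpoAuditEvent) -NameMap (Get-GpoNameMap) ...
```

Building the name map once with Get-GPO -All keeps the check cheap enough to run on every forwarded batch, and keeping each alert as an object means the ticket fields (GPO name, editor, reason, time) are already in place when the record is handed to a helpdesk integration.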
Auditing GPOs also plays a key role in optimizing identity infrastructure. According to a recent Forbes survey, 94% of organizations agree on the importance of Active Directory modernization, which involves continuous monitoring of GPO changes.
Step 6: Extend auditing to OUs and delegation
Organizational Units (or OUs) determine the scope of your policy and how it’s inherited. As you audit GPO changes, integrate OU creation, transfer, and removal events in your Group Policy audit for more comprehensive reports.
Doing so can also improve transparency and help uncover permission sprawl. Establish a regular cadence for GPO and OU reviews to ensure least-privilege practices are being applied.
NinjaOne integration simplifies OU change auditing
NinjaOne’s best-in-class RMM provides streamlined solutions for tracking fleet health and detecting policy drift. Here’s how NinjaOne helps you audit GPO changes:
| Step | Without NinjaOne | With NinjaOne |
| --- | --- | --- |
| Enable native auditing for policy changes. | Manual configuration via gpedit.msc and adsiedit.msc; involves setting up audit policies on individual DCs. | NinjaOne enhances visibility across endpoints and AD controllers with real-time logging and alerts. |
| Know the events that matter when you audit GPO changes. | Technicians have to manually filter key Event IDs from a SIEM or built-in tools. | NinjaOne allows you to define your own conditions for critical event IDs that automatically trigger ticketing workflows. |
| Centralize and protect the logs. | Requires WEF reconfiguration and manual retention of policy change logs. | NinjaOne centralizes log accumulation via SIEM integration (webhooks and API). |
| Back up, version, and diff GPOs. | Manual GPO backup workflows and spreadsheet edits can increase error and resolution times. | NinjaOne automates endpoint and policy backup with version control, encryption, and deduplication. |
| Alert on high-risk changes. | Requires time-consuming script tests for GPO link edit detection, off-hours changes, and more. | NinjaOne’s ticketing system creates straightforward workflows (enhanced by its script library) based on your policy conditions. |
| Extend auditing to OUs and delegation. | Manual audits via Active Directory Users and Computers (ADUC) or PowerShell. | NinjaOne logs delegation changes and OU modifications in its records and simplifies search with filterable views. |
Simplify GPO checks with endpoint solutions
Monitoring GPO modifications ensures compliance, operational resilience, and traceability. To audit GPO changes, use native directory and event logging, establish alerts through your SIEM or monitoring tools, review GPO link and scope changes using Group Policy Management, include OU activity for additional context, and report key metrics regularly to demonstrate control.