Why Native Auditing Fails When It Comes to Group Policy Auditing

by Danny Murphy
05.09.2018   Auditing

Organizations all over the world rely on Group Policy to control the working environment of both user and computer accounts in Active Directory (AD). However, due to the complex, scalable nature of Active Directory and the hundreds of available settings within Group Policy, it can be very easy to get it wrong – thus potentially leaving security vulnerabilities or leading to downtime.

Due to this combination of complexity and importance, it stands to reason that Group Policy should be continuously audited and monitored and that reports and alerts should be produced regularly documenting any changes.

As it happens, Microsoft does provide native auditing, monitoring and alerting features within Windows itself. However, as we will soon see, these methods do not hold up to the stringent compliance and security requirements associated with Group Policy.

Native Auditing and Group Policy

Firstly, Microsoft’s Group Policy auditing capabilities are not activated by default, as the space required to deal with the multitude of logs that are produced may place a certain strain on domain controllers.

Don’t just take our word for it. If you want to find out how to configure Group Policy auditing in Windows so that you can track and alert on changes for yourself, we have written a handy guide explaining how.

Problems begin to arise when you want to generate reports from the information in Event Viewer. You can use Event Viewer to view the changes being made to Group Policy Objects in the Security log, but if you can’t report on this information, you’re going to find it difficult to satisfy the requirements of an auditor. You could filter the Security log or create a Custom View to get a deeper look at the context of the raw data, but neither of these options produces a report.

In terms of alerting capabilities, Event Viewer is able to trigger alerts based on Group Policy change events, but it is not able to include the details of those changes in email notifications. The default email notification you receive from Event Viewer will not tell you what actually changed.
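To show what a basic change report from the native data looks like, here is an added PowerShell example (not code from the original post or from Lepide). It assumes Group Policy auditing has already been enabled as described in the guide above, so that Directory Service Changes events (IDs 5136, 5137 and 5141, the standard Windows event IDs for object modified, created and deleted) are being written to the Security log; the event data field names used below are the standard ones for those events, and the output path is an assumption.

```powershell
# Added example: export GPO change events from the Security log to a CSV report.
# Assumes Directory Service Changes auditing is already enabled on the domain
# controller (see the linked guide) and that this runs in an elevated session on a DC.
param(
    [int]$Days = 7,
    [string]$OutFile = ".\gpo-changes.csv"   # assumed output path
)

# Standard Windows event IDs: 5136 = object modified, 5137 = created, 5141 = deleted.
$actions = @{ 5136 = 'Modified'; 5137 = 'Created'; 5141 = 'Deleted' }

$filter = @{
    LogName   = 'Security'
    Id        = 5136, 5137, 5141
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # The details of the change live in the event's XML payload; map field name -> value.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only objects under the GPO container (CN={GUID},CN=Policies,CN=System,...).
    if ($data['ObjectDN'] -notmatch 'CN=Policies,CN=System') { continue }

    [pscustomobject]@{
        Time      = $evt.TimeCreated
        Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        What      = $actions[$evt.Id]
        GPO       = $data['ObjectDN']
        Attribute = $data['AttributeLDAPDisplayName']   # empty for create/delete events
        Value     = $data['AttributeValue']
        DC        = $evt.MachineName
    }
}

$rows | Sort-Object Time | Export-Csv -Path $OutFile -NoTypeInformation
"{0} GPO change record(s) written to {1}" -f @($rows).Count, $OutFile
```

The ObjectDN column identifies the GPO only by its GUID, and the attribute values are raw directory data, so someone still has to translate each row into the policy setting that changed before it is useful to an auditor.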

The Alternative to Native Auditing – LepideAuditor

I’m not saying that LepideAuditor is the only alternative to native auditing; there are many powerful and scalable solutions on the market today at affordable prices. However, LepideAuditor is certainly one of the best solutions for Group Policy auditing.

In simple terms, LepideAuditor allows you to see who made changes, what those changes were, when they were made and where they were made – all from a single console. It proactively and continuously audits, monitors and alerts on GPO changes and feeds this information back in real time via detailed email notifications, the LiveFeed or as push notifications to the LepideAuditor mobile app.

The solution also contains a number of pre-defined reports that are tailored specifically for security, IT operations and compliance requirements. For example, you may be required to prove that you track all modifications made to GPOs in order to satisfy GDPR compliance. With LepideAuditor, this can be done in a matter of clicks.

Next Steps

If you want to learn more about how LepideAuditor can help you audit, monitor and alert on Group Policy changes, take a look at our website or contact one of our sales team today.


Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.