Reporting on old changes?


3 replies to this topic

#1 Dan


Posted 06 January 2015 - 07:07 PM

My Active Directory and Group Policy Change Notifier has a scheduled task of daily at 3am.

I have a very small environment, and only I can make AD or GP changes, so this is really watching for outside attacks. I have yet to have it tell me something I didn't know I did the day before.

Last Friday (1/2/2015), while I was on vacation, I get an email listing all of my group policies as modified, under General/Delegation, and no other information, see attached image of email. What is General/Delegation? There is no such category inside each policy.

Attached File  2015-01-06_10-54-45.png   35.17KB   3 downloads

Also, there were two policies that showed 1 category each as changed. Changes that I had made back in the summer. I looked at the actual policies on the server manager, and sure enough, they all showed modified dates as recent as last month, and as old as July 21st, but nothing in the last 4 days. The real question is, why did I get a report at all, if none of the policies have actually changed in several days or more?

I do have a report for the change I made on 12/30, and it did arrive the next morning, as it was supposed to do.

#2 jeffb


Posted 07 January 2015 - 02:35 PM

Dan,

Group Policy changes are determined by doing a comparison of two different states of group policy. The state on 1 day versus the state on the next day. The "snapshot" of the GPOs is done on 1 domain controller. If the domain controller that is used the next day shows a change, it will be reported. I have seen this in instances where the state of GPOs was not consistent across all domain controllers.

So for example, let's say I make a change on domain controller A to a GPO a week ago and for whatever reason that change doesn't replicate to the GPO on domain controller B. If I use domain controller B for my snapshots all week and then all of a sudden domain controller A is used, now the change will show up from a week ago.

In regards to General / Delegation I cannot view the screenshot because of some forum issues. Let me work with my webteam and get back with you once I am able to view it.

-Jeff
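
A way to test the explanation above before trusting or dismissing a change report: list every GPO's version counters on each domain controller and show only the ones that differ. This is an added example, not part of the original thread and not NetWrix code; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the row fields `Versions` and `InSync` are names made up for this script.

```powershell
# Added example (not from the thread). Needs the RSAT ActiveDirectory and
# GroupPolicy modules and read access to the GPOs.
Import-Module ActiveDirectory, GroupPolicy

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# One row per (GPO, DC): AD-side and SYSVOL-side version counters plus timestamp.
$rows = foreach ($dc in $dcs) {
    try {
        Get-GPO -All -Server $dc -ErrorAction Stop | ForEach-Object {
            $userOk = $_.User.DSVersion -eq $_.User.SysvolVersion
            $compOk = $_.Computer.DSVersion -eq $_.Computer.SysvolVersion
            [pscustomobject]@{
                DC       = $dc
                Id       = $_.Id
                Name     = $_.DisplayName
                Modified = $_.ModificationTime
                Versions = '{0}/{1}/{2}/{3}' -f $_.User.DSVersion, $_.User.SysvolVersion, $_.Computer.DSVersion, $_.Computer.SysvolVersion
                InSync   = $userOk -and $compOk
            }
        }
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

# Only compare DCs that actually answered, so an unreachable DC is not
# reported as "GPO missing".
$answered = @($rows | Select-Object -ExpandProperty DC -Unique)

$drift = $rows | Group-Object Id | Where-Object {
    $g = $_.Group
    $dcsDisagree  = @($g | Select-Object -ExpandProperty Versions -Unique).Count -gt 1
    $adSysvolSplit = @($g | Where-Object { -not $_.InSync }).Count -gt 0
    $absentOnADc  = @($g).Count -lt $answered.Count
    $dcsDisagree -or $adSysvolSplit -or $absentOnADc
}

if (-not $drift) {
    "All GPOs match on: $($answered -join ', ')"
} else {
    $drift | ForEach-Object { $_.Group } | Sort-Object Name, DC |
        Format-Table Name, DC, Versions, InSync, Modified -AutoSize
}
```

If a GPO shows different counters per DC, a report that lists old changes is consistent with the snapshot having moved to a different domain controller rather than with a new modification.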

#3 Dan


Posted 07 January 2015 - 04:23 PM

And since I can't specify which DC to use for comparisons, I can't control this behavior. Still for a normal replication to take 15 seconds per Microsoft, with 2 domain controllers that literally sit next to each other, I still have to ask why it's reporting changes from 6 months ago. See attached image with policy modified dates.

#4 jeffb


Posted 07 January 2015 - 04:42 PM

Dan,

In the Enterprise version there is a file called dclist.txt that can be modified to list only one domain controller to be used for snapshots. I am not 100% sure this file exists or is used in the free version. When I have time I can test it but if you want to see if it exists it can be found at C:\ProgramData\NetWrix\AD Change Reporter\Omitlists\%domain name% - Your path may have slightly different naming used since it is the freeware version. Edit the dclist.txt file and remove all domain controllers except for one. After a full day, see if the issue reproduces itself.

-Jeff