Reporting on old changes?
Posted 06 January 2015 - 07:07 PM
I have a very small environment, and only I can make AD or GP changes, so this is really watching for outside attacks. I have yet to have it tell me something I didn't know I did the day before.
Last Friday (1/2/2015), while I was on vacation, I got an email listing all of my group policies as modified, under General/Delegation, and no other information; see the attached image of the email. What is General/Delegation? There is no such category inside each policy.
Also, there were two policies that showed 1 category each as changed: changes that I had made back in the summer. I looked at the actual policies in Server Manager, and sure enough, they all showed modified dates as recent as last month and as old as July 21st, but nothing in the last 4 days. The real question is, why did I get a report at all, if none of the policies have actually changed in several days or more?
I do have a report for the change I made on 12/30, and it did arrive the next morning, as it was supposed to do.
Posted 07 January 2015 - 02:35 PM
Group Policy changes are determined by doing a comparison of two different states of Group Policy: the state on one day versus the state on the next day. The "snapshot" of the GPOs is done on one domain controller. If the domain controller that is used the next day shows a change, it will be reported. I have seen this in instances where the state of GPOs was not consistent across all domain controllers.
So, for example, let's say I make a change on domain controller A to a GPO a week ago, and for whatever reason that change doesn't replicate to the GPO on domain controller B. If I use domain controller B for my snapshots all week and then all of a sudden domain controller A is used, the change from a week ago will now show up.
In regards to General / Delegation, I cannot view the screenshot because of some forum issues. Let me work with my web team and get back to you once I am able to view it.
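As an added illustration of the mechanism described in the reply above (example code written for this page, not from the thread or from Netwrix), the following PowerShell script asks every domain controller for its own view of each GPO and reports any GPO whose AD/SYSVOL version counters or modification time differ between DCs, or that exists on some DCs but not others. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it can read GPOs on each DC.

```powershell
# Added example: find GPOs whose state differs between domain controllers,
# which is the condition that makes a day-over-day snapshot comparison taken
# from different DCs report old changes as new.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$dcs   = (Get-ADDomainController -Filter *).HostName
$state = @{}   # GPO id -> @{ dcName -> signature string }
$names = @{}   # GPO id -> display name

foreach ($dc in $dcs) {
    try {
        foreach ($gpo in Get-GPO -All -Server $dc -ErrorAction Stop) {
            $id = $gpo.Id.ToString()
            $names[$id] = $gpo.DisplayName
            if (-not $state.ContainsKey($id)) { $state[$id] = @{} }
            # Signature: AD and SYSVOL version counters plus the modification
            # time as this DC sees them. Any difference means the DCs disagree.
            $state[$id][$dc] = @(
                $gpo.User.DSVersion, $gpo.User.SysvolVersion,
                $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion,
                $gpo.ModificationTime.ToString('o')
            ) -join '/'
        }
    } catch {
        Write-Warning "Could not read GPOs from $dc : $_"
    }
}

$inconsistent = 0
foreach ($id in $state.Keys) {
    $views    = $state[$id]
    $distinct = @($views.Values | Sort-Object -Unique)
    $missing  = @($dcs | Where-Object { -not $views.ContainsKey($_) })
    if ($distinct.Count -gt 1 -or $missing.Count -gt 0) {
        $inconsistent++
        Write-Output ("GPO '{0}' ({1}) is not consistent:" -f $names[$id], $id)
        foreach ($dc in $views.Keys) { Write-Output ("  {0,-30} {1}" -f $dc, $views[$dc]) }
        foreach ($dc in $missing)    { Write-Output ("  {0,-30} MISSING" -f $dc) }
    }
}
Write-Output ("{0} of {1} GPOs differ between DCs." -f $inconsistent, $state.Count)
```

Any GPO listed is one where a snapshot taken from one DC today and another DC tomorrow would show a "change" that is really replication lag rather than an edit. With a single DC there is nothing to compare and the report stays empty.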
Posted 07 January 2015 - 04:23 PM
Posted 07 January 2015 - 04:42 PM
In the Enterprise version there is a file called dclist.txt that can be modified to list only one domain controller to be used for snapshots. I am not 100% sure this file exists or is used in the free version. When I have time I can test it but if you want to see if it exists it can be found at C:\ProgramData\NetWrix\AD Change Reporter\Omitlists\%domain name% - Your path may have slightly different naming used since it is the freeware version. Edit the dclist.txt file and remove all domain controllers except for one. After a full day, see if the issue reproduces itself.