Windows Server 2008 and Windows Vista : Advanced Group Policy Management - Change Management

1. When the Changes Were Made

The first requirement of Group Policy change management is the tracking of when a GPO was changed. Troubleshooting issues with Group Policy can be difficult, but if isolating a specific change to a GPO can help narrow the overall issue, a list of when GPOs were altered is very useful.

AGPM tracks the day and time when a GPO was altered. This is done per GPO, as it should be. An archive point is established for every time a GPO in AGPM is edited. Tracking the day and time of every edit establishes a timeline for the GPO. Figure 1 shows a GPO that has been altered many times. Note that each time the GPO is edited, an entry is made for the day and time.

Figure 1. Every time a GPO is edited within AGPM, an entry is made to the archive, establishing the day and time of the change.

Who Made the Changes

Tracking the user who made the changes can be helpful for several reasons. First, the user might have had a specific reason for making the change but did not document it. Contacting the user who made the change is an easy way to determine why settings were updated in a GPO.

Second, it is always important to know who is making changes to critical areas of the network. Group Policy is extremely powerful and can do damage if left in the wrong hands. The fact that each user’s changes are tracked helps monitor who has the ability to make the changes.

Finally, malicious activity does occur on a network. Knowing which users made specific settings in a GPO is very useful if you are trying to track down a rogue administrator. It is never pleasant to consider someone doing something negative to the network, but it does happen.

What Changes Were Made

The ability to track when changes were made to the GPO and who made them is nice for auditing and identifying the guilty individual in case of an errant setting. However, the real benefit of change management is the ability to track what settings were modified, added, or deleted in the GPO. This objective is very difficult to achieve, because the changes that occur in the GPO must be compared to the previous version of the GPO, or an even older version.

AGPM allows you to look at the settings that are in the GPO and also compare the GPO to any historical GPO in the archive. This provides a clear view of the GPO changes in comparison to any version of the GPO. Figure 2 illustrates how the change management aspect of AGPM tracks changes that were made in the GPO.

Figure 2. Every change made in a GPO is recorded and can then be compared to a different version of the GPO in the archive, providing a difference report.