Last month we at SDM Software shipped the 2.0 version of our Group Policy Auditing & Attestation product. GPAA is our flagship product for helping you perform real-time compliance auditing, alerting, rollback and attestation of Group Policy Objects (GPOs). The product provides in-depth auditing of GPO changes on everything from new GPO creation to modification of individual GPO settings across all policy areas (e.g. security, Administrative Templates, GP Preferences, etc.) to changing of links or security filters on GPOs. It also provides built-in rollback capabilities so that errant GPO changes can be reversed.
In 1.0, we also provided a GPO “attestation” or re-certification feature that allows administrators to assign owners to critical GPOs. Owners are then required to attest to, or certify, the validity of their GPOs on a periodic basis. This is especially useful for two reasons:
1. If you’re using GPOs to secure or configure critical servers, such as those that store PCI or other confidential data, you and your auditors will probably want to know who is responsible for those GPOs and that their settings are being reviewed periodically.
2. If you have struggled with “GPO Sprawl” in the past–the phenomenon where GPOs just spring up over time until you somehow have 100s of them–then being able to assign owners and have those owners periodically attest that they’re still valid and useful in the environment is incredibly helpful!
Now with GPAA 2.0, we’ve added the ability to perform attestation/re-certification of AD groups as well (both security and distribution groups).
AD Group Attestation/Certification
The AD group attestation feature works very similarly to its GPO counterpart. You can assign owners to AD groups, and those owners are periodically asked to attest/certify the groups’ membership. Both direct and indirect membership is reported to the owner so that they understand any nested members that may be part of the groups. The AD group attestation feature also adds a further capability: if an owner rejects group attestation, they can optionally ask that the group be deleted. The GPAA administrator will be notified of the rejected attestation and the delete request, and can then view the deletion queue and optionally choose to delete the group directly from within the product, or un-mark it for deletion if desired.
For a quick tour of the new features in GPAA 2.0, including group attestation and the new auditing agent keep-alive feature that ensures that your GPO auditing agents running on your DCs are all communicating changes properly, I’ve recorded this quick video, attached to this post. Check it out!