Group Policy is a valuable feature in Windows that gives administrators strict control over Windows desktops and servers. . Therefore, IT shops must keep up-to-date on all changes that are made to Group Policy Objects (GPOs). There are two aspects of control that provide complete visibility and ownership of GPOs and their changes throughout their lifecycle. These two aspects include:
- Change auditing of GPO and related changes
- Attestation of key GPOs to ensure that all policies in place make sense and have ownership
Let’s cover each of these quickly.
Group Policy Change Auditing
You want to know every time another user makes a change to a GPO. These changes can compromise the security of thousands of workstations or servers in your environment if they aren’t monitored closely. Unfortunately, Microsoft provides no in-the-box way of tracking settings that have changed within a given GPO. Monitoring changes to GPO permissions, GPO links and other metadata can be even more difficult..— That is why you need a GPO change auditing capability that uses a centralized reporting feature to prevent any unauthorized changes to your Group Policy environment. This is the only way you can monitor activity within Group Policy.
Group Policy Attestation
Attestation is a familiar concept to those in IT that might be subject to regulatory or compliance controls. It is the process of attesting to a particular resource—essentially of saying that you are the responsible “owner” of that resource and that you attest that it is required and used properly. This attestation process is a key part of managing the Group Policy lifecycle, because GPOs can be created and left in an environment for many years, without anyone being aware of its function or necessity. Implementing Group Policy attestation guarantees that all critical GPOs have owners, and that those owners periodically attest to the fact that the GPOs are still valid and necessary within the environment.
Managing the Group Policy Lifecycle
Both Group Policy Change Auditing and Group Policy Attestation can provide the tools needed to ensure that your GPOs remain under your control and compliant within your environment. These capabilities can also help ensure that someone is assigned responsibility for any GPOs within your environment.