How to Detect Who Deleted a Group Policy Object

Native Auditing vs. Netwrix Auditor for Active Directory
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Active Directory
Native Auditing
Netwrix Auditor for Active Directory
Steps
  1. Run gpedit.msc → Create a new GPO → Edit it by going to "Computer Configuration" → Policies → Windows Settings → Security Settings :
    • Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit File System > Define → Success and Failures
    • Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures
    • Local Policies → Audit Policy → Audit directory service access → Define → Success and Failures.Event Log → Define → Maximum security log size to 4gb and Retention method for security log to "Overwrite events as needed".
  2. Link the new GPO to OU by going to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  3. Force the group policy update in "Group Policy Management" by right-clicking the defined OU → Click "Group Policy Update".
  4. Open ADSI Edit → Connect to Default naming context → Expand “DC=domain name”→ Expand “CN=System” → Right-click "CN=Policies" → Choose Properties → Security (Tab) → Advanced → Auditing (Tab) → Click "Add" → Choose the following settings:Principal: «Everyone»; Type: «Success»; Applies to: «This object and all descendant objects»; Permissions: «Delete groupPolicyContainer objects» → Click "OK".
  5. Navigate to the \\domainname\sysvol\domainfqdn → right-click "Policies" folder and select "Properties".
  6. Select the "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" and set the following parameters: Principals: "Everyone";Type: “All”; Applies to: “This folder, subfolders and files”; Advanced Permissions: “Write attributes; Write extended attributes; Delete; Delete subfolders and files”; Click "OK" three times.
  7. To define what Group Policy was deleted, filter Security Event Log for Event ID 4663 (Task Category – "File System" or "Removable Storage") and search for "Object Name:" string, where you can find the path and GUID of deleted policy. 
    "Account name" field shows who deleted a Group Policy object.

Report sample:

Sample Report - How to Detect Who Deleted a Group Policy Object
  1. Run Netwrix Auditor → Click “Reports” → Navigate to Active Directory → Choose “Group Policy Changes” → Select "All Group Policy Changes" report → Click “View”.
  2. To save the file, click the "Export" button → Select Excel format → Save as → Choose a location to save it.

Report sample:

How to Detect Who Deleted a Group Policy Object
Learn more about Netwrix Auditor for Active Directory

Investigate Group Policy Object Deletions and Facilitate the Recovery Process

Group Policy Objects (GPOs) can provide configurations for access to shared resources and devices, enable critical functionalities or establish secure environments. If some of the GPOs are deleted, users may not be able to access the Internet, modify their data, use peripherals or even log in to their systems. Deleting GPOs that deal with access control, authentication and other security policies may increase systems’ vulnerability and allow unauthorized access. 

Related How-tos
How to Monitor User Logоns in a Domain How to Detect Who Created a User Account in Active Directory How to Export Members of a Particular AD Group How to Restore Active Directory Users How to Export Group Policy Settings in Minutes How to Export a Computer List from Active Directory