
How to Detect Who Deleted a Group Policy Object


Mar 23, 2016

Deleting Group Policy Objects can disrupt logins, resource access, and critical security configurations, leaving systems vulnerable. Native auditing helps track deletions by enabling advanced audit policies, configuring auditing on the CN=Policies container and SYSVOL folders, and reviewing Security Event Logs for Event ID 4663. These logs reveal the deleted GPO’s GUID and the account responsible, giving administrators visibility to investigate changes and restore proper policy enforcement.

Group Policy Objects (GPOs) can provide configurations for access to shared resources and devices, enable critical functionalities or establish secure environments. If some of the GPOs are deleted, users may not be able to access the Internet, modify their data, use peripherals or even log in to their systems. Deleting GPOs that deal with access control, authentication and other security policies may increase systems’ vulnerability and allow unauthorized access.

How to detect who deleted a GPO using native auditing tools?

1. Run GPMC.msc > open “Default Domain Policy” > Computer Configuration > Policies > Windows Settings > Security Settings:

  • Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System > Define > Success and Failure
  • Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Handle Manipulation > Define > Success and Failure
  • Local Policies > Audit Policy > Audit directory service access > Define > Success and Failure
  • Event Log > Define > Maximum security log size to 1 GB and Retention method for security log to Overwrite events as needed.

2. Open ADSI Edit > Connect to Default naming context > DC=domain name > CN=System > right click “CN=Policies” > Properties > Security (Tab) > Advanced > Auditing (Tab) > Click “Add” > Choose the following settings:

  • Principal: Everyone; Type: Success; Applies to: This object and all descendant objects; Permissions: Delete groupPolicyContainer objects > Click “OK”.

3. Navigate to \\<domain name>\SYSVOL\<domain FQDN> > right-click the “Policies” folder and select “Properties”.

4. Select the “Security” tab > “Advanced” button > “Auditing” tab > Click “Add”.

5. Select Principal: “Everyone”; Select “Type: All”; Select “Applies to: This folder, subfolders and files”; Select the following “Advanced Permissions”: Write attributes; Write extended attributes; Delete; Delete subfolders and files; Click “OK” three times.

6. To determine which Group Policy was deleted, filter the Security event log for Event ID 4663 (Task Category: “File System” or “Removable Storage”) and search for the “Object Name:” string, which contains the path and GUID of the deleted policy; the “Account Name” field shows who deleted it.
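As an added example (not part of the original post), the following PowerShell script automates step 6: it reads Event ID 4663 from the Security log, keeps only entries whose object path lies under a SYSVOL Policies\{GUID} folder and whose access mask includes DELETE, and lists the account, GUID and process for each. It assumes it is run elevated on a domain controller; the $Since and $MaxEvents values are placeholders to adjust.

```powershell
# Added example, not from the original post. Run elevated on a domain controller.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),   # placeholder: how far back to search
    [int]$MaxEvents  = 5000                       # placeholder: cap on events read
)

$deleteMask     = 0x10000   # DELETE access right, as it appears in the 4663 AccessMask field
$gpoPathPattern = '(?i)\\Policies\\(\{[0-9A-F-]{36}\})'   # ...\SYSVOL\...\Policies\{GUID}

# Pull 4663 ("An attempt was made to access an object") events since $Since
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $Since
} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$results = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only objects inside a Policies\{GUID} folder
    if ($d['ObjectName'] -match $gpoPathPattern) {
        $guid = $Matches[1]

        # AccessMask is a hex string such as "0x10000"; keep only accesses that include DELETE
        $mask = [Convert]::ToInt64(($d['AccessMask'] -replace '^0x', ''), 16)
        if (($mask -band $deleteMask) -ne 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                GpoGuid = $guid
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
            }
        }
    }
}

# One 4663 is logged per file or folder removed, so group by GUID to see each deleted GPO once
$results | Sort-Object Time | Group-Object GpoGuid | ForEach-Object {
    $first = $_.Group | Select-Object -First 1
    [pscustomobject]@{
        GpoGuid   = $_.Name
        FirstSeen = $first.Time
        Account   = $first.Account
        Objects   = $_.Count
    }
} | Format-Table -AutoSize
```

Once the GPO is gone its GUID no longer resolves in GPMC, so match it against a GPO backup or change log to recover the policy name.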



About the author


Jeff Melnick

Director of Systems Engineering

Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.