If you configured Policy Change Tracking, then you can run queries to search for various policy-related activity on one of the following pages in the Compliance -> Policy Changes section:
Common fields for all Policy Change Tracking pages
# (Event Number): The event number of the Windows event that was logged by the OS to indicate the account change. You can click on the event number to display this event, assuming that a corresponding filter has been set up to capture these events.
Computer: The computer where the policy, user right etc. was changed. This computer is always a domain controller for domain and Kerberos policy changes.
Source Computer: The source computer from which the change was initiated, though this is usually empty for pages in this category. This information is only available when "Retrieve Source IP Address and Computer Name" is checked, and when a related logon event was previously monitored by EventSentry.
Audit Policy
Policy, Subcategory, Subcategory GUID, Success, Failure: The type of audit policy that was changed. The Success and Failure columns always list the effective (new) configuration for the listed policy.
Windows 2003 and earlier: Lists all 9 available policy categories and their effective values for both success and failure.
Vista, Windows 2008 and later: Since Vista and later contain significantly more auditing categories than earlier versions of Windows, policy changes are logged differently. Instead of listing all categories, only the categories whose values have changed are listed. As such, the Subcategory and Subcategory GUID fields contain detailed information about the changed policy.
Domain Policy
Change Type: The type of domain policy that was changed. Possible values include "Password Policy" and "Lockout Policy".
Details: Contains details about the changes that were made to the domain policy. This field may be empty if no details are available, which can be the case on some versions of Windows, including Windows XP.
Kerberos Changes
Kerberos Changes: Details about the Kerberos change.
Trust Relationship Changes
Target Domain: The domain with which the trust was established or from which it was removed.
Target Domain ID: The SID of the target domain.
Operation Type: The trust relationship change that was performed, such as a new trust being created or an existing trust being removed.
Trust Type, Trust Direction, Trust Attributes: The type of the trust (e.g. Uplevel), the direction of the trust (e.g. Outbound) and the trust attributes.
SID Filtering: Indicates whether SID Filtering is enabled or not for the trust. Disabling SID filtering may have security implications.
User / Logon Right Changes
Policy: Indicates whether a user or a logon right was changed.
Operation: Indicates whether a user/logon right was added or removed.
User / Logon Right: The short name of the user or logon right that is affected, for example SeUndockPrivilege.
User / Logon Right Description: The long name (description) of the user or logon right that is affected, for example "Remove computer from docking station".
Target User: The username for which the user or logon right was changed.
Caller User: The user who performed the user / logon right change. If the username ends with the $ sign, then the change was performed by the OS.