Have you ever had the following conversation with your boss? “The Group Policy accident last week cost us quite a few hours of production. We need to know who pulled the trigger, and when.” Fortunately for you, Windows Server, like most modern network OSs, has robust logging built in. Unfortunately for you, your window into this logging comes via the Event Log tool. Using this tool to track down events that happened today, let alone last week, is nearly impossible. If this scenario sounds familiar, you need a tool like NetWrix’s Group Policy Change Reporter.
Group Policy Change Reporter is one program in a family of useful tools. NetWrix offers many administrative and reporting tools, such as Exchange Change Reporter, File Server Change Reporter, Disk Space Monitor, and many others.
I’ve installed several NetWrix applications in the past year, and I’ve been quite impressed. The process is always simple and intuitive. To install Group Policy Change Reporter, I had to first install the .NET Framework 2.0 and Group Policy Management Console (GPMC). After I completed these steps, the actual software installation took only a few minutes. You can install the application directly on the domain controller for smaller domains; for large domains, you might want to use a dedicated utility server (e.g., a server that hosts your antivirus and Windows Server Update Services (WSUS) updates). When the installation is finished, a configuration page displays options such as the domain you want to monitor, a location for the data, the amount of time you want to keep the logs, and an email account the reports should be sent to.
To test the tool, I created a simple organizational unit (OU) structure and proceeded to implement some new Group Policy Objects (GPOs). First, I created a GPO called PC – XP – Wait for Network (which is an important Group Policy setting if you want to deploy software to computers via GPO). After this Group Policy setting was implemented, I unlinked the Group Policy setting from the OU to simulate a junior administrator making a change to a production network.
To view a report of my changes, I could have waited until the daily 3:00 a.m. report ran. But to speed things up, I decided to run the report manually via Scheduled Tasks. (On the Start menu, select All Programs, Accessories, System Tools, Scheduled Tasks.) I then used the NetWrix Enterprise Management Console to run an ad-hoc report. After a few seconds, the report in Figure 1 opened in Internet Explorer. As you can see, the report clearly shows that I modified the Group Policy setting, changing the Link Status from Enabled to Disabled. It also shows that the user who performed the change is “Administrator,” which brings up a great point about accountability: Never let your administrators log on as “Administrator”—if you do, you’ll never really know who performed a specific task. You can have your reports emailed to you every morning, which will give you a nice 24-hour snapshot of what your administrators have been up to.
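In Active Directory, a GPO link and its enabled/disabled state are stored in the OU's gPLink attribute, so a link-status change like the one in this test can be found by comparing two snapshots of that value. The PowerShell below is an added example, not NetWrix's code or part of the original review; the function names, the GUID, and the example.test domain are constructed for illustration.

```powershell
# gPLink entries look like [LDAP://<GPO DN>;<flags>].
# Flags: bit 0 set = link disabled, bit 1 set = link enforced.
function ConvertFrom-GpLink {
    param([string]$GpLink)
    $links = @{}
    $pattern = '\[LDAP://([^;\]]+);(\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $flags  = [int]$m.Groups[2].Value
        $status = if ($flags -band 1) { 'Disabled' } else { 'Enabled' }
        # Lower-case the DN so snapshots compare case-insensitively.
        $links[$m.Groups[1].Value.ToLowerInvariant()] = [pscustomobject]@{
            Status   = $status
            Enforced = [bool]($flags -band 2)
        }
    }
    return $links
}

function Compare-GpLink {
    param([string]$Before, [string]$After)
    $old = ConvertFrom-GpLink $Before
    $new = ConvertFrom-GpLink $After
    $allDns = @($old.Keys) + @($new.Keys) | Sort-Object -Unique
    foreach ($dn in $allDns) {
        $change = $null
        if (-not $old.ContainsKey($dn)) {
            $change = 'Link added ({0})' -f $new[$dn].Status
        } elseif (-not $new.ContainsKey($dn)) {
            $change = 'Link removed'
        } elseif ($old[$dn].Status -ne $new[$dn].Status) {
            $change = 'Link Status: {0} -> {1}' -f $old[$dn].Status, $new[$dn].Status
        } elseif ($old[$dn].Enforced -ne $new[$dn].Enforced) {
            $change = 'Enforced: {0} -> {1}' -f $old[$dn].Enforced, $new[$dn].Enforced
        }
        if ($change) { [pscustomobject]@{ Gpo = $dn; Change = $change } }
    }
}

# Constructed sample values (GUID and domain are placeholders).
$gpo    = 'cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=test'
$before = "[LDAP://$gpo;0]"
$after  = "[LDAP://$gpo;1]"
Compare-GpLink -Before $before -After $after | Format-List
```

On a domain with the ActiveDirectory module, the two snapshots can be taken at different times with `Get-ADOrganizationalUnit -Properties gPLink`. The comparison shows what changed on the OU, not who changed it; attributing the change still depends on the audit records.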
Group Policy Change Reporter
Setting up Group Policy Change Reporter’s reporting structure is extremely simple. If you require the product’s Advanced Reports, you’ll need to configure a SQL Server machine with SQL Server Reporting Services (SSRS). Fortunately, a configuration page walks you through the entire process. You can select from 13 built-in reports, such as Account Lockout Policy Changes and Security Policy Changes.
Support for NetWrix products is available through a free support forum, a robust and searchable Support Knowledge Base, a ticketing system for online support, or by toll-free phone (United States only). If you need help setting up a large implementation, NetWrix offers contract services that can ease deployment, offer customization, and provide training.
Group Policy Change Reporter is a great little program, with sister applications that augment its functionality (e.g., Active Directory Change Reporter, Exchange Change Reporter). The product is inexpensive and simple to set up. If you need easy, hassle-free reporting to keep track of what’s happening on your network, give Group Policy Change Reporter a try.