Failed Group Policy Container Access (Change Auditor Protection)

Change Auditor for Active Directory 7.1.1

I recently implemented Protection on several GPOs. I only allow Domain Admins and Group Policy Creator Owners excluded from Protection.

When I run the query 'All Group policy Events', I have hundreds of entries Failed Group Policy Container Access (Change Auditor Protection) from my PDC.

It states:

What: Access to Group Policy Default Domain Policy was denied by Change Auditor Protection on <Domain>\PDC.

Action:  Modify Attribute

I tried adding the PDC computer account to the Exclusion from Protection, but it did not help.

I have 2 questions:

  1. Why does the PDC computer role try to constantly acces my Protected GPOs?
  2. Is there a way to correct this?
  3. What is it trying to modify???

Any help would greatly be appreciated.

If I run a report on all GPOs changes, this fills up the report with nonsense.


  • Hello David,

    I am seeing a similar behavior in my environment and we are unable to isolate the issue.

    In my case it is a specific GPO a set of client machines generating this alert every time a user logs into the machine.

    Were you able to resolve it from your end? What was the fix?

  • The error message "Failed Group Policy Container Access (Change Auditor Protection)" suggests that there might be an issue related to accessing Group Policy Containers (GPC) within the context of Change Auditor Protection. Change Auditor blog is an enterprise solution provided by Quest Software for auditing and monitoring changes in Active Directory, Group Policy, Exchange, and other Microsoft infrastructure components.