Failed Group Policy Container Access (Change Auditor Protection)

Change Auditor for Active Directory 7.1.1

I recently implemented Protection on several GPOs. I only allow Domain Admins and Group Policy Creator Owners excluded from Protection.

When I run the query 'All Group policy Events', I have hundreds of entries Failed Group Policy Container Access (Change Auditor Protection) from my PDC.

It states:

What: Access to Group Policy Default Domain Policy was denied by Change Auditor Protection on <Domain>\PDC.

Action:  Modify Attribute

I tried adding the PDC computer account to the Exclusion from Protection, but it did not help.

I have 2 questions:

  1. Why does the PDC computer role try to constantly acces my Protected GPOs?
  2. Is there a way to correct this?
  3. What is it trying to modify???

Any help would greatly be appreciated.

If I run a report on all GPOs changes, this fills up the report with nonsense.

Dave

  • Hello David,

    I am seeing a similar behavior in my environment and we are unable to isolate the issue.

    In my case it is a specific GPO a set of client machines generating this alert every time a user logs into the machine.

    Were you able to resolve it from your end? What was the fix?

  • The error message "Failed Group Policy Container Access (Change Auditor Protection)" suggests that there might be an issue related to accessing Group Policy Containers (GPC) within the context of Change Auditor Protection. Change Auditor blog is an enterprise solution provided by Quest Software for auditing and monitoring changes in Active Directory, Group Policy, Exchange, and other Microsoft infrastructure components.

  • Encountered the similar issue.

    Here is a synopsis of what was done, seen, and steps take to resolve


    USERA: Authorized Domain Admin, whom was configured in CA-Protection as an Override Account (by AD group membership)
    Logged into Domain Controller (DC1)
    GPMC was opened on DC1, but connected to DC-2 (assume the Domain Admn had configured GPMC to connect DC2 sometime in the past)

    The Default Domain Policy was modified by USERA
    Change Auditor shows Events of Group Policy change was successful by USERA

    Started getting repeated alerts that Protected GP was triggering "“Access to Group Policy Default Domain Policy was denied” for User (DC2)


    Had USERA change the GPMC connection to DC1, and not DC2
    Protected Events continued repeating every 3-6 minutes

    Added DC-2 to as an “Override account” in CA-Protection,
    Protected Events continued repeating every 3-6 minutes

    Restarted DC-2
    The Protected Events Stopped

    Note, the Group Policy itself was consistent with the change made throughout all Domain Controllers in the Enterprise (DFS-R of the SYSVOL)
    The GP on DC-2 (Sysvol) was confirmed to have the changes, even while the Protection events were occurring

    Unsure why Domain Controllers are not by Default consider Override Accounts for all AD objects
    And unsure what DC-2 was trying to do exactly

    The going theory is that GPMC somehow kept the GP Container open in a State Protection could not access. How\Why , unknown

  • very serious issue .every one try to solve it.here the menu :https://amber-menu.com.ph/