Failed Group Policy Container Access (Change Auditor Protection)

Change Auditor for Active Directory 7.1.1

I recently implemented Protection on several GPOs. I only allow Domain Admins and Group Policy Creator Owners to be excluded from Protection.

When I run the query 'All Group Policy Events', I have hundreds of 'Failed Group Policy Container Access (Change Auditor Protection)' entries from my PDC.

It states:

What: Access to Group Policy Default Domain Policy was denied by Change Auditor Protection on <Domain>\PDC.

Action: Modify Attribute

I tried adding the PDC computer account to the Exclusion from Protection, but it did not help.

I have 2 questions:

  1. Why does the PDC computer role try to constantly access my Protected GPOs?
  2. Is there a way to correct this?
  3. What is it trying to modify???

Any help would greatly be appreciated.

If I run a report on all GPOs changes, this fills up the report with nonsense.

Dave

  • Encountered a similar issue.

    Here is a synopsis of what was done, seen, and steps taken to resolve.

    USERA: Authorized Domain Admin, who was configured in CA-Protection as an Override Account (by AD group membership)
    Logged into Domain Controller (DC1)
    GPMC was opened on DC1, but connected to DC-2 (assume the Domain Admin had configured GPMC to connect to DC2 sometime in the past)

    The Default Domain Policy was modified by USERA
    Change Auditor shows Events that the Group Policy change was successful by USERA

    Started getting repeated alerts that Protected GP was triggering "Access to Group Policy Default Domain Policy was denied" for User (DC2)

    Had USERA change the GPMC connection to DC1, and not DC2
    Protected Events continued repeating every 3-6 minutes

    Added DC-2 as an "Override account" in CA-Protection
    Protected Events continued repeating every 3-6 minutes

    Restarted DC-2
    The Protected Events stopped

    Note, the Group Policy itself was consistent with the change made throughout all Domain Controllers in the Enterprise (DFS-R of the SYSVOL)
    The GP on DC-2 (SYSVOL) was confirmed to have the changes, even while the Protection events were occurring

    Unsure why Domain Controllers are not by default considered Override Accounts for all AD objects
    And unsure what DC-2 was trying to do exactly

    The going theory is that GPMC somehow kept the GP Container open in a state Protection could not access. How/why, unknown

