In this article:

• Objective

• Prerequisites

• Steps to follow

• Validation and confirmation

• Tips

• Related topics and articles

Objective  

This article explains how to configure an alert in ManageEngine ADAudit Plus to notify administrators whenever a Group Policy Object (GPO) is modified. Monitoring GPO changes is essential for ensuring Group Policy integrity, detecting unauthorized or accidental modifications, and maintaining compliance with security and configuration standards.

Prerequisites  

• You must have access to the ADAudit Plus web console.

• Use an administrator account or a technician account with the operator role to create or modify alert profiles.

• All relevant domain controllers must:

• Be added and configured in ADAudit Plus.

• Be actively sending security event logs without errors.

• Have real-time log fetching enabled to detect changes immediately.

• Enable the following Audit Policy setting on all monitored domain controllers:

• Path: Advanced Audit Policy Configuration > DS Access > Audit Directory Service Changes

• Policy: Audit Directory Service Changes

• Setting: Enable Success

• Enable object-level auditing (SACL) on the Group Policy container objects in Active Directory.

• If email alerts are required, configure SMTP settings under:

• Admin > General Settings > Server Settings in ADAudit Plus

Steps to follow

1. Open the ADAudit Plus Web Console.

2. Log in using an account with administrator privileges or a technician account that has permissions to configure alerts.

3. Navigate to Alerts from the top menu.

4. Click New Alert Profile in the top-right corner.

5. Enter a relevant Alert Name and Description (e.g., Alert – GPO Modified).

6. Click the + symbol next to Report Profiles.

7. Under Domain, select the on-premises domain.

8. Choose GPO Modified as the report profile.

9. You can tailor the Alert Message to suit your specific requirements.

10. Additionally, you can use the Advanced Configuration options to customize alerts based on thresholds, business hours, and advanced filtering criteria.

11. In the Alert Actions section, enable E-mail Notification.

12. Enter the recipient email addresses where the alert should be delivered.

13. Provide a clear and relevant subject line for the email notification.

14. Select the preferred format for the alert email, either HTML or Plain Text.

15. Select the details you would like to include in the email, such as:

1. Alert Message

2. Alert Profile Name

3. Event Details

16. Enable the Throttle Notification option to suppress multiple alerts into a single notification based on defined criteria.
    Example: If multiple logon failures are detected from the same user within 15 minutes, consolidate them into one alert after that time window.

17. If SMS provider settings are already configured in ADAudit Plus (Admin > General Settings > Server Settings > SMS), enable SMS Notifications for real-time updates.

18. Enable the Execute Script option to trigger a script automatically when a specific alert is generated.
    Example: Lock a user account temporarily after detecting 10 consecutive logon failures from that account.

19. If a ticketing tool is integrated with ADAudit Plus (Admin > Configuration > Ticketing system Integration), enable Configure Auto Ticketing to automatically generate tickets for alerts.

Note: You can also use Throttle Ticket Generation to avoid creating a ticket for every alert and instead generate one for a group of alerts meeting certain conditions.

20. Click Save to activate the alert profile.

Validation and confirmation  

• Perform a test GPO Modification.

• Go to Alerts > expand the on-premises domain under profile-based alerts.

• Choose the alert profile that was created and select View Alerts in the ADAudit Plus console.

• Verify that the alert appears with the correct event details.

• Ensure the alert email is received at the specified address.

Tips

• Monitor critical GPOs separately.

• Set up a separate alert profile specifically for high-impact GPOs (e.g., Default Domain Policy or Domain Controllers Policy).

• Use filters to narrow alerts to only those GPOs.

• Create a second alert profile that triggers only during non-business hours to catch suspicious or unauthorized off-hours changes.

• Integrate ADAudit Plus with your SIEM or ITSM platform (e.g., ServiceNow) for centralized visibility and automated incident workflows.

Related topics and articles  

• No data available in the GPO Settings Changes report