GPG is not generating alerts. (NETIQKB33397)

  • 7733397
  • 02-Feb-2007
  • 15-Mar-2013

Environment


NetIQ Group Policy Guardian

Situation

GPG is not generating alerts.

Group Policy Guardian is not issuing an alert when a Group Policy Object changes.

After a Group Policy Object changes, Group Policy Guardian does not issue an alert.

Resolution

To resolve this issue, check the following items:

  1. Ensure that events with the ID 9999 are being recorded in the Application Log on the GPG server.
    • If 9999 events exist, check the Report functionality (see step 2).
    • If 9999 events do NOT exist, check the Windows auditing configuration (see step 3).
  2. Verify whether GPG reporting can produce reports.
    • If reports can be produced, the problem is likely in the GPG Connector module. Check the GPG Connector functionality (see step 4).
    • If reports do not work, the problem may be in the Reporting functionality.
  3. Ensure that Windows auditing is configured properly.
    1. Check for Event ID(s) 56x in the Security Log on the domain controller where GPO changes are being performed (specifically 560, 565, 566).
    2. If there are no 56x events, check the Windows auditing settings by running the Domain Controller Configuration report from the GPG Console for the domain/domain controller in question.

      To run the report and check the settings:

      1. In the GPG console, navigate to Domains | <domain> | Configuration | Domain Configuration Check and select Summary Report. The Report Option dialog box is displayed.
      2. Select the domain or domain controllers to check. If you select the Current Domain, all domain controllers in that domain are checked. Otherwise, you can check a specific domain controller.
      3. Click OK. GPG will query the specified domain controllers to validate the following items:

        • The Default Domain Controllers Policy has been enabled for Auditing.

        • The SACLs are correctly configured on the ..\SYSVOL\Policies folder.

        • The SACLs are correctly configured on the Policies and IPSec nodes in Active Directory.

      When a report finishes, GPG creates a subnode under the Domain Configuration Check node with the results of the configuration check.

    3. If the report shows correct configuration, verify that the GPG service account (under which the GPG Collector runs) has the correct permissions to remotely read the Security Logs on the domain controllers. This requires Domain Admin privileges.

    4. If 56x events do appear, check GPG Configuration (see step 5).

  4. Ensure that events with the ID 8888 are being recorded in the GPG Log on the GPG Server machine.

    • If the 8888 events exist, then the problem is within the GPG Connector module.
    • If the 8888 events do not exist, it may take a minute or two for them to appear due to operating system delay/buffering. Try initiating a second change to see if the first 8888 event appears. If problems persist, contact NetIQ Technical Support.
  5. If all of the above items have been checked and alerts are not being generated, perform the following before calling Technical Support:

    1. Ensure that all domain controllers are assigned to a GPG Collector.
    2. Ensure that the GPG Collectors and GPG Server services are all running.
    3. Restart the GPG Control service on the GPG Server machine to ensure that any domain controller assignments are assigned to a GPG Collector.
    4. Ensure that Audit Object Access is enabled for Success and Failure under Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policies on all monitored domain controllers.
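
The event-log checks in the list above (9999 in the Application Log, 56x in the Security Log, 8888 in the GPG Log) can be scripted so that the same triage runs after every test GPO change. The following Windows PowerShell script is an added example, not NetIQ code. It assumes a test change was made within the lookback window; the parameter names and the `GPG-LOG-NAME` placeholder for the GPG Log are hypothetical and must be replaced with the values from your installation.

```powershell
# Added example (Windows PowerShell 5.1; Get-EventLog is not available in PowerShell 7).
param(
    [Parameter(Mandatory)] [string]   $GpgServer,         # host running the GPG Server
    [Parameter(Mandatory)] [string[]] $DomainController,  # DCs where the GPO change was made
    [string] $GpgLogName = 'GPG-LOG-NAME',  # ASSUMPTION: placeholder for the "GPG Log" name
    [int]    $LookbackMinutes = 30,         # how far back to look for the test change
    [int]    $ScanDepth = 5000              # newest N records read per log
)
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

function Get-RecentEventCount {
    param([string]$Computer, [string]$Log, [int[]]$Id)
    try {
        # Match on EventID (not InstanceId, which can carry extra high-order bits).
        $hits = @(Get-EventLog -ComputerName $Computer -LogName $Log -Newest $ScanDepth -ErrorAction Stop |
            Where-Object { $_.TimeGenerated -ge $since -and $Id -contains $_.EventID })
        return $hits.Count
    } catch {
        Write-Warning "Cannot read log '$Log' on ${Computer}: $($_.Exception.Message)"
        return -1   # unreadable: wrong log name, no connectivity, or missing rights
    }
}

$n9999 = Get-RecentEventCount -Computer $GpgServer -Log 'Application' -Id 9999
if ($n9999 -gt 0) {
    "Step 1: $n9999 event(s) 9999 on $GpgServer. Next: step 2, test GPG reporting."
    $n8888 = Get-RecentEventCount -Computer $GpgServer -Log $GpgLogName -Id 8888
    if ($n8888 -gt 0)     { "Step 4: 8888 events present; look at the GPG Connector module." }
    elseif ($n8888 -eq 0) { "Step 4: no 8888 events; make a second GPO change and re-run." }
} elseif ($n9999 -eq 0) {
    "Step 1: no 9999 events on $GpgServer. Checking Windows auditing (step 3)."
    foreach ($dc in $DomainController) {
        $n56x = Get-RecentEventCount -Computer $dc -Log 'Security' -Id 560, 565, 566
        if ($n56x -gt 0)     { "Step 3: $dc has $n56x 56x event(s). Next: step 5." }
        elseif ($n56x -eq 0) { "Step 3: $dc has no 56x events. Run the Domain Configuration Check." }
    }
}
```

Running the script under the GPG service account also exercises the remote Security Log read that step 3 requires: a warning for a domain controller's Security log points at that account's permissions.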


Cause


Group Policy Guardian or the operating system may be misconfigured.

Additional Information

Formerly known as NETIQKB33397