This is expected, because the watcher service monitors the security on any registered object. Unfortunately, it is not possible to modify the security of the OU within GPOADmin, so there is no way to avoid the non-compliance state. Enhancement ID VSTS017460 has been submitted to make it possible to disable the monitoring of security for OUs.
GPOADmin cannot show exactly what has changed, because security on Scopes of Management is not used in GPOADmin. Running a difference report for a Scope of Management will only show changes that are relevant to GPOADmin, such as a link change. Security changes will not appear in the difference report for Scopes of Management.
Enabling debug logging in GPOADmin adds some additional details about the change. It shows that there was a change, but not what the value changed from or to. For that type of information, please use a product such as Change Auditor.
To enable debug logging and view the additional information: