Modifying the security of an Organizational Unit, or other Scope of Management, natively causes a "Noncompliant - Unauthorized Modification" (4309104)

This is expected as the watcher service will monitor the security on any registered object. Unfortunately it is not possible to modify the security of the OU within GPOADmin so there no way to avoid the non compliance state. Enhancement ID VSTS017460 has been submitted to be able to disable the monitoring of security for OU's.

GPOAdmin cannot show exactly what has changed as Security on Scopes of Management are not used in GPOAdmin. Running a difference report for a Scope of Management will only show changes that are relevant to GPOAdmin, such as a Link change. Security changes will not appear in the difference report for Scopes of Management.

Enabling Debug logging in GPOAdmin will add some additional details about the change. It will show that there was a change, but not what it changed from or to. For that type of information, please use a product such as Change Auditor.

To enable debug logging and view the additional information:

1. Open the GPOAdmin console
2. Right click the domain name and select Options
3. Expand Logging and click Configuration
4. Check:
    - Service Actions
    - User Actions
    - Errors
    - Debug Information
5. Click OK
6. When a change occurs to a Scope of Management, an Event will be logged to the GPOAdmin event log with an ID of 1050 and with text similar to following:
   "A change has been made in the live environment to the Scope of Management <DNofSoM>"
7. Select the event and click the Details tab
8. Scroll down to the Bytes section. The words in the column on the far right will show what has changed. For example, a change to the security of a SoM would read as follows:
   distinguishedname:<DN>..ntsecuritydescriptor