Changes to a GPOs settings appear in Auditing as a change in the GPO's Link(s) (SL3704)

Additional auditing functionality is available in Windows Server 2008 and 2012 versions, that was not present in Windows Server 2003 / Windows Server 2000.

Active Administrator is alerting based on what events are available in each OS. In Server 2003, we did not have the granularity in that we now have in Server 2008 and 2012. GPO change events were logged as Event ID 566.

In Windows Server 2008 and 2012, GPO changes are logged under a new event ID 5136 (Directory Service Changes) that provides more info. See also event IDs 5137 (create), 5138 (undelete), 5130 (move).

MORE INFORMATION: 

In Windows 2000 Server and Windows Server 2003, the Audit directory service access policy was the only auditing control available for Active Directory. The events that were generated by this control did not show the old and new values of any modifications. This setting generated audit events in the Security log with the ID number 566. In Windows Server 2008 and 2012, the audit policy subcategory Directory Service Access still generates the same events, but the event ID number is changed to 4662. http://technet.microsoft.com/en-us/library/cc731607(WS.10).aspx

The closest event ID (to 5136) in Windows Server 2003 and Windows Server 2000 is 566 – which provides limited information:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662

Related Articles or Solutions:

http://technet.microsoft.com/en-us/library/cc731764(WS.10).aspx

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4662