Audit log for admin changes
There needs to be a way to track which admin made a specific change. I would start with the white/black lists and changes to the group/policy linking as this will allow flushing out intentional or accidental changes.
Alexy Fox commented
I'd like to comment a few words as for network auditing.
To be more precise there are no exhausting preparations needed in order to get your PC audit up and running: just install Total Network Inventory 3 on one computer and that's it—you're good to go. Define a list of separate network nodes or IP-ranges or connect the scanner to an Active Directory domain. Next, specify the administrator's password and call it done after clicking Start scan! In a few short minutes you'll own data on all your Windows, Mac OS X, Linux, and FreeBSD computers as well as network devices.
So, be pleased follow the link, I definitely recommend this one: http://www.total-network-inventory.com