use GPMC (Group Policy Management Console)
http://www.petri.co.il/download_gpmc.htmTo monitor policy changes you can change your GPO (Default Domain Controller Policy) to audit policy changes. The setting is here:
MACHINE Config
Windows Settings\Security Settings\Local Policies\Audit Policy Audit policy change
I recommend auditing success and failure.
The event will appear in various DCs security logs according to which ever one the GP edit tool attaches to (I think it defaults to the infrastructure master)
The users will get an SCECLI event in their local application event log which tells you of success or failure of a policy application
Also you might look at RsOP and Tripwire
