All Apps and Add-ons

Show policy name when deleting GPO

eirika
Engager

Hi,

I seem to have a hard time to figure out the following:

I want to be able to monitor deletion of GPO's and which person who did this. For now i'm able to get the event id's ok (5141), the problem is i only get the DN of the policy.

Is there a way for AD to show me display name of the policy instead of only the DN when deleting a GPO?

Kind regards,

Eirik

0 Karma

kabobb
Explorer

I had a similar issue, where the AD logs only showed the GUID of the GPO so I decided to leverage Splunk's LDAP filtering/searching pull the GPO's Display Name attribtue

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=DOM search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName
  • where DOM = your domain name.
0 Karma

cgisplunk
Path Finder

Same question here. Also, how do you track the user/account name who created/changed/deleted a GPO?

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!