Hi,
I seem to have a hard time figuring out the following:
I want to be able to monitor deletion of GPOs and which person did this. For now I'm able to get the event IDs OK (5141); the problem is I only get the DN of the policy.
Is there a way for AD to show me the display name of the policy instead of only the DN when deleting a GPO?
Kind regards,
Eirik
I had a similar issue, where the AD logs only showed the GUID of the GPO, so I decided to leverage Splunk's LDAP filtering/searching to pull the GPO's displayName attribute:
index=os (EventCode=5136 OR EventCode=5137 OR EventCode=5141) Class=groupPolicyContainer
| rex field=DN "(?i)^CN=(?<gpo_guid>[^,]+),"
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
| ldapfilter domain=DOM search="(&(objectClass=groupPolicyContainer)(cn=$gpo_guid$))" attrs="displayName"
| convert ctime(_time) as Time
| table Time Security_ID EventCodeDescription action gpo_guid displayName
Same question here. Also, how do you track the user/account name who created/changed/deleted a GPO?
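The same correlation done directly on a domain controller in PowerShell, as an added example that is not from this thread and not Splunk's or Microsoft's code. It covers both the GUID-to-name question and the follow-up about who did it: the acting account is in the event's Subject fields (SubjectUserName, SubjectDomainName, SubjectUserSid in the event XML, which is the same data Splunk surfaces as Security_ID and Account_Name), and the GPO GUID is the CN of ObjectDN. One caveat worth knowing for any LDAP-based lookup: by the time a 5141 fires, the groupPolicyContainer has already been deleted, so a live LDAP query for its cn returns nothing; the script therefore also reads the deleted-objects container, which still carries displayName only when the AD Recycle Bin is enabled. The DC name and the lookback window are placeholders.

```powershell
# Added example (not from the thread). Correlates GPO create/modify/delete audit events
# with the acting account and the GPO display name, run on a domain controller.
# Assumes: GroupPolicy and ActiveDirectory modules installed, "Audit Directory Service
# Changes" (success) enabled, and a SACL on CN=Policies,CN=System,<domain> so that
# 5136/5137/5141 are actually written. $Dc and $Since are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Dc    = 'dc01.example.local'      # placeholder: DC whose Security log is read
$Since = (Get-Date).AddDays(-7)    # placeholder: lookback window

$actionMap = @{ 5137 = 'CREATED'; 5136 = 'MODIFIED'; 5141 = 'DELETED' }

# GUID -> displayName for live GPOs (resolves 5136/5137). Event DNs carry "{GUID}" in upper case.
$names = @{}
Get-GPO -All -Server $Dc | ForEach-Object { $names[$_.Id.ToString('B').ToUpper()] = $_.DisplayName }

# A deleted container no longer answers a normal LDAP query, so a 5141 cannot be resolved
# from the live directory. Deleted objects keep displayName only with the AD Recycle Bin;
# their Name becomes the old CN, a line feed, then "DEL:<objectGUID>", so keep the first part.
Get-ADObject -Server $Dc -IncludeDeletedObjects -Properties displayName `
    -Filter { objectClass -eq 'groupPolicyContainer' -and isDeleted -eq $true } |
    ForEach-Object {
        $cn = (($_.Name -split "`n")[0]).ToUpper()
        if ($_.displayName -and -not $names.ContainsKey($cn)) { $names[$cn] = $_.displayName }
    }

$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $Since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Named EventData fields from the event XML: Subject* (who) and ObjectDN (what)
    # are present for all three event IDs.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Only GPO containers, not every directory object change on the DC.
    if ($d.ObjectClass -ne 'groupPolicyContainer') { return }
    # The CN of a GPO container is its GUID, e.g. CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,...
    if ($d.ObjectDN -notmatch '^CN=(\{[0-9A-Fa-f-]{36}\})') { return }
    $guid = $Matches[1].ToUpper()

    [pscustomobject]@{
        Time      = $_.TimeCreated
        Actor     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        ActorSid  = $d.SubjectUserSid
        Action    = $actionMap[[int]$_.Id]
        GpoGuid   = $guid
        GpoName   = if ($names.ContainsKey($guid)) { $names[$guid] } else { '(unresolved: deleted, Recycle Bin disabled?)' }
        Attribute = $d.AttributeLDAPDisplayName   # populated for 5136 only
    }
} | Sort-Object Time | Format-Table -AutoSize
```

5136 is the noisy one: every GPO edit bumps versionNumber and the gPC*ExtensionNames attributes, so when only deletions matter, filter on Action -eq 'DELETED' before alerting. The useful detection is less the event itself than the Actor column: a GPO deleted by an account outside the small set expected to administer Group Policy is what should page someone.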