Show policy name when deleting GPO

eirika · ‎11-27-2013

Hi,

I seem to have a hard time to figure out the following:

I want to be able to monitor deletion of GPO's and which person who did this. For now i'm able to get the event id's ok (5141), the problem is i only get the DN of the policy.

Is there a way for AD to show me display name of the policy instead of only the DN when deleting a GPO?

Kind regards,

Eirik

kabobb · ‎01-09-2015

I had a similar issue, where the AD logs only showed the GUID of the GPO so I decided to leverage Splunk's LDAP filtering/searching pull the GPO's Display Name attribtue

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=DOM search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName

where DOM = your domain name.

cgisplunk · ‎10-09-2014

Same question here. Also, how do you track the user/account name who created/changed/deleted a GPO?

Show policy name when deleting GPO

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!