Show policy name when deleting GPO

eirika · ‎11-27-2013

Hi,

I seem to have a hard time to figure out the following:

I want to be able to monitor deletion of GPO's and which person who did this. For now i'm able to get the event id's ok (5141), the problem is i only get the DN of the policy.

Is there a way for AD to show me display name of the policy instead of only the DN when deleting a GPO?

Kind regards,

Eirik

kabobb · ‎01-09-2015

I had a similar issue, where the AD logs only showed the GUID of the GPO so I decided to leverage Splunk's LDAP filtering/searching pull the GPO's Display Name attribtue

index=os EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
|rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
|eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
|ldapfilter domain=DOM search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
|convert ctime(_time) as Time 
|table _time Security_ID EventCodeDescription action gpo_guid displayName

where DOM = your domain name.

cgisplunk · ‎10-09-2014

Same question here. Also, how do you track the user/account name who created/changed/deleted a GPO?

Show policy name when deleting GPO

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Splunk and Fraud

Build Your First SPL2 App!