I'm using Splunk app for Active Directory, i've installed and configured it to make it run.
I receive data regarding the CPU/RAM monitoring, general info, etc ... in the 3 index msad, perform & winevents.
Unfortunately, i don't receive any information regarding the DC status/helth.
I see it's due to the search "index=msad source=powershell", i'd never indexed data with the field source=powershell in the msad index (only index=msad source=ActiveDirectory).
How could i check where the problem come from ? The script doesn't work ? Isn't executed ? something else ?
The GPO making run the PS script on my DCs is enabled.
I use 1 splunk server with 2 Win 2012 DCs.
Some help would be fine 🙂
A couple of things to check first to make sure Powershell scripts can run –
1. Set the PS execution policy on the UF - Set-ExecutionPolicy remotesigned
2. Make sure that the Powershell script itself is not blocked – Open the script in Windows explorer=>Properties; Go to the security tab and unblock.