Re: Query for Checking GPO Changes

tbarry138 · ‎11-14-2018

Hi All,

I've been looking for help on a query for a dashboard that can show me when changes are made for my environments GPOs.

I just want it to show who made it(User), What GPO was changed, and when.

Currently mine shows when PC's are getting the updates so it goes off all the time. Does anyone have any queries they can share with me?

Thank You

adonio · ‎11-14-2018

I believe you are in need for AD group policies change search
there are many examples in this portal:

https://answers.splunk.com/answers/507943/what-is-the-best-way-to-monitor-active-directory-g-1.html
https://answers.splunk.com/answers/443278/monitor-active-directory.html
https://answers.splunk.com/answers/43780/active-directory-monitoring.html

in docs:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/MonitorActiveDirectoryctory

another discussion:
https://answers.splunk.com/answers/619281/how-can-i-monitor-active-directory-gpo-changes-on.html

hope it helps

rahulkumarfgf · ‎08-18-2020

Hi,

I understand that this thread is a bit old but I have searched for an answer everywhere and haven't found any. So, I was wondering if someone could actually help with this as I have a similar query. I am able to get which group policy changed and by whom, but I also need to know what exactly changed in a GPO. Can someone please tell me how can we do that? I am using Splunk app for Windows Infrastructure and it's set up correctly.

Thanks,

Query for Checking GPO Changes

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life