Audit Windows Group Policy change


Hey all,

A bit of a Microsoft question...

We want to monitor Windows Group Policy changes in our domain. We have installed the Splunk Add-on and App for Exchange and Active Directory, and also the relevant content packs containing some reports about this.

We do get events 😊😊


We also have AGPM (Advanced Group Policy Management, Microsoft software) installed and configured. Under the terms of that software:

Microsoft Advanced Group Policy Management (AGPM) is a client/server application.
The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive.

And also a few terms:

  • Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
  • Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.


When you edit a GPO using the AGPM system, you work on a copy of the original GPO. As a result, the Windows event logs on the domain controllers report on a different object. Thus, the Splunk reports and event types for Group Policy changes can't figure out which GPO is being changed (since AGPM renames it and creates a "new" one).

So, after all these words... Can someone help us find a proper application to monitor and view GPO changes via AGPM in Splunk? Has anyone encountered this before? Does such a product exist? And if there is no other choice, can someone help us write new searches to catch GPO changes in AGPM?


Auto Team
