Hey all,
a bit Microsoft question....
We do want to monitor windows Group Policy changes in our Domain. We have installed Splunk Add-On and App for exchange and Active directory, and also the relevant content-packs containing some reports about this.
We do get event 😊😊
But.....
we have also an installed and configured AGPM (Advanced group Policy management, Microsoft Software).Under the terms of that software,
Microsoft Advanced Group Policy Management (AGPM) is a client/server application.
The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive.
and also a Few terms:
Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.
When you edit a GPO using the AGPM system, you work on a copy of the original GPO. As a result, the Windows Event logs in the Domain Controllers are reporting on a different Object. Thus, the Splunk reports and event types of group policy change can't figure out which GPO is being changed (since the AGPM renames it and create a "new" one)
So, after all these words....Is someone can help us find a proper application to monitor and view GPO changes via AGPM in splunk? did someone encountered this before? Is such product exists? and if there is no other choice - help us to write new searches to catch up GPO changes in AGPM?
Thankx
Auto Team
