How to identify an admin who made a change in GPO



Someone made changes to GPO that negatively impacted devices in our environment. I searched event code 4733, but I haven't been able to link an admin account to the activity. I found this query below on another thread ( but there seems to be an issue with the ldap portion. Would anyone know what the issue is and/or know something better I can use? Thank you.

 index=* EventCode=5137 OR EventCode=5136 OR EventCode=5141 Class=groupPolicyContainer
 |rex field=DN "(?i)CN\=(?<gpo_guid>.*?)\,"
 |eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
 |ldapfilter domain=*DOMAIN* search="(&(objectclass=groupPolicyContainer)(|(cn=$gpo_guid$)(displayName=*{*}*)))" attrs="displayName"  
 |convert ctime(_time) as Time 
 |table _time Security_ID EventCodeDescription action gpo_guid displayName

As @gcusello says, you may not have this enabled. Specifically, the policy you need to enable is:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies/DS Access > Audit Directory Service Changes

One limitation is that it will tell you "Who" changed it, but not "What" was changed.
Following that, you should see events for 5136.

Hi @rcastello,
What's your problem: do you have events with EventCode=5137 OR EventCode=5136 OR EventCode=5141 or not?
If not, did you check whether GPO events are logged (by default this logging is disabled!)?
If instead you have events, check whether the problem is in the match with ldapfilter (in other words, see what result you have without ldapfilter).

In addition, to my knowledge, the EventCode for policy changes is 4719.

At least, usually WinEventLog:Security events are in the wineventlog index, so you don't need to search in all indexes (your search is slower!).
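
Following the suggestion above to look at the results without ldapfilter, this added example (not from any poster in the thread) drops the LDAP lookup and summarizes which account touched which GPO GUID, and when. It assumes the field names used in the posted query (`Security_ID`, `DN`, `Class`) are extracted in your environment and that the events are in the `wineventlog` index mentioned above.

```spl
index=wineventlog (EventCode=5136 OR EventCode=5137 OR EventCode=5141) Class=groupPolicyContainer
| rex field=DN "(?i)CN=\{(?<gpo_guid>[0-9a-fA-F-]{36})\}"
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
| stats count AS events
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(action) AS actions
        BY Security_ID gpo_guid
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)
```

If this returns rows, the events and field extractions are in place and the remaining fault is in the ldapfilter stage; the `gpo_guid` values can then be matched to GPO names separately.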


