Hey all, a bit of a Microsoft question...

We want to monitor Windows Group Policy changes in our domain. We have installed the Splunk Add-on and App for Exchange and Active Directory, and also the relevant content packs containing some reports about this. We do get events 😊😊

But... we also have AGPM (Advanced Group Policy Management, Microsoft software) installed and configured. Under the terms of that software:

Microsoft Advanced Group Policy Management (AGPM) is a client/server application. The AGPM Server stores Group Policy Objects (GPOs) offline in the archive that AGPM creates on the server's file system. Group Policy administrators use the AGPM snap-in for the Group Policy Management Console (GPMC) to work with GPOs on the server that hosts the archive.

And also a few terms:

Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.

Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.

When you edit a GPO using the AGPM system, you work on a copy of the original GPO. As a result, the Windows event logs on the domain controllers report on a different object. Thus, the Splunk reports and event types for Group Policy changes can't figure out which GPO is being changed (since AGPM renames it and creates a "new" one).

So, after all these words... Can someone help us find a proper application to monitor and view GPO changes via AGPM in Splunk? Has anyone encountered this before? Does such a product exist? And if there is no other choice, help us write new searches to catch GPO changes in AGPM?

Thanks,
Auto Team