What is the best way to build reports about GPO inventory from Active Directory Windows Infrastructure?

chrbar01
Explorer

Hello,

We use Splunk Enterprise 6.5.
We'd like to create a GPO inventory from AD Windows Infrastructure: current GPO used/set and changes.

Do you know the best practices to build reports about GPO?

We saw the Splunkbase "Splunk App for Windows Infrastructure" (http://docs.splunk.com/Documentation/MSApp/1.4.0/) running with the "Splunk Add-on for Microsoft Active Directory" (https://splunkbase.splunk.com/app/3207/).

There are some pre-built reports about GPO Audit/Changes (http://docs.splunk.com/Documentation/MSApp/1.4.0/Reference/GroupPolicyAudit).

Has one of you already used it?
Do you think that this is the best way to run reports about GPO?

Regards,
Chris


shogan_splunk
Splunk Employee

You have several options for getting GPO details.

First, as you mentioned, you can leverage the Splunk App for Windows Infrastructure, which has several dashboards/reports available. This application requires installation of the following supporting applications:
- Splunk Add-On for Active Directory (Installed on Splunk Search Head and AD DC Splunk Forwarder)
- Splunk Add-On for Microsoft DNS (Installed on Splunk Search Head and AD DC Splunk Forwarder)
- Splunk Add-On for Microsoft Windows (Installed on Splunk Search Head and AD DC Splunk Forwarder - with at least the Security Eventlog data input for GPO changes)
- Splunk Support Add-On for Active Directory (Installed on the Splunk Search Head Only)

The second option would be to use the MS Windows AD Objects (https://splunkbase.splunk.com/app/3177/) application, which has numerous GPO dashboards/reports available. This app requires the following supporting add-ons:
- Splunk Add-On for Active Directory (Installed on Splunk Search Head and AD DC Splunk Forwarder)
- Splunk Add-On for Microsoft DNS (Installed on Splunk Search Head and AD DC Splunk Forwarder)
- Splunk Add-On for Microsoft Windows (Installed on Splunk Search Head and AD DC Splunk Forwarder - with at least the Security Eventlog data input for GPO changes)

Note: The MS Windows AD Objects app can also be integrated with the Splunk App for Windows Infrastructure by replacing the Splunk Support Add-On for Active Directory (Remote LDAP Search) with local lookups. Documentation for doing this is located within the MS Windows AD Objects application UI menu.

Hope this helps.

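As an added example (not from either post, and not a search shipped with the apps named above), here is a plain SPL search that reports GPO creations, deletions, modifications and GPO link changes from the Security event log input the answer calls for, using Directory Service Changes events 5136/5137/5141. It assumes an index named wineventlog, the classic (non-XML) event rendering, and that the event text contains the "DN:", "Class:", "LDAP Display Name:" and "Account Name:" lines the rex commands extract; it avoids IN() and inline comments so it runs on Splunk 6.5.

```spl
index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=5136 OR EventCode=5137 OR EventCode=5141)
    (groupPolicyContainer OR gPLink)
| rex "DN:\s+(?<object_dn>[^\r\n]+)"
| rex "Class:\s+(?<object_class>\S+)"
| rex "LDAP Display Name:\s+(?<attribute>\S+)"
| rex "Account Name:\s+(?<actor>\S+)"
| search object_class="groupPolicyContainer" OR attribute="gPLink"
| eval action=case(
      EventCode==5137, "gpo created",
      EventCode==5141, "gpo deleted",
      attribute=="gPLink", "gpo link changed on container",
      EventCode==5136, "gpo modified")
| stats count
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(attribute) AS changed_attributes
        values(actor) AS actors
        BY object_dn action
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)
```

Events 5136/5137/5141 are only written when the "Audit Directory Service Changes" subcategory is enabled on the domain controllers and a SACL on the Policies container and OUs covers the write operations, so check the audit policy before relying on this report; the gPLink rows show which containers had GPOs linked or unlinked, which covers the "current GPO used/set" part of the question.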