/ Active Directory

Audit AD GPO changes

Assuming you've already got AD object auditing turned on, the following XML XPath filter can filter the Security log of a DC to only return the events related to AD GPO changes

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
    *[
        System[(EventID=5130 or EventID=5136 or EventID=5137 or EventID=5138 or EventID=4662)]
        and
        (
        EventData[Data[@Name='ObjectClass'] and (Data="groupPolicyContainer")]
        or
        EventData[Data[@Name='ObjectType'] and (Data="%{f30e3bc2-9ff0-11d1-b603-0000f80367c1}")]
        )
    ]
    </Select>
  </Query>
</QueryList>

You I use this in Event Viewer on a custom view to quickly identify when and who made GPO changes

I made a custom view file for you download and import into Windows Event Viewer

Audit AD GPO changes
Share this