Identifying who made Group Policy changes

  • 161 Views
  • Last Post 16 September 2016
ahobbs posted this 16 September 2016

Hey all

A couple of our Group Policies in our Windows 2008 R2 domain have changed and I've been asked to find out who made the change.

We have DS auditing enabled in the default domain policy but we suspect the change was made over 7 days ago and the logs don't stretch that far.

Any advice guidance appreciated.

AForum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx

Order By: Standard | Newest | Votes
ZJORZ posted this 16 September 2016

Assuming no other changes occurred on those GPOs, you would be able to check
the AD metadata of those objects to find out WHEN and WHERE (which DC) the
changes where processed. With that information you would be able to target
the DC and check its security log to find out WHO

Met vriendelijke groeten / Kind regards,
 
Jorge de Almeida Pinto
J: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx
J: +31 (0)6 26.26.62.80

show

anandh11.v posted this 16 September 2016

Please try the below if it helps
https://blogs.technet.microsoft.com/ashleymcglone/2015/01/26/forensics-audit-group-policy-links-and-changes-with-powershell/
ThanksA
On Friday 16 September 2016, Jorge de Almeida Pinto <jorgedealmeidapinto@xxxxxxxxxxxxxxxx> wrote:
Assuming no other changes occurred on those GPOs, you would be able to check


the AD metadata of those objects to find out WHEN and WHERE (which DC) the


changes where processed. With that information you would be able to target


the DC and check its security log to find out WHO



Met vriendelijke groeten / Kind regards,


 


Jorge de Almeida Pinto


J: JorgeDeAlmeidaPinto@xxxxxxxxxxxxxxxx


J: +31 (0)6 26.26.62.80


 


show

Close