Kaseya Community

Possible to monitor the status of a GPO?


I'd like to receive an alert if a particular GPO is disabled or un-linked.  Is this possible?

I use a GPO for security purposes which sometimes conflicts with client applications.  Occasionally one of my techs will disable/un-link it instead of adding an exception.  This creates unwanted vulnerability.

All Replies
  • Hello ApexArthur,

    1) Enable Windows Security Audit for Directory Changes by running the below

    auditpol /set /subcategory:"directory service changes" /success:enable

    2) Schedule a Procedure or Monitoring or log parser for Event 5136.

    Check for the following properties from the Security Event Log:

    LDAP Display name must be: gPLink

    and

    Operation Type: Value Deleted or Value Added

    (depending on whether you want to check that a GPO has been linked or unlinked).

    If you go the Procedure or KNM PowerShell way, something like the below would give you the events related to a GPO unlink, looking up events up to 1 day back:

    Get-EventLog -LogName "Security" -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EventID -eq 5136 -and $_.Message -like "*gPLink*" } |
        Where-Object { $_.Message.Substring($_.Message.IndexOf("Operation:")) -like "*14675*" } |
        Format-List

    You could get the "count of the day" if you wanted an alert based on finding more than one, which you could use either in the alert threshold or in a Kaseya Procedure (up to you):

    (Get-EventLog -LogName "Security" -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EventID -eq 5136 -and $_.Message -like "*gPLink*" } |
        Where-Object { $_.Message.Substring($_.Message.IndexOf("Operation:")) -like "*14675*" }).Count

    I checked the event on a Windows Server 2012 box.

    Regards

  • Thank you Alessandro.  Unfortunately I was not able to generate these specific events.  But even if I could, Kaseya event log monitoring doesn't have the ability to filter by LDAP Display Name... and even if it did... I couldn't filter by the specific GPO name.  Is that about right?  Sounds like I can potentially get in the right direction but the results may not be very specific.

  • Hello ApexArthur,
    Well, you have to start by getting the events in Windows, because without those we don't have the data.
    Have you changed your policies as I mentioned in my message?

    This needs to be executed (one time only) on the Server you want to monitor GPO changes.
    auditpol /set /subcategory:"directory service changes" /success:enable

    And this enables Audit of Directory Object changes (that includes GPO changes).

    Did you do that? (it is needed)

    Once you have done that, try simulating linking and un-linking a GPO in an empty Organizational Unit (so you don't affect users) and see which event number you get in the Event Viewer -> Security.

    Once that's successful, you will see what you want to Trap. If you spot differences from what I sent you we can change the Powershell to match your output.

    Regarding parsing the log, the above Powershell can be Scheduled using a Kaseya Agent procedure that runs say.. every day.
    The Powershell code I posted does the parsing job for you and it already filters the event by the LDAP Display name.
    To be clear, this part of the PowerShell script filters event logs for event number 5136 and where the "Event Message" contains gPLink:

    where {$_.EventID -eq 5136 -and $_.Message -like "*gPLink*"}

    Of course I added a few more things to understand whether the Operation is add or delete.

    You may first try to execute the code manually by opening a PowerShell session and using the code above to see what it gives you:

    Get-EventLog -ComputerName "YOURSERVERNAME" -LogName "Security" -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EventID -eq 5136 -and $_.Message -like "*gPLink*" } |
        Where-Object { $_.Message.Substring($_.Message.IndexOf("Operation:")) -like "*14675*" } |
        Format-List

    Once you are good to go, you want to schedule something that tells you if the event is there or not (just to send you an alert), and you could do the following (just an idea):

    The full powershell is what I sent previously (that returns a COUNT of events of "link / unlink" in the last day)

    (Get-EventLog -LogName "Security" -After (Get-Date).AddDays(-1) |
        Where-Object { $_.EventID -eq 5136 -and $_.Message -like "*gPLink*" } |
        Where-Object { $_.Message.Substring($_.Message.IndexOf("Operation:")) -like "*14675*" }).Count

    In the above sample procedure you get an email every time someone messes with the GPO, but you could raise an alert or do anything you like.

    Let me know if you need some more info.


    Best Regards
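
Pulling the steps above together, here is an added example (not code posted by Alessandro or anyone else in this thread) that does the 5136 parsing in PowerShell against the event XML instead of the rendered message text. It reads the gPLink attribute value, which lists each linked GPO as [LDAP://cn={GUID},cn=policies,cn=system,...;options], so one particular GPO can be matched by its GUID (the per-GPO filter asked about earlier in the thread), and it pairs the Value Deleted / Value Added events of a single edit by OpCorrelationID to tell an unlink (GUID gone from the new value) from a link being disabled (options flag set to 1). The watched GUID and the domain, OU and user in the constructed sample events are assumptions; substitute your own.

```powershell
# Added example, not code from the thread: parse Security event 5136 records whose changed
# attribute is gPLink and report when one watched GPO is unlinked or its link is disabled.
# Constructed sample events make it run offline; the Get-WinEvent query at the end is live use.

# Assumption: GUID of the GPO to watch (GPMC -> GPO -> Details tab -> "Unique ID").
$WatchedGpoGuid = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'

# gPLink holds one [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>] per linked GPO.
# options: 0 = enabled, 1 = link disabled, 2 = enforced, 3 = disabled and enforced.
$LinkPattern = '\[LDAP://cn=(\{[0-9A-Fa-f-]+\}),[^;\]]*;(\d+)\]'

function ConvertFrom-GpLinkValue {
    param([string]$Value)
    foreach ($m in [regex]::Matches($Value, $LinkPattern, 'IgnoreCase')) {
        [pscustomobject]@{
            GpoGuid  = $m.Groups[1].Value.ToUpper()
            Disabled = ([int]$m.Groups[2].Value -band 1) -eq 1
        }
    }
}

# Flatten the EventData of one 5136 event; returns nothing for non-gPLink changes.
function ConvertFrom-Event5136 {
    param([xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['AttributeLDAPDisplayName'] -ne 'gPLink') { return }
    [pscustomobject]@{
        Time          = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Who           = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectDN      = $data['ObjectDN']
        CorrelationId = $data['OpCorrelationID']
        Operation     = $data['OperationType']   # %%14674 = Value Added, %%14675 = Value Deleted
        Links         = @(ConvertFrom-GpLinkValue $data['AttributeValue'])
    }
}

# One gPLink edit is logged as a Value Deleted (old value) / Value Added (new value) pair
# sharing OpCorrelationID, so compare both sides instead of alerting on either event alone.
function Get-GpoLinkAlerts {
    param([object[]]$Changes, [string]$GpoGuid)
    $GpoGuid = $GpoGuid.ToUpper()
    foreach ($grp in ($Changes | Group-Object CorrelationId)) {
        $old = @($grp.Group | Where-Object { $_.Operation -eq '%%14675' } | ForEach-Object { $_.Links })
        $new = @($grp.Group | Where-Object { $_.Operation -eq '%%14674' } | ForEach-Object { $_.Links })
        $before = $old | Where-Object { $_.GpoGuid -eq $GpoGuid } | Select-Object -First 1
        $after  = $new | Where-Object { $_.GpoGuid -eq $GpoGuid } | Select-Object -First 1
        if     ($before -and -not $after)                   { $what = 'GPO unlinked' }
        elseif ($after.Disabled -and -not $before.Disabled) { $what = 'GPO link disabled' }
        else   { continue }
        $e = $grp.Group[0]
        [pscustomobject]@{ Time = $e.Time; Who = $e.Who; OU = $e.ObjectDN; Change = $what }
    }
}

# Constructed sample events (fictitious domain, OU and user): the pair written when the
# watched GPO is removed from an OU that also links another GPO, then a second pair in
# which only the other GPO's link is disabled (options 0 -> 1).
$OtherGpo = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
$Policies = 'cn=policies,cn=system,DC=example,DC=local'
function New-SampleEvent5136 {
    param([string]$Operation, [string]$AttributeValue, [string]$CorrelationId)
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2014-06-02T09:15:00.0000000Z"/></System>
  <EventData>
    <Data Name="OpCorrelationID">$CorrelationId</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectDN">OU=Workstations,DC=example,DC=local</Data>
    <Data Name="AttributeLDAPDisplayName">gPLink</Data>
    <Data Name="AttributeValue">$AttributeValue</Data>
    <Data Name="OperationType">$Operation</Data>
  </EventData>
</Event>
"@
}
$sample = @(
    (New-SampleEvent5136 '%%14675' "[LDAP://cn=$WatchedGpoGuid,$Policies;0][LDAP://cn=$OtherGpo,$Policies;0]" '{1}')
    (New-SampleEvent5136 '%%14674' "[LDAP://cn=$OtherGpo,$Policies;0]" '{1}')
    (New-SampleEvent5136 '%%14675' "[LDAP://cn=$OtherGpo,$Policies;0]" '{2}')
    (New-SampleEvent5136 '%%14674' "[LDAP://cn=$OtherGpo,$Policies;1]" '{2}')
)
$changes = @(foreach ($s in $sample) { ConvertFrom-Event5136 $s })
Get-GpoLinkAlerts -Changes $changes -GpoGuid $WatchedGpoGuid | Format-Table -AutoSize

# Live use on a DC: let the event log service do the 5136 / gPLink / last-24h filtering.
$FilterXml = @"
<QueryList><Query Id="0" Path="Security"><Select Path="Security">
  *[System[EventID=5136 and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]
    and EventData[Data[@Name='AttributeLDAPDisplayName']='gPLink']]
</Select></Query></QueryList>
"@
# $live = Get-WinEvent -FilterXml $FilterXml -ErrorAction SilentlyContinue |
#         ForEach-Object { ConvertFrom-Event5136 ([xml]$_.ToXml()) }
# Get-GpoLinkAlerts -Changes $live -GpoGuid $WatchedGpoGuid
```

On the sample data only the first pair produces a row (the watched GPO unlinked by EXAMPLE\jdoe from OU=Workstations); the second pair touches the other GPO and is ignored. Two practical checks when no 5136 events appear at all: a local auditpol setting is overwritten at the next Group Policy refresh if a GPO applied to the domain controllers (typically the Default Domain Controllers Policy) also configures audit policy, so set Audit Directory Service Changes there rather than locally; and 5136 is only written for objects whose SACL audits the change, so confirm the OU or domain object has a success auditing entry for Write all properties (Advanced Security Settings, Auditing tab). The XPath in $FilterXml does the event ID, attribute name and 24-hour filtering inside the log service, which is much cheaper than reading the whole Security log into PowerShell and filtering with Where-Object.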

  • Thank you for taking the time to help with this and I'm sorry for the late replies - I've been swamped.

    I am running into challenges with the very first step.  I am able to submit the command successfully from an elevated command prompt, but for reasons I do not yet understand, the change is being reversed.  

    This is logged when I run your command:

    Audit Policy Change:

    Category: DS Access

    Subcategory: Directory Service Changes

    Subcategory GUID: {0cce923c-69ae-11d9-bed3-505054503030}

    Changes: Success Added

    and this occurs shortly afterwards:

    Audit Policy Change:

    Category: DS Access

    Subcategory: Directory Service Changes

    Subcategory GUID: {0cce923c-69ae-11d9-bed3-505054503030}

    Changes: Success removed

  • Hello ApexArthur,

    What you are looking at should be normal.

    When Audit is Enabled you will always find the "before" and "after" in separate events.

    And that is one of the reasons why, in the PowerShell script, I am filtering for 14675 (I needed to eliminate the "before").

    I forgot to ask you which version of Windows you are using, because events differ depending on the OS.

    In any case, a good read is inside this link:

    www.ldap389.info/.../monitor-gpo-links-modifications

    Which has a quite extensive article for GPO links monitoring.

    Remember that when it refers to EventID 566 we are talking about Windows Server 2003, while 5136 is for 2008 and later (which is what the scripts I sent are based on).

    Be careful with ADSIEdit as you can cause massive damage to your DC unless you know what you are touching.

    If in doubt, test on a dummy test DC before you do anything in production (but you probably already know that :-) ).

    Hope it helps.