The script is currently installed on the following servers:
- SVRCYP08
- SVRBAMA07
- SVRCYH01
The script can be found on each server in the folder "c:\scripts\GPO Tracking".
There is an associated scheduled task called "GPO Audit Report (Weekly)".
The scheduled task runs every Saturday at 8:00am.
An export of this task can be found in: "c:\scripts\GPO Tracking\Scheduled task export"
Prerequisites:
- PowerShell 7 (not 5)
- PowerShell run as admin for the task
- GPO and AD Tracking Enabled (guide below)
Workflow
The script obtains events from the event log in the "Security" category under Windows Logs.
Events captured are:
- 5141 = "Active Directory object deleted"
- 5137 = "Active Directory object created"
- 5136 = "Active Directory object modified"
- 4720 = "User account was created"
- 4726 = "User account was deleted"
These events are captured and exported into CSV files. Files are exported to "c:\logs\GPOLogs".
A timestamped folder is created for each week's data under "c:\logs\GPOLogs".
A "Master" folder is also created in "c:\logs\GPOLogs\Master". This is a primary database; all records are appended to the master version.
An HTML file is generated in the weekly extracts; this is the preferred way to browse the events. However, CSV files are available for other purposes.
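The workflow above as an added PowerShell 7 example (not the installed script itself): it queries the Security log for the listed event IDs, writes the weekly CSV and HTML, and appends to the master CSV. The file names (events.csv, master.csv, report.html), the folder timestamp format and the seven-day window are assumptions; the paths and event IDs are the ones given on this page.

```powershell
#Requires -Version 7
# Added example, not the installed script. File names, the timestamp format and
# the 7-day window are assumptions; paths and event IDs come from this page.
$Root = 'c:\logs\GPOLogs'
$EventNames = @{
    5141 = 'Active Directory object deleted'
    5137 = 'Active Directory object created'
    5136 = 'Active Directory object modified'
    4720 = 'User account was created'
    4726 = 'User account was deleted'
}

# One week back, matching the weekly schedule of the task.
$filter = @{ LogName = 'Security'; Id = [int[]]$EventNames.Keys; StartTime = (Get-Date).AddDays(-7) }

try {
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty week.
    # Any other error (for example, access denied when not run as admin) is rethrown.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() } else { throw }
}

$rows = @($events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated.ToString('s')
        EventId     = $_.Id
        Description = $EventNames[[int]$_.Id]
        Computer    = $_.MachineName
        RecordId    = $_.RecordId
        Message     = ($_.Message -split "`r?`n")[0]   # first line only keeps the CSV readable
    }
})

$weekDir   = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
$masterDir = Join-Path $Root 'Master'
$null = New-Item -ItemType Directory -Path $weekDir, $masterDir -Force

if ($rows.Count -gt 0) {
    $rows | Export-Csv -Path (Join-Path $weekDir 'events.csv') -NoTypeInformation
    # -Append creates master.csv on the first run and adds rows on later runs.
    $rows | Export-Csv -Path (Join-Path $masterDir 'master.csv') -NoTypeInformation -Append
}
$rows | ConvertTo-Html -Title 'GPO Audit Report' -PreContent "<h1>GPO Audit Report</h1><p>$($rows.Count) events</p>" |
    Set-Content -Path (Join-Path $weekDir 'report.html') -Encoding utf8
```

A week with zero events still produces a dated folder and an HTML report, which distinguishes "nothing changed" from "the task did not run".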