If you are looking for Group Policy changes and need to know who changed what and when, you can use a simple script like the ones below. First we need to know what we are looking for; here we can see the target event and data:
This is Event ID 5136 with the class "GroupPolicyContainer". You can also see the GPO GUID right there in the event log. You will get a couple of entries as below:
Note: For a change operation, you'll typically see two 5136 events for one action, with different Operation\Type fields: "Value Deleted" and then "Value Added". The "Value Deleted" event typically contains the previous value and the "Value Added" event contains the new value.
Note: If you need a different event, adapt the event ID in the scripts below; for these examples I will focus on 5136 events.
Search for a certain "day after"
Set the date (the value assigned to $Date) and then run the script remotely on the ADDS server for a list of updates that have been made after the date specified:
$Date = [datetime]"02/14/2024"
Get-EventLog -LogName Security -After $Date -Message "*groupPolicyContainer*" | Where {$_.EventID -eq 5136}
Search for a certain "day after" with detail
Set the date (the value assigned to $Date) and then run the script remotely on the ADDS server for a list of updates that have been made after the date specified, together with the details that have been updated. The only difference from the previous script is the | fl on the end:
$Date = [datetime]"02/14/2024"
Get-EventLog -LogName Security -After $Date -Message "*groupPolicyContainer*" | Where {$_.EventID -eq 5136} | fl
All GPO updates in the eventlog
If you wish to count the changes in the whole event log, you can run this. It finds all the updates that are linked to Group Policy and gives you the number of matching events:
(Get-EventLog -LogName Security -Message "*groupPolicyContainer*" | Where {$_.EventID -eq 5136}).count
Export in a CSV file
If you wish to export the changes from the last 24 hours on a remote server to a CSV file, you can run this (replace <servername> with the name of your ADDS server):
Get-EventLog -LogName Security -ComputerName <servername> -After (Get-Date).AddHours(-24) -Message "*groupPolicyContainer*" | Where {$_.EventID -eq 5136} | Export-Csv -Path C:\temp\GPOAudit.csv -NoTypeInformation
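The note above about each change producing a "Value Deleted" and a "Value Added" event can be turned into one row per change showing who, when, which GPO, and the old and new value. The following is an added example, not part of the original scripts: the function name ConvertTo-GpoChange, the sample account, GUIDs and domain are constructed, and pairing on OpCorrelationID assumes both events of one operation carry the same correlation ID.

```powershell
# Added example: pairs the "Value Deleted"/"Value Added" 5136 events of one GPO change.
function ConvertTo-GpoChange {
    param([Parameter(Mandatory)][xml[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $d = @{}   # EventData field name -> value
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectClass'] -ne 'groupPolicyContainer') { continue }
        [pscustomobject]@{
            Time = $x.Event.System.TimeCreated.SystemTime
            Who  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Gpo  = $d['ObjectDN']
            Attr = $d['AttributeLDAPDisplayName']
            Op   = $d['OperationType']   # %%14675 = Value Deleted, %%14674 = Value Added
            Val  = $d['AttributeValue']
            Corr = $d['OpCorrelationID']
        }
    }
    # Assumption: events written by one directory operation share OpCorrelationID.
    $rows | Group-Object Corr, Gpo, Attr | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.Group[0].Time
            Who       = $_.Group[0].Who
            Gpo       = $_.Group[0].Gpo
            Attribute = $_.Group[0].Attr
            OldValue  = ($_.Group | Where-Object Op -eq '%%14675').Val -join '; '
            NewValue  = ($_.Group | Where-Object Op -eq '%%14674').Val -join '; '
        }
    }
}

# Constructed sample (not real log data): versionNumber of a placeholder GPO goes from 5 to 6.
$sample = foreach ($op in @('%%14675', '5'), @('%%14674', '6')) {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><TimeCreated SystemTime="2024-02-14T10:15:30.1234567Z" /></System>
 <EventData>
  <Data Name="OpCorrelationID">{11111111-1111-1111-1111-111111111111}</Data>
  <Data Name="SubjectUserName">alice</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
  <Data Name="ObjectDN">CN={00000000-0000-0000-0000-000000000000},CN=Policies,CN=System,DC=example,DC=com</Data>
  <Data Name="ObjectClass">groupPolicyContainer</Data>
  <Data Name="AttributeLDAPDisplayName">versionNumber</Data>
  <Data Name="AttributeValue">$($op[1])</Data><Data Name="OperationType">$($op[0])</Data>
 </EventData>
</Event>
"@
}
ConvertTo-GpoChange -EventXml $sample | Format-List
# Live use on a domain controller:
# ConvertTo-GpoChange (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136} | ForEach-Object { [xml]$_.ToXml() })
```

Reading the event XML rather than matching on the rendered message text keeps the account, GPO distinguished name and attribute values as separate fields, so the paired rows can be filtered or exported without parsing the message string.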