Powershell : Get-EventLog for Event Log Query

If you are looking for group policy changes and need to know who made them, when, and what was changed, you can use a simple script like the ones below. First we need to know what we are looking for; here we can see the target event and its data:


This is Event ID 5136 with the class "GroupPolicyContainer"; you can also see the GPO GUID right there in the event log. You will get a couple of entries, as below:

Note: For a change operation you will typically see two 5136 events for one action, with different Operation\Type fields: "Value Deleted" and then "Value Added". The "Value Deleted" event contains the previous value and the "Value Added" event contains the new value.



Know the relevant Event ID options

5136 – Group Policy changes, value changes, links, unlinks.
5137 – Group Policy creations.
5141 – Group Policy deletions.

Note: The Event ID you need will have to be adapted in the scripts below; for these examples I will focus on 5136 events.

Search for a certain "day after"

Set the date (the quoted date string on the first line) and then run the script remotely on the ADDS server for a list of updates that have been made since the day specified:

$Date = [datetime]"02/14/2024"
Get-EventLog -LogName Security -After $Date -Message "*groupPolicyContainer*" | Where-Object {$_.EventID -eq 5136}

Search for a certain "day after" with detail

Set the date (the quoted date string on the first line) and then run the script remotely on the ADDS server for a list of updates that have been made since the day specified, including the details that were updated; the detail comes from piping the result through Format-List (fl):

$Date = [datetime]"02/14/2024"
Get-EventLog -LogName Security -After $Date -Message "*groupPolicyContainer*" | Where-Object {$_.EventID -eq 5136} | Format-List

All GPO updates in the eventlog

If you wish to get all the changes from the whole event log then you can run this; it finds every 5136 entry linked to group policy and gives you a count:

(Get-EventLog -LogName Security -Message "*groupPolicyContainer*" | Where-Object {$_.EventID -eq 5136}).Count

Export in a CSV file

If you wish to get the last 24 hours of changes from a remote server written out to a file you can run this (as written it saves the formatted list to a text file; swap Format-List and Out-File for Export-Csv if you need a true CSV):

Get-EventLog -LogName Security -ComputerName <servername> -After (Get-Date).AddHours(-24) -Message "*groupPolicyContainer*" | Where-Object {$_.EventID -eq 5136} | Format-List | Out-File -FilePath C:\temp\GPOAudit.txt
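The "Value Deleted" / "Value Added" pairing described in the note above means the old and new values of one change are spread over two 5136 entries. The following is an added example (not code from the original post) that parses the message text of those entries and joins each pair into one row showing who changed which GPO attribute from what to what. It assumes the standard 5136 message layout (Subject / Object / Attribute / Operation labels) and uses constructed sample events with a placeholder GPO DN so it runs without a domain controller.

```powershell
# Added example: pair the "Value Deleted"/"Value Added" halves of a 5136 change.
function Get-FieldValue {
    param([string]$Text, [string]$Label)
    # Return the text after "Label:" on its own line, or $null if the label is absent
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
}

function Get-GpoChangeSummary {
    param([Parameter(ValueFromPipeline = $true)] $Entry)   # Get-EventLog output
    begin { $changes = @{} }
    process {
        if ($Entry.EventID -ne 5136) { return }
        $m = $Entry.Message
        if ((Get-FieldValue $m 'Class') -ne 'groupPolicyContainer') { return }
        # Both halves of one change share a Correlation ID; fall back to DN + attribute
        $key = Get-FieldValue $m 'Correlation ID'
        if (-not $key) { $key = (Get-FieldValue $m 'DN') + '|' + (Get-FieldValue $m 'LDAP Display Name') }
        if (-not $changes.ContainsKey($key)) {
            $changes[$key] = [pscustomobject]@{
                Time = $Entry.TimeGenerated; Who = Get-FieldValue $m 'Account Name'
                Gpo = Get-FieldValue $m 'DN'; Attribute = Get-FieldValue $m 'LDAP Display Name'
                OldValue = $null; NewValue = $null }
        }
        switch (Get-FieldValue $m 'Type') {
            'Value Deleted' { $changes[$key].OldValue = Get-FieldValue $m 'Value' }
            'Value Added'   { $changes[$key].NewValue = Get-FieldValue $m 'Value' }
        }
    }
    end { $changes.Values | Sort-Object Time }
}

# Constructed sample messages standing in for real 5136 entries (hypothetical user and IDs)
function New-SampleMessage($User, $Dn, $Attr, $Value, $Type, $Corr) {
    "A directory service object was modified.`nSubject:`n`tAccount Name:`t$User`nObject:`n`tDN:`t$Dn`n`tClass:`tgroupPolicyContainer`nAttribute:`n`tLDAP Display Name:`t$Attr`n`tValue:`t$Value`nOperation:`n`tType:`t$Type`n`tCorrelation ID:`t$Corr"
}
$dn = 'CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=example,DC=local'
$sample = @(
    [pscustomobject]@{ EventID = 5136; TimeGenerated = [datetime]'2024-02-14T09:00:00'
        Message = New-SampleMessage 'jsmith' $dn 'versionNumber' '12' 'Value Deleted' '{corr-1}' }
    [pscustomobject]@{ EventID = 5136; TimeGenerated = [datetime]'2024-02-14T09:00:01'
        Message = New-SampleMessage 'jsmith' $dn 'versionNumber' '13' 'Value Added' '{corr-1}' }
)
# One row: jsmith changed versionNumber on the GPO from 12 to 13
$sample | Get-GpoChangeSummary | Format-Table Time, Who, Attribute, OldValue, NewValue
```

Against a live server, replace `$sample` with the Get-EventLog query from the sections above (for example `Get-EventLog -LogName Security -After $Date -Message "*groupPolicyContainer*" | Get-GpoChangeSummary`).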
