Steps to enable auditing using GPMC:
Perform the following actions on the domain controller (DC):
- Open the Start menu, then search for and open the Group Policy Management Console. You can also run the command gpmc.msc.
- Right-click the domain or Organizational Unit (OU) where you want to audit GPO deletion, and click Create a GPO in this domain, and Link it here.
Note: If you have already created a GPO, click Link an Existing GPO.
- Name the GPO.
- Right-click the GPO and choose Edit.
- In the left pane of the Group Policy Management Editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access.
- In the right pane, you will see a list of policies that are under DS Access. Double-click Audit Directory Service Changes and check the boxes labeled Configure the following audit events, Success, and Failure.
- Click Apply and then OK.
- Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access.
- In the right pane, you will see a list of policies that are under Object Access. Double-click Audit File System and check the boxes labeled Configure the following audit events, Success, and Failure.
- Go back to the Group Policy Management Console. In the left pane, right-click the OU that the GPO was linked to and click Group Policy Update (or run gpupdate /force on the DC). This step makes sure the new Group Policy settings are applied immediately instead of waiting for the next scheduled refresh.
Enabling the audit policy alone does not generate events: Directory Service Changes only records operations on objects that carry a matching system access control list (SACL). Once the policy is enabled and the SACLs in the next two sections are in place, every GPO deletion is logged in the DC's Security log as Event ID 5141.
Steps to configure Group Policy Container Objects auditing using ADSI Edit
Perform the following actions on the DC:
- Open the Start menu, then search for ADSI Edit. Right-click it and select Run as administrator.
- In the left pane, right-click ADSI Edit and select Connect to.
- In the Connection Settings window, ensure that Name is set to Default naming context, and the domain name mentioned in the Path is the domain you want to audit.
- Click OK.
- Double-click Default naming context and navigate to DC=domain,DC=com → CN=System → CN=Policies.
- Right-click CN=Policies and select Properties.
- Go to the Security tab and click the Advanced button.
- Go to the Auditing tab and click the Add button.
- Click Select Principal and search for Everyone. Click OK.
- Click the Type drop-down and select Success. Click the Applies to drop-down and select This object and all descendant objects.
- Scroll down and check the box labeled Delete groupPolicyContainer objects. Click OK.
Steps to configure SYSVOL folder properties
Perform the following actions on the DC:
- Open Windows Explorer and navigate to C: → Windows → SYSVOL → domain.
- Right-click the Policies folder and select Properties.
- Go to the Security tab and click the Advanced button.
- Select the Auditing tab and click the Add button.
- Click Select Principal and search for Everyone. Click OK.
- Click the Type drop-down and select All. Click the Applies to drop-down and select This folder, subfolders and files.
- Click Show advanced permissions and check the boxes labeled Delete subfolders and files and Delete.
- Click OK.
Note: This SACL covers the file-system half of a GPO (the policy folder under SYSVOL). Its deletions are recorded by the Audit File System subcategory enabled earlier (Object Access events such as 4663 and 4660), not as Event ID 5141, which is raised only for the directory object under CN=Policies.
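The three configuration sections above (audit policy, SACL on CN=Policies, SACL on the SYSVOL Policies folder) can be applied from an elevated PowerShell session on the DC instead of GPMC, ADSI Edit and Explorer. The following script is an added example and is not from the original page or from ManageEngine. It assumes the ActiveDirectory module is available (it is on any DC), that the session runs as a Domain Admin, and that Everyone (S-1-1-0) is the principal to audit, as in the GUI steps. The auditpol calls change only the local DC's effective policy; to cover every DC, deploy the subcategories through the GPO described in the first section.

```powershell
# Added example (not the page's own procedure): configure GPO-deletion auditing from PowerShell.
# Assumptions: run elevated on a DC as Domain Admin; ActiveDirectory module present.
Import-Module ActiveDirectory

# 1. Audit policy subcategories (local equivalent of the two GPO settings above).
#    Only this DC is affected; use the GPO method for domain-wide coverage.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on CN=Policies,CN=System: "Delete groupPolicyContainer objects", Success,
#    applied to this object and all descendant objects (the ADSI Edit steps).
$domainDN   = (Get-ADDomain).DistinguishedName
$policiesDN = "CN=Policies,CN=System,$domainDN"

# Look up the schemaIDGUID of the groupPolicyContainer class instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]::new([byte[]]$gpcClass.schemaIDGUID)

$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$adRule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,      # "Delete <class> objects"
    [System.Security.AccessControl.AuditFlags]::Success,
    $gpcGuid,                                                           # restrict to groupPolicyContainer
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All) # this object and all descendants

$adAcl = Get-Acl -Path "AD:\$policiesDN" -Audit   # -Audit is required to read/modify the SACL
$adAcl.AddAuditRule($adRule)
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# 3. SACL on the SYSVOL Policies folder: Delete + Delete subfolders and files, All (Success and
#    Failure), applied to this folder, subfolders and files (the Explorer steps).
$sysvolPolicies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$fsRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$fsAcl = Get-Acl -Path $sysvolPolicies -Audit
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $sysvolPolicies -AclObject $fsAcl

# Verification: show the effective audit policy and the audit entries just written.
auditpol /get /subcategory:"Directory Service Changes","File System"
(Get-Acl -Path "AD:\$policiesDN" -Audit).Audit | Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, ObjectType, InheritanceType
(Get-Acl -Path $sysvolPolicies -Audit).Audit | Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Run the verification lines before and after the change on a test DC: if Get-Acl -Audit fails with an access-denied error, the session lacks the Manage auditing and security log right (SeSecurityPrivilege), which is also why the GUI steps must be performed as an administrator on the DC.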
Steps to view Group Policy delete events using Event Viewer
Once the above steps are complete, GPO deletions are recorded in the DC's Security log. They can be viewed in the Event Viewer by following the steps below:
- Open the Start menu, search for Event Viewer, and click to open it.
- In the left pane of the Event Viewer window, navigate to Windows Logs → Security.
- Here you will find a list of all the security events that are logged in the system.
- In the right pane under Security, click Filter Current Log.
- In the pop-up window, enter 5141 in the field labeled <All Event IDs>.
- Click OK. This will provide you a list of occurrences of the Event ID you entered.
- Double-click an event to view its properties (description).
This event is logged when a GPO is deleted. The following details are logged in the event properties, among others:
- SID and Account Name of the user that performed the action
- Distinguished Name and GUID of the GPO that was deleted
- Time at which the action was performed
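The Event Viewer filter above matches every object deletion with ID 5141, not only GPOs; the fields the page lists are in the event's EventData. The script below is an added example and is not from the original page or from ManageEngine. It filters the Security log to 5141 events whose ObjectClass is groupPolicyContainer and extracts the actor, object DN, object GUID and time. The sample event XML embedded in it is constructed for offline testing (the SIDs, GUIDs, host name and domain are invented); the ObjectDN of a GPO is assumed to have the usual form CN={GUID},CN=Policies,CN=System,... so the GPO's own GUID can be pulled from the DN.

```powershell
# Added example (not the page's own code): pull GPO deletions (Event ID 5141) from the DC Security log.
# Assumptions: run on a DC, or pass -ComputerName, as a user who can read the Security log.

# XPath filter in the same form Event Viewer uses; keeps only groupPolicyContainer deletions.
$GpoDeleteFilterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=5141)]] and *[EventData[Data[@Name='ObjectClass'] and (Data='groupPolicyContainer')]]
    </Select>
  </Query>
</QueryList>
'@

function ConvertFrom-GpoDeleteEventXml {
    # Turn the XML of one 5141 event into a flat object with the fields the page lists.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml  = [xml]$EventXml
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The GPO's own {GUID} is the CN of the deleted container; ObjectGUID is the AD objectGUID.
    $gpoGuid = if ($data.ObjectDN -match '^CN=(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $null }

    [pscustomobject]@{
        TimeCreated = [datetime]$xml.Event.System.TimeCreated.SystemTime
        Computer    = $xml.Event.System.Computer
        Actor       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        ActorSid    = $data.SubjectUserSid
        GpoGuid     = $gpoGuid
        ObjectDN    = $data.ObjectDN
        ObjectGUID  = $data.ObjectGUID
        ObjectClass = $data.ObjectClass
        TreeDelete  = $data.TreeDelete
    }
}

function Get-GpoDeleteEvent {
    # Live query against the Security log; returns one object per deleted GPO.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 100)
    Get-WinEvent -ComputerName $ComputerName -FilterXml $GpoDeleteFilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-GpoDeleteEventXml -EventXml $_.ToXml() }
}

# Constructed sample 5141 event (invented names, SIDs and GUIDs) so the parser can be exercised offline.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5141</EventID>
    <TimeCreated SystemTime="2024-03-11T09:42:17.123Z" />
    <Computer>DC01.example.com</Computer>
  </System>
  <EventData>
    <Data Name="OpCorrelationID">{6D5F3A20-2B9C-4E11-8F70-1A2B3C4D5E6F}</Data>
    <Data Name="AppCorrelationID">-</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1000000000-2000000000-3000000000-1104</Data>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7f1</Data>
    <Data Name="DSName">example.com</Data>
    <Data Name="DSType">%%14676</Data>
    <Data Name="ObjectDN">CN={3F2A9C41-7B8E-4D1C-9A6F-2E5B7C8D9E01},CN=Policies,CN=System,DC=example,DC=com</Data>
    <Data Name="ObjectGUID">{9C1E5B7A-0D2F-4A3B-8C6D-5E4F3A2B1C0D}</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
    <Data Name="TreeDelete">%%14678</Data>
  </EventData>
</Event>
'@

ConvertFrom-GpoDeleteEventXml -EventXml $SampleEventXml | Format-List
# On a DC with auditing configured as above, the live equivalent is:
# Get-GpoDeleteEvent | Format-Table TimeCreated, Actor, GpoGuid, ObjectDN
```

Event 5141 does not carry the GPO's display name; only the DN and GUIDs are logged. Keep a periodic inventory (for example the output of Get-GPO -All) so the GpoGuid field can be mapped back to a name after the object is gone.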
The insight provided by Windows' native auditing is limited. An administrator would have to filter the Security log for the Event ID on each DC and open each event's properties one by one. Because 5141 is raised for every directory object deletion, not only GPOs, and the log is spread across domain controllers, reviewing each event as it occurs does not scale, even for small organizations.
ADAudit Plus addresses this by reporting on changes made to all the objects in your AD environment and alerting you whenever there is a spike in user activity.
Steps to audit Group Policy changes using ManageEngine ADAudit Plus
- Open the ADAudit Plus console and log in as an administrator.
- Navigate to Reports → Active Directory → GPO Management → Recently Deleted GPOs.
Advantages of using ADAudit Plus over native auditing:
- Find out who made what changes to your GPO settings and analyze the change, along with the new and old values. ADAudit Plus helps provide granular supervision of your GPOs.
- Combat insider threats using user behavior analytics. ADAudit Plus creates a baseline of normal user behavior and alerts you when a user deviates from this behavior. Configure alerts for unusual logon activity, user management, or process activity.
- Monitor modifications made to any AD object or its attributes in real time.