How to detect who deleted a Group Policy Object


Group Policy Objects (GPOs) give administrators granular control over user and computer accounts in Active Directory (AD). When a GPO is deleted, whether by a rogue insider, by an attacker who has obtained privileged access, or by an administrator's mistake, every user and computer that the GPO governed is left without those settings, which can open the door to security breaches and attacks. A GPO lives in two places: a groupPolicyContainer object under CN=Policies,CN=System in the domain partition, and a folder named after the GPO's GUID under the Policies folder in SYSVOL. Deleting only the SYSVOL folder also breaks the GPO, because its settings become inaccessible, so both locations need to be audited. To catch such deletions at the onset, an administrator has to monitor these changes continuously. Read on to find out how to detect who deleted a GPO in AD.

Steps to enable auditing using GPMC:

Perform the following actions on the domain controller (DC):

  1. Open the Start menu, then search for and open the Group Policy Management Console. You can also run the command gpmc.msc.
  2. Right-click the domain or Organizational Unit (OU) where you want the audit policy to apply, and click Create a GPO in this domain, and Link it here. The policy has to reach the domain controllers, because AD and SYSVOL deletions are logged in the Security log of the DC that processed them; link it at the domain level or to the Domain Controllers OU, since linking it to an OU that contains no DCs has no effect on these events.

Note: If you have already created a GPO, click Link an Existing GPO.

  3. Name the GPO.
  4. Right-click the GPO and choose Edit.
  5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access.
  6. In the right pane, you will see the list of subcategories under DS Access. Double-click Audit Directory Service Changes and check the boxes labeled Configure the following audit events, Success, and Failure. (Success is the setting that matters here; this subcategory does not generate failure events.)
  7. Click Apply and then OK.
  8. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access.
  9. In the right pane, you will see the list of subcategories under Object Access. Double-click Audit File System and check the boxes labeled Configure the following audit events, Success, and Failure.
  10. Go back to the Group Policy Management Console. In the left pane, right-click the domain or OU that the GPO was linked to and click Group Policy Update. This forces the new audit settings to apply immediately instead of waiting for the next scheduled refresh. Alternatively, run gpupdate /force on each DC, then confirm the effective setting with auditpol /get /category:"DS Access".

Once this policy is in effect, the DCs are allowed to generate directory service and file system audit events. On their own, these subcategories log nothing for a GPO deletion; the next two procedures add the system access control lists (SACLs) that tell the DC which objects and folders to log events for.

Steps to configure Group Policy Container Objects auditing using ADSI Edit

Perform the following actions on the DC:

  1. Open the Start menu, then search for ADSI Edit. Right-click it and select Run as administrator.
  2. In the left pane, right-click ADSI Edit and select Connect to.
  3. In the Connection Settings window, ensure that Name is set to Default naming context, and that the domain name in the Path is the domain you want to audit.
  4. Click OK.
  5. Double-click Default naming context and navigate to DC=domain,DC=com → CN=System → CN=Policies.
  6. Right-click CN=Policies and select Properties.
  7. Go to the Security tab and click the Advanced button.
  8. Go to the Auditing tab and click the Add button.
  9. Click Select Principal and search for Everyone. Click OK.
  10. Click the Type drop-down and select Success. Click the Applies to drop-down and select This object and all descendant objects.
  11. Scroll down and check the box labeled Delete groupPolicyContainer objects. Click OK.

This SACL makes the DC log event ID 5141 (A directory service object was deleted) whenever a groupPolicyContainer object is removed from CN=Policies. Because the SACL is part of the object's security descriptor, it replicates with the object and is enforced on every DC in the domain.

Steps to configure SYSVOL folder properties

Perform the following actions on the DC:

  1. Open Windows Explorer and navigate to C: → Windows → SYSVOL → domain.
  2. Right-click the Policies folder and select Properties.
  3. Go to the Security tab and click the Advanced button.
  4. Select the Auditing tab and click the Add button.
  5. Click Select Principal and search for Everyone. Click OK.
  6. Click the Type drop-down and select All. Click the Applies to drop-down and select This folder, subfolders and files.
  7. Click Show advanced permissions and check the boxes labeled Delete subfolders and files and Delete.
  8. Click OK.

This audit entry is set on the local file system of the DC you are working on, so check that it is present on every DC; the simplest way to keep it consistent is to deploy it through the same GPO under Computer Configuration → Policies → Windows Settings → Security Settings → File System. Deletions under this folder are logged as event ID 4663 (An attempt was made to access an object, with DELETE access) followed by event ID 4660 (An object was deleted).

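The three procedures above can also be applied, and more importantly verified, from the command line. The following PowerShell is an added example written for this page; it is not code from the article or from ManageEngine. It assumes an elevated session on a domain controller with the ActiveDirectory module installed and derives the domain DN from the DC it runs on. It sets the two audit subcategories with auditpol, adds the same two audit entries the GUI steps describe (Everyone, successful deletion of groupPolicyContainer objects on CN=Policies; Everyone, Delete and Delete subfolders and files on the SYSVOL Policies folder), and prints the resulting SACLs so you can confirm them on each DC.

```powershell
# Added example for this page (not from the article or ManageEngine).
# Assumes: elevated PowerShell on a domain controller, ActiveDirectory module present,
# and SeSecurityPrivilege (required to read and write SACLs).

Import-Module ActiveDirectory

$domainDn       = (Get-ADDomain).DistinguishedName              # e.g. DC=domain,DC=com
$policiesDn     = "CN=Policies,CN=System,$domainDn"
$sysvolPolicies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$everyone       = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # Everyone

# --- 1. Audit policy subcategories (what the GPO in the first procedure delivers) ---
# auditpol writes the local effective setting; on a DC the GPO normally owns these
# values, so treat the /get output as the check that the GPO actually applied.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Directory Service Changes"
auditpol /get /subcategory:"File System"

# --- 2. SACL on CN=Policies: "Delete groupPolicyContainer objects", Success, Everyone,
#        applied to this object and all descendant objects ---
# The object-specific "Delete <class> objects" right is a DeleteChild ACE whose object
# type is the schema GUID of that class, so look the GUID up rather than hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=groupPolicyContainer))' `
    -Properties schemaIDGUID
$gpcGuid  = [guid]::new([byte[]]$gpcClass.schemaIDGUID)

$adRule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AuditFlags]::Success,
    $gpcGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$adAcl = Get-Acl -Path "AD:\$policiesDn" -Audit
$adAcl.AddAuditRule($adRule)
Set-Acl -Path "AD:\$policiesDn" -AclObject $adAcl

# --- 3. SACL on SYSVOL\domain\Policies: Delete + Delete subfolders and files, Type All
#        (success and failure), Everyone, this folder, subfolders and files ---
$fsRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    ([System.Security.AccessControl.FileSystemRights]::Delete -bor
     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles),
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))

$fsAcl = Get-Acl -Path $sysvolPolicies -Audit
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $sysvolPolicies -AclObject $fsAcl

# --- Verify: both SACLs should now list the Everyone entries added above ---
(Get-Acl -Path "AD:\$policiesDn" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, AuditFlags, InheritanceType -AutoSize
(Get-Acl -Path $sysvolPolicies -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Run the verification part alone on each DC after the GPO has refreshed: the AD entry should appear everywhere because it replicates with CN=Policies, while the NTFS entry is only guaranteed on the DC where it was set.
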
Steps to view Group Policy delete events using Event Viewer

Once the above steps are complete, the events are written to the Security log of the DC that processed the deletion. View them in Event Viewer as follows:

  1. Open the Start menu, search for Event Viewer, and click to open it.
  2. In the left pane of the Event Viewer window, navigate to Windows Logs → Security.
  3. Here you will find a list of all the security events that are logged in the system.
  4. In the right pane under Security, click Filter Current Log.
  5. In the pop-up window, enter 5141 in the field labeled <All Event IDs>.
  6. Click OK. This will list every occurrence of the Event ID you entered.
  7. Double-click an event to view its properties (description).

Event ID 5141 (A directory service object was deleted) is logged when a GPO's container object is deleted. Any audited object deletion in the directory produces this ID, so check the Class field and keep the events whose class is groupPolicyContainer. The following details are logged in the event properties, among others:

  • Security ID and Account Name of the user that performed the action (under Subject), plus the Logon ID of the session, which can be joined to that session's logon event
  • Distinguished Name, GUID, and Class of the object that was deleted; for a GPO the DN has the form CN={GPO GUID},CN=Policies,CN=System,DC=domain,DC=com
  • Whether the object was removed as part of a tree delete (TreeDelete)
  • Time at which the action was performed (Logged)

For the SYSVOL side, filter the same log for event IDs 4663 and 4660 and look for an Object Name under SYSVOL\domain\Policies that carries the same GPO GUID.

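Native auditing can also be read from the command line rather than one event at a time. The following PowerShell is an added example for this page, not code from the article or from ManageEngine. It reads the Security log of one DC, keeps the 5141 events whose class is groupPolicyContainer, extracts who deleted which GPO, and correlates each deletion with 4663 DELETE accesses under SYSVOL\domain\Policies so the AD-side and SYSVOL-side evidence appear on one line. The -ComputerName and -Since parameters and the helper name ConvertFrom-EventData are this example's own choices, not part of the article.

```powershell
# Added example for this page (not from the article or ManageEngine).
# Assumes: run on a domain controller (or with -ComputerName pointed at one) by an
# account that can read its Security log. Repeat per DC: each DC only logs the
# deletions it processed itself.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# Flatten the <Data Name="..."> elements of an event's EventData into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 5141 "A directory service object was deleted". Keep only groupPolicyContainer objects;
# the Machine/User sub-containers of a GPO produce their own 5141s with class "container".
$gpoDeletions = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $Since } |
  ForEach-Object {
    $d = ConvertFrom-EventData $_
    if ($d.ObjectClass -eq 'groupPolicyContainer') {
        # The GPO GUID is the RDN of the deleted object: CN={GUID},CN=Policies,...
        $gpoGuid = $null
        if ($d.ObjectDN -match '^CN=(\{[0-9A-Fa-f-]+\})') { $gpoGuid = $Matches[1] }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            DC         = $_.MachineName
            Actor      = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            ActorSid   = $d.SubjectUserSid
            LogonId    = $d.SubjectLogonId          # join key to the session's 4624 if needed
            GpoGuid    = $gpoGuid
            ObjectDN   = $d.ObjectDN
            ObjectGuid = $d.ObjectGUID
            TreeDelete = $d.TreeDelete
        }
    }
  }

# 4663 "An attempt was made to access an object" with DELETE (AccessMask bit 0x10000)
# on a path under SYSVOL\domain\Policies gives the SYSVOL side, including the path
# that the companion 4660 event does not carry.
$sysvolDeletions = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
  ForEach-Object {
    $d = ConvertFrom-EventData $_
    $isDelete = ([int64]$d.AccessMask -band 0x10000) -ne 0
    if ($isDelete -and $d.ObjectName -match '\\SYSVOL\\domain\\Policies\\(\{[0-9A-Fa-f-]+\})') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Actor   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            LogonId = $d.SubjectLogonId
            GpoGuid = $Matches[1]
            Path    = $d.ObjectName
            Process = $d.ProcessName
        }
    }
  }

# Report: one line per deleted GPO, with the SYSVOL evidence that matches its GUID.
foreach ($gpo in $gpoDeletions) {
    $fs = @($sysvolDeletions | Where-Object GpoGuid -eq $gpo.GpoGuid)
    [pscustomobject]@{
        Time        = $gpo.Time
        DC          = $gpo.DC
        Actor       = $gpo.Actor
        GpoGuid     = $gpo.GpoGuid
        ObjectDN    = $gpo.ObjectDN
        SysvolHits  = $fs.Count
        SysvolPaths = ($fs.Path | Sort-Object -Unique) -join '; '
    }
}
```

A GPO deletion with zero SysvolHits on the DC that logged the 5141 is worth a second look: either the SYSVOL audit entry is missing on that DC, or the folder was removed from a different DC and replicated.
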
Native Windows auditing gives you the raw events, but little more. An administrator would have to filter for the event ID on each DC and open each event's properties to see who deleted what, and the evidence is spread across the Security logs of every domain controller. That does not scale: even a small organization cannot review each event as it occurs.

ADAudit Plus addresses this by reporting on changes made to all the objects in your AD environment and alerting you whenever there is a spike in user activity.

Steps to audit Group Policy changes using ManageEngine ADAudit Plus

  1. Open the ADAudit Plus console and log in as an administrator.
  2. Navigate to Reports → Active Directory → GPO Management → Recently Deleted GPOs.

Advantages of using ADAudit Plus over native auditing:

  • Find out who made what changes to your GPO settings and analyze the change, along with the new and old values. ADAudit Plus helps provide granular supervision of your GPOs.
  • Combat insider threats using user behavior analytics. ADAudit Plus creates a baseline of normal user behavior and alerts you when a user deviates from this behavior. Configure alerts for unusual logon activity, user management, or process activity.
  • Monitor modifications made to any AD object or its attributes in real time.
