We are trying to monitor when someone who is not a Domain Admin creates a GPO whose name starts with a particular keyword (or when someone renames an existing GPO to start with this keyword.) All of our Domain Admins' user names begin with a common prefix, for example let's say DA-.
I have created a Rule as seen below, but it will generate an alert even if the keyword appears anywhere in the name of the GPO, despite the configuration for Parameter 14 matches wildcard keyword*. According to everything I can find, this should work as I intend, and alert only when the GPO's name begins with the keyword, not when they keyword appears anywhere in the name. It is acting like I have set matches wildcard *keyword* when that is not what I have specified. "Matches wildcard - The string specified in Value matches the string including wildcard. The wildcard character is * and represents any number of characters." (Source: https://technet.microsoft.com/en-us/library/hh457585.aspx) Does anyone see anything wrong with the configuration as seen below? (I have verified that the parameters numbers are correct.) [cid:[email protected]] ------------------------------------------------ Geoff Nelson Lead Systems Administrator ITS - Systems Enterprise Systems Management
