Maybe these will help?

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3778996a-e6c4-4cc0-8d6e-e6480837088d
http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447951.aspx

On Sat, May 26, 2012 at 4:04 PM, Steve Lodin <[email protected]> wrote:
> Hello OSSEC gurus!
>
> I'm looking for a hint.
>
> I have an administrator that changed a Windows GPO on a critical object at
> the domain level, for example, changing min password length from 13 to 8.
> I'm trying to find the event and then find the user that did it. I know the
> date/time, but don't know the Windows event ID or keyword I can search on.
> With approximately 1 million events per hour and the domain controllers
> logging the most data, it's needle meet haystack time. We currently send
> Level 7+ events to our log management system, and couldn't seem to find
> anything interesting there. So I'm headed into the OSSEC alert data. Each
> day has about 8 GB of uncompressed alerts.
>
> Can anyone identify the Windows event ID that corresponds to changing a
> domain GPO? Any other hints on how I can find this?
>
> Thanks,
> Steve
