Event Details
User Activity->Policy Changes->InTrust Plug-in for Active Directory->Protected Change Attempts->EventID 12 - Prevention of Group Policy Object deletion.
EventID 12 - Prevention of Group Policy Object deletion.
 Sample: 
Event Type:     Warning
Event Source:   ITAD GPO Changes
Event Category: None
Event ID:       12
Date:           10/29/2009
Time:           10:10:53
User:           RESEARCH\DKrane
Computer:       DC1
Description:    
ChangeAuditor for Active Directory prevented deletion of Group Policy Object.
	Client Computer : 10.0.0.2
	GPO Name : Employees
	GPO GUID : {693C5182-0240-4289-9F7F-CF41AFC48C4D}
	Request ID : {130E8DEE-75E4-43AC-A208-C8A1DF13E89E}
===========================
Description template:
===========================
ChangeAuditor for Active Directory prevented deletion of Group Policy Object.
   Client Computer : %4
   GPO Name : %1
   GPO GUID : %2
   Request ID : %3
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: InTrust for AD
Filtering Field Equals to Value
Source ITAD GPO Changes
EventId 12
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. DateTime 10.10.2000 19:00:00
Who Account or user name under which the activity occured. User RESEARCH\Alebovsky
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Attempt to delete Group Policy Object" Attempt to delete Group Policy Object
Where The name of the workstation/server where the activity was logged. Computer DC1
Where From The name of the workstation/server where the activity was initiated from. Client Computer 10.0.0.1
Severity Specify the seriousness of the event. "Medium" Medium
WhoDomain -
WhereDomain -
Policy Name The name of the affected policy. -
GPO Name The name of GPO where some policy was changed GPO Name Employees
Value Before The policy value before the change -
Value After The policy value after the change -
Result Successful or Failed "Protected" Protected
Comments
You must be logged in to comment