Group Policy Event Logs
Location
C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx
Description
The Group Policy operational event log (shown in Event Viewer under Applications and Services Logs > Microsoft > Windows > GroupPolicy > Operational) records GPO processing events: policy application, CSE (Client-Side Extension) processing, script extension processing, and the results of each foreground and background Group Policy refresh, together with the display names of the GPOs involved and the success, warning or error status of each step.
Forensic Value
Group Policy logs reveal when and which GPOs were applied to a compromised system, which matters because attackers who obtain domain admin privileges often deploy malicious Group Policy Objects for code execution across the domain. Event IDs 4016 and 5016 mark the start and successful end of each CSE processing cycle; the log uses the 4xxx/5xxx/6xxx/7xxx series for start, success, warning and error respectively, so the same CSE cycle ending in failure is logged as 7016. The 4016 message and the 5312 "list of applicable Group Policy objects" event carry the GPO display names, identifying exactly which policies were applied and making rogue GPOs visible; 5313 lists GPOs that were filtered out. Scripts CSE processing shows which GPOs delivered logon or startup scripts, which is evidence of persistence via domain-delivered scripts; the script paths themselves live in the GPO's scripts.ini under SYSVOL rather than in this log. Failed processing events (for example domain controller discovery or SYSVOL access errors) can indicate network isolation or tampering with domain communication, both relevant to lateral movement containment analysis. All events belonging to one refresh cycle share a correlation ActivityID, so filtering on it reconstructs the whole cycle.
Tools Required
EvtxECmd (Eric Zimmerman's EVTX parser), PowerShell (Get-WinEvent), gpresult
Collection Commands
EvtxECmd
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx" --csv C:\output\ --csvf gpo_events.csv
PowerShell
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" | Select-Object TimeCreated, Id, LevelDisplayName, ActivityId, Message | Export-Csv C:\output\gpo_operational.csv -NoTypeInformation
gpresult (Command Prompt or PowerShell)
gpresult /H C:\output\gpresult_report.html /F
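The triage script below is an added example, not part of the original page. It pulls the CSE start and success events (4016/5016), the applied and filtered GPO lists (5312/5313) and every 7xxx error-end event from the operational log or an exported .evtx, parses the GPO display names out of the message text, and flags applied GPOs that are not in a baseline. The baseline `$ExpectedGpos` and its default entries are a hypothetical allowlist you would build from a known-good host; the name parser assumes the English message layout (header text, a blank line, then one GPO display name per line); the sample 4016 message is constructed, not captured; and reading the live log requires administrator or Event Log Readers membership.

```powershell
# Added triage script (not from the original page). Pulls CSE start/success
# events (4016/5016), the applied/filtered GPO lists (5312/5313) and every
# 7xxx error-end event from the Group Policy operational log, then flags
# applied GPO display names that are not in a baseline.
# Assumptions: $ExpectedGpos is a hypothetical allowlist built from a
# known-good host; GPO names are parsed from the English message text, whose
# layout ("...Group Policy objects:" header, blank line, one name per line)
# is what the parser relies on. Reading the live log needs admin rights.
param(
    [string]   $EvtxPath,   # exported .evtx; omit to query the live log on this host
    [string[]] $ExpectedGpos = @('Default Domain Policy', 'Local Group Policy')
)

function Get-GpoNamesFromMessage {
    param([Parameter(Mandatory)][string]$Message)
    # 4016, 5312 and 5313 messages end with the GPO display names, one per line,
    # after the first blank line. Anything before that is header text.
    $lines = @($Message -split "`r?`n" | ForEach-Object { $_.Trim() })
    $blank = [array]::IndexOf($lines, '')
    if ($blank -lt 0 -or $blank -ge $lines.Count - 1) { return @() }
    @($lines[($blank + 1)..($lines.Count - 1)] | Where-Object { $_ -ne '' })
}

function Get-GpoEventRecords {
    param([string]$Path)
    # XPath instead of a FilterHashtable Id array: the 7000-7999 range would need
    # hundreds of ORed IDs, while XPath supports range comparisons directly.
    $xpath = '*[System[(EventID=4016 or EventID=5016 or EventID=5312 or EventID=5313 ' +
             'or (EventID>=7000 and EventID<=7999))]]'
    $records = if ($Path) {
        Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue
    } else {
        Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -FilterXPath $xpath -ErrorAction SilentlyContinue
    }
    foreach ($e in $records) {
        # 4xxx = start, 5xxx = success, 6xxx = warning, 7xxx = error end of the same step
        $class = switch ([int][math]::Floor($e.Id / 1000)) {
            4 { 'start' } 5 { 'success' } 6 { 'warning' } 7 { 'error' } default { 'other' }
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Class       = $class
            ActivityId  = $e.ActivityId   # shared by every event of one refresh cycle
            Gpos        = if ($e.Id -in 4016, 5312, 5313) { Get-GpoNamesFromMessage $e.Message } else { @() }
            Summary     = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Constructed sample of a 4016 message (not captured from a real host) so the
# parser can be exercised without access to the log.
$sample = "Starting Scripts Extension Processing. List of applicable Group Policy objects: " +
          "(Changes were detected.)`r`n`r`nDefault Domain Policy`r`nIT-Logon-Scripts"
Write-Host 'Parser check on constructed 4016 message:'
Get-GpoNamesFromMessage -Message $sample

$events  = @(Get-GpoEventRecords -Path $EvtxPath)
$applied = $events | Where-Object Id -eq 5312 | ForEach-Object { $_.Gpos } | Sort-Object -Unique

Write-Host "`nApplied GPOs not in the baseline (candidate rogue GPOs):"
$applied | Where-Object { $_ -notin $ExpectedGpos }

Write-Host "`nGPOs filtered out (5313), to compare against the expected scope:"
$events | Where-Object Id -eq 5313 | ForEach-Object { $_.Gpos } | Sort-Object -Unique

Write-Host "`nProcessing steps that ended in error (7xxx):"
$events | Where-Object Class -eq 'error' |
    Sort-Object TimeCreated | Format-Table TimeCreated, Id, ActivityId, Summary -AutoSize
```

Run it against the live log on the suspect host, or with `-EvtxPath` pointing at a collected copy of Microsoft-Windows-GroupPolicy%4Operational.evtx. Once a suspicious GPO name appears, filter the full log on the matching ActivityId to see every step of that refresh cycle, and cross-check the name against the GPO list on a domain controller, since an attacker can delete the GPO after it has executed.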
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host configuration, and user activity. This log is enabled by default but is small and wraps quickly on busy hosts, so treat absence of an event as inconclusive unless you verified the log was enabled and had not rolled over.
- Centralized log copies may normalize, truncate, or drop fields relative to the original on-host artifact. Preserve the local source when scope and access permit.