This article explains how to configure event sources (Windows event log channels) on multiple Windows devices using Group Policy and a PowerShell script, so that the sources do not have to be added on each machine individually.
User permissions:
Domain administrator or equivalent privileges to create and edit Group Policy Objects.
Dependencies:
PowerShell script (event_source_add.ps1) with appropriate event sources defined.
The PowerShell execution policy on the client machines must allow the script to run (for example, AllSigned or RemoteSigned with a signed script). Refer to Set-ExecutionPolicy and about_Group_Policy_Settings for more details.
PowerShell script:
Download the PowerShell script file from Zoho Workdrive: https://workdrive.zohoexternal.com/file/4p2s5484ea211168f4fad822da643066e45b9
You can also paste the following script into a text file and save it with a .ps1 extension.
Script:
# Open the EventLog service key for writing. This needs administrative rights, so the script
# must run elevated (for example as SYSTEM from a Computer Configuration startup script).
$key = (Get-Item HKLM:\).OpenSubKey("SYSTEM\CurrentControlSet\Services\EventLog", $true)
# Each subkey name is the full channel name as shown in Event Viewer (the "/" is part of the name).
# CreateSubKey returns the existing key if it is already there, so re-running the script is safe.
$key.CreateSubKey('Microsoft-Windows-GroupPolicy/Operational') | Out-Null
$key.CreateSubKey('Microsoft-Windows-Application-Experience/Program-Inventory') | Out-Null
$key.CreateSubKey('Microsoft-IIS-Configuration/Operational') | Out-Null
$key.CreateSubKey('Microsoft-Windows-PrintService/Operational') | Out-Null
$key.CreateSubKey('Microsoft-Windows-TerminalServices-Gateway/Operational') | Out-Null
$key.Close()
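The script above silently creates whatever key names it is given, so a typo in a channel name (or a channel such as Microsoft-IIS-Configuration/Operational on a host without IIS) leaves a dead key and no trace. The following is an added example, not the article's event_source_add.ps1, of a version that checks each channel is actually registered on the host before creating its key, skips keys that already exist, and writes a log for troubleshooting. The log file path and the channel list are assumptions; it expects to run elevated, as the original does.

```powershell
# Added example: validated, idempotent variant of the event-source script (not the article's own).
# Assumptions: runs elevated (e.g. as SYSTEM from a startup script); $LogFile is an illustrative path.
$ErrorActionPreference = 'Stop'
$LogFile  = 'C:\Windows\Temp\event_source_add.log'   # assumed log location
$Channels = @(
    'Microsoft-Windows-GroupPolicy/Operational',
    'Microsoft-Windows-Application-Experience/Program-Inventory',
    'Microsoft-IIS-Configuration/Operational',
    'Microsoft-Windows-PrintService/Operational',
    'Microsoft-Windows-TerminalServices-Gateway/Operational'
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

$failed = 0
$key = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog', $true)
if ($null -eq $key) { Write-Log 'ERROR cannot open EventLog key for writing (not elevated?)'; exit 1 }
try {
    $existing = $key.GetSubKeyNames()
    foreach ($name in $Channels) {
        # Only register channels the local machine knows about; Get-WinEvent -ListLog
        # raises an error for a name that is not a registered log or channel.
        try { $null = Get-WinEvent -ListLog $name -ErrorAction Stop }
        catch { Write-Log "SKIP   $name (channel not registered on this host)"; continue }

        if ($existing -contains $name) { Write-Log "EXISTS $name"; continue }

        try {
            $sub = $key.CreateSubKey($name)
            $sub.Close()
            Write-Log "ADDED  $name"
        }
        catch {
            Write-Log "FAILED $name : $($_.Exception.Message)"
            $failed++
        }
    }
}
finally {
    $key.Close()
}
# A non-zero exit code surfaces in the Group Policy operational log / scheduler history.
exit $failed
```

Because the subkey names contain a forward slash, the example compares against GetSubKeyNames() rather than building a provider path such as HKLM:\...\EventLog\Microsoft-Windows-GroupPolicy/Operational, which the registry provider may split at the slash.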
Step 1: Create a Group Policy Object:
On a domain controller or an admin machine with the Group Policy Management Console (GPMC) installed, press Windows + R, type gpmc.msc in the Run dialog, and press Enter. This opens the GPMC.
Or, on the domain controller, open Server Manager > Tools > Group Policy Management.
Sample screenshot of PowerShell script for adding event log source:
Copy the full name of the event source from Event Viewer (right-click the log under Applications and Services Logs, choose Properties, and use the value shown as Full Name, for example Microsoft-Windows-GroupPolicy/Operational) and update the CreateSubKey entries in the script accordingly.
Step 5: Apply the Group Policy by running the following command in an elevated Command Prompt on a client machine:
gpupdate /force
To verify that the Group Policy has been applied, run gpresult /r and check that your GPO is listed under Applied Group Policy Objects in the Computer Settings section.
To verify that the script ran on the client, open the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog and check that each subkey named in the script is present. Note that if the script is deployed as a Computer Configuration startup script, it runs only at boot: gpupdate /force refreshes the policy but does not run startup scripts, so restart the client (or run gpupdate /force /boot) before checking the registry.
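Checking the registry by hand does not scale to the pilot group recommended below. The following added example (not part of the article) queries a list of pilot machines over PowerShell remoting and reports which of the expected subkeys are present on each. It assumes WinRM is enabled on the targets and that the caller is an administrator on them; the computer names and channel list are placeholders.

```powershell
# Added example: verify event-source subkeys across a pilot group (not the article's own code).
# Assumptions: WinRM/PowerShell remoting enabled; caller is local admin on the targets;
# $Computers and $Channels are placeholders to replace with real values.
$Computers = 'PILOT-PC01', 'PILOT-PC02'
$Channels  = @(
    'Microsoft-Windows-GroupPolicy/Operational',
    'Microsoft-Windows-Application-Experience/Program-Inventory',
    'Microsoft-Windows-PrintService/Operational'
)

$results = Invoke-Command -ComputerName $Computers -ArgumentList (,$Channels) -ScriptBlock {
    param([string[]]$Channels)
    # Read the subkey names directly; the "/" in channel names is not safe in a provider path.
    $present = (Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog').GetSubKeyNames()
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    foreach ($c in $Channels) {
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Channel   = $c
            KeyExists = ($present -contains $c)
            LastBoot  = $lastBoot   # a startup script cannot have run before this time
        }
    }
}

$results | Sort-Object Computer, Channel | Format-Table Computer, Channel, KeyExists, LastBoot -AutoSize

# Hosts that are missing keys: either the GPO has not applied, the machine has not
# rebooted since the GPO was linked, or the script could not write to HKLM.
$missing = $results | Where-Object { -not $_.KeyExists }
if ($missing) {
    Write-Warning ("{0} expected key(s) missing on: {1}" -f $missing.Count,
        (($missing.Computer | Sort-Object -Unique) -join ', '))
}
```

Comparing LastBoot with the time the GPO was linked separates "not yet rebooted" from "script failed": a host that rebooted after the link and still lacks the keys needs its Group Policy operational log and the script's own log examined.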
Always test your Group Policy Object on a small group before large-scale deployment.
Keep the script versioned and documented for future updates.