'After modification GPLink dicitonnary
Set GPLinkdict = CreateObject("Scripting.Dictionary")
'Before modification GPLink dicitonnary
Set GPLinkdictLAG = CreateObject("Scripting.Dictionary")

'strGPLinkAfter is the GPLink value after modification, you retrieved it with the event log
'under Windows 2008 and with an LDAP request on the where DC the modification occurred under Windows 2003

if instr(strGPLinkAfter,"]") <> 0 then
OUModifiedGPLINK = split(strGPLinkAfter,"]")
For i = UBound(OUModifiedGPLINK) -1 to LBound(OUModifiedGPLINK) Step -1
GPOLinkstatus = split(OUModifiedGPLINK(i),";")
GPLinkdict.add GPOLinkstatus(0),GPOLinkstatus(1)
Next
End if


'strGPLinkBefore is the GPLink value before modification, you retrieved it with the event log
'under Windows 2008 and with an LDAP request on the LAG DC under Windows 2003


if instr(strGPLinkBefore,"]") <> 0 then
OUModifiedGPLINKLAG = split(strGPLinkBefore,"]")
For j = UBound(OUModifiedGPLINKLAG)-1 to LBound(OUModifiedGPLINKLAG) Step -1
GPOLinkstatusLAG = split(OUModifiedGPLINKLAG(j),";")
GPLinkdictLAG.add GPOLinkstatusLAG(0),GPOLinkstatusLAG(1)
Next
End if
</pre>

Maintenant nous allons parcourir le dictionnaire GPLinkdict contenant les clefs et valeurs après modification et les comparer aux clefs et valeurs de l'autre dictionnaire. Si nous voyons que une des clefs parcourue n'existe pas dans le dictionnaire GPLinkdictLAG alors un lien de GPO vient d'être créé. Si pour une clef identique la valeur a changé alors l'état du lien de GPO à changé, si l'on passe de 0 ou 2 à 1 ou 3 alors la GPO a été désactivée. Avec ce script nous allons pouvoir avoir la création de nouveau lien de GPO et la modification d'état d'un lien:

<pre lang="vb">

'The DC where the modification was recorded, retrieved with eventlog
dcsource = "DCSOURCENAME"

'OU/Site/Domain name where GPO Link was modified, retrieved with eventlog
OUName = "OUName"

'User who made the modication, retrieved with eventlog
Username = "UsernName"

For Each oGPLinkdict in GPLinkdict
	If Not GPLinkdictLAG.Exists(oGPLinkdict) Then

	Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
	DNobjGPOd = objGPOd.Get("DisplayName")
	Msgbox Username&" created a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value: "&GPLinkdict.Item(oGPLinkdict)
	
	Else 
		If GPLinkdictLAG.Item(oGPLinkdict) <> GPLinkdict.Item(oGPLinkdict) then

			if (GPLinkdictLAG.Item(oGPLinkdict) = 0 OR GPLinkdictLAG.Item(oGPLinkdict) = 2) AND (GPLinkdict.Item(oGPLinkdict) =1 OR GPLinkdict.Item(oGPLinkdict) = 3) then

			Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
			DNobjGPOd = objGPOd.Get("DisplayName")
			Msgbox Username&" disabled a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value Before: "&GPLinkdictLAG.Item(oGPLinkdict)&"  / Link Value After: "&GPLinkdict.Item(oGPLinkdict)
				
			Else

			Set objGPOd = GetObject(split(replace(oGPLinkdict,"LDAP://","LDAP://"&dcsource&"/"),"[")(1))
			DNobjGPOd = objGPOd.Get("DisplayName")
			Msgbox Username&" enabled a link on this object: "& OUName &"  / GPOName: "&DNobjGPOd & "  / Link Value Before: "&GPLinkdictLAG.Item(oGPLinkdict)&"  / Link Value After: "&GPLinkdict.Item(oGPLinkdict)

			End if


		End if 
	End if
Next