The customer requested to retrieve an audit log for a previous Group Policy Object (GPO) un-protection action.
Investigation confirmed that at the time of the change, the GPO was not listed under the Protection page, and auditing was not enabled for that GPO in Change Auditor.
Since Change Auditor only records changes while auditing is active, no historical record exists for this event.
Navigate to Administration → Protection in the Change Auditor client and verify that critical GPOs are listed and protected.
Enable auditing for those GPOs to ensure that all future protection/un-protection actions are captured.
Inform the customer that, because auditing was disabled at the time of the change, the event cannot be retrieved.
Recommend configuring alert rules in Change Auditor for “GPO protection removed/un-protection” to proactively monitor similar changes going forward.
