Follow these steps to alert when the "Operating System" value changes to a specified version for any Computer object in Active Directory:
- Configure Change Auditor to monitor the "Operating System" value for Active Directory Computer objects:
- Go to "Administration tab", Click "Auditing" on the bottom left-hand corner, and then click "Attributes" under "Active Directory" on the upper left-hand corner
- Highlight "computer" and a list of "Unmonitored Attributes" will be populated in the list below
- Locate and highlight the "operatingsystem" attribute and click the Add button
- Create a Search to locate Changes in operatingsystem
Go to the Searches tab and create a new Search
On the What tab of the Search, click the drop-arrow next to the Add button and select "Event Class"
Locate the "computer operatingSystem changed" event in the list and highlight it
A "Restriction" box will then appear, put a check mark in "Where the new value contains the following text"
In the corresponding field, enter the operating system name as it would appear in Active Directory. For example, the following would be entered to capture any version starting with Windows 10: Windows 10
Click the Add button
Save the Search
Test the Search to ensure expected results are returned