diff --git a/Terraform/main.tf b/Terraform/main.tf
index 1e2dcb6..dc30ae6 100644
--- a/Terraform/main.tf
+++ b/Terraform/main.tf
@@ -189,6 +189,17 @@ resource "aws_instance" "logger" {
 resource "aws_instance" "dc" {
 instance_type = "t2.medium"
+ provisioner "remote-exec" {
+ inline = ["choco install -force -y winpcap"]
+
+ connection {
+ type = "winrm"
+ user = "vagrant"
+ password = "vagrant"
+ host = coalesce(self.public_ip, self.private_ip)
+ }
+ }
+
 # Uses the local variable if external data source resolution fails
 ami = coalesce(var.dc_ami, data.aws_ami.dc_ami.image_id)
@@ -208,6 +219,17 @@ resource "aws_instance" "dc" {
 resource "aws_instance" "wef" {
 instance_type = "t2.medium"
+ provisioner "remote-exec" {
+ inline = ["choco install -force -y winpcap"]
+
+ connection {
+ type = "winrm"
+ user = "vagrant"
+ password = "vagrant"
+ host = coalesce(self.public_ip, self.private_ip)
+ }
+ }
+
 # Uses the local variable if external data source resolution fails
 ami = coalesce(var.wef_ami, data.aws_ami.wef_ami.image_id)
@@ -227,6 +249,17 @@ resource "aws_instance" "wef" {
 resource "aws_instance" "win10" {
 instance_type = "t2.medium"
+ provisioner "remote-exec" {
+ inline = ["choco install -force -y winpcap"]
+
+ connection {
+ type = "winrm"
+ user = "vagrant"
+ password = "vagrant"
+ host = coalesce(self.public_ip, self.private_ip)
+ }
+ }
+
 # Uses the local variable if external data source resolution fails
 ami = coalesce(var.win10_ami, data.aws_ami.win10_ami.image_id)
diff --git a/Vagrant/Vagrantfile_Minimum b/Vagrant/Vagrantfile_Minimum
deleted file mode 100644
index 404791f..0000000
--- a/Vagrant/Vagrantfile_Minimum
+++ /dev/null
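Review bot: The new `connection` blocks in the dc, wef and win10 resources (all three hunks of this file) send the fixed `vagrant`/`vagrant` credentials over WinRM with no transport settings, which for Terraform's winrm connection means plain HTTP on the default port, and because `host` prefers `self.public_ip` that exchange crosses the Internet whenever the instance has a public address. Consider adding `https = true` to each connection (with `insecure = true` only if the listener certificate cannot be validated), or using `self.private_ip` where the runner has VPC access, and replacing the three literal passwords with one variable, e.g. `password = var.winrm_password` (name is a proposal). The provisioner and connection block are pasted verbatim into all three resources, so any later change has to be made three times; factoring them through a local keeps the copies consistent. Note also that `remote-exec` runs only when the instance is created, so instances that already exist will not receive winpcap on the next `apply`.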
@@ -1,174 +0,0 @@
-Vagrant.configure("2") do |config|
-
- config.vm.define "logger" do |cfg|
- cfg.vm.box = "bento/ubuntu-16.04"
- cfg.vm.hostname = "logger"
- config.vm.provision :shell, path: "bootstrap.sh"
- cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
-
- cfg.vm.provider "vmware_desktop" do |v, override|
- v.vmx["displayname"] = "logger"
- v.memory = 4096
- v.cpus = 2
- v.gui = true
- end
-
- cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
- vb.name = "logger"
- vb.customize ["modifyvm", :id, "--memory", 4096]
- vb.customize ["modifyvm", :id, "--cpus", 2]
- vb.customize ["modifyvm", :id, "--vram", "32"]
- vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
- vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
- vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
- end
- end
-
- config.vm.define "dc" do |cfg|
- cfg.vm.box = "detectionlab/win2016"
- cfg.vm.hostname = "dc"
- cfg.vm.boot_timeout = 600
- cfg.winrm.transport = :plaintext
- cfg.vm.communicator = "winrm"
- cfg.winrm.basic_auth_only = true
- cfg.winrm.timeout = 300
- cfg.winrm.retry_limit = 20
- cfg.vm.network :private_network, ip: "192.168.38.102", gateway: "192.168.38.1"
-
- cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "192.168.38.102"
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "reload"
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-ou.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-wef-gpo.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-powershelllogging.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-AuditingPolicyGPOs.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-rdp-user-gpo.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-disable-windows-defender-gpo.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
- cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
-
- cfg.vm.provider "vmware_desktop" do |v, override|
- v.vmx["displayname"] = "dc.windomain.local"
- v.memory = 3072
- v.cpus = 2
- v.gui = true
- v.enable_vmrun_ip_lookup = false
- end
-
- cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
- vb.name = "dc.windomain.local"
- vb.default_nic_type = "82545EM"
- vb.customize ["modifyvm", :id, "--memory", 3072]
- vb.customize ["modifyvm", :id, "--cpus", 2]
- vb.customize ["modifyvm", :id, "--vram", "32"]
- vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
- vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
- end
- end
-
- config.vm.define "wef" do |cfg|
- cfg.vm.box = "detectionlab/win2016"
- cfg.vm.hostname = "wef"
- cfg.vm.boot_timeout = 600
- cfg.vm.communicator = "winrm"
- cfg.winrm.basic_auth_only = true
- cfg.winrm.timeout = 300
- cfg.winrm.retry_limit = 20
- cfg.vm.network :private_network, ip: "192.168.38.103", gateway: "192.168.38.1", dns: "192.168.38.102"
-
- cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.103 -dns 192.168.38.102"
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "reload"
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
- cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-windows_ta.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/configure-pslogstranscriptsshare.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
- cfg.vm.provision "shell", inline: "Set-SmbServerConfiguration -AuditSmb1Access $true -Force", privileged: false
-
- cfg.vm.provider "vmware_desktop" do |v, override|
- v.vmx["displayname"] = "wef.windomain.local"
- v.memory = 2048
- v.cpus = 2
- v.gui = true
- v.enable_vmrun_ip_lookup = false
- end
-
- cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
- vb.name = "wef.windomain.local"
- vb.default_nic_type = "82545EM"
- vb.customize ["modifyvm", :id, "--memory", 2048]
- vb.customize ["modifyvm", :id, "--cpus", 2]
- vb.customize ["modifyvm", :id, "--vram", "32"]
- vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
- vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
- end
- end
-
- config.vm.define "win10" do |cfg|
- cfg.vm.box = "detectionlab/win10"
- cfg.vm.hostname = "win10"
- cfg.vm.boot_timeout = 600
- cfg.vm.communicator = "winrm"
- cfg.winrm.basic_auth_only = true
- cfg.winrm.timeout = 300
- cfg.winrm.retry_limit = 20
- cfg.vm.network :private_network, ip: "192.168.38.104", gateway: "192.168.38.1", dns: "192.168.38.102"
-
- cfg.vm.provision "shell", path: "scripts/fix-second-network.ps1", privileged: false, args: "-ip 192.168.38.104 -dns 192.168.38.102"
- cfg.vm.provision "shell", path: "scripts/MakeWindows10GreatAgain.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "reload"
- cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
- cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
- cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-osquery.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-inputsconf.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-sysinternals.ps1", privileged: false
- cfg.vm.provision "shell", path: "scripts/install-autorunstowineventlog.ps1", privileged: false
-
- cfg.vm.provider "vmware_desktop" do |v, override|
- v.vmx["displayname"] = "win10.windomain.local"
- v.vmx["gui.fullscreenatpoweron"] = "FALSE"
- v.vmx["gui.viewModeAtPowerOn"] = "windowed"
- v.memory = 2048
- v.cpus = 1
- v.gui = true
- v.enable_vmrun_ip_lookup = false
- end
-
- cfg.vm.provider "virtualbox" do |vb, override|
- vb.gui = true
- vb.name = "win10.windomain.local"
- vb.default_nic_type = "82545EM"
- vb.customize ["modifyvm", :id, "--memory", 2048]
- vb.customize ["modifyvm", :id, "--cpus", 1]
- vb.customize ["modifyvm", :id, "--vram", "32"]
- vb.customize ["modifyvm", :id, "--clipboard", "bidirectional"]
- vb.customize ["setextradata", "global", "GUI/SuppressMessages", "all" ]
- end
- end
-end
diff --git a/Vagrant/bootstrap.sh b/Vagrant/bootstrap.sh
index c01d798..1e1279f 100644
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -108,7 +108,8 @@ install_splunk() {
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
 /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
- /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_134.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
+ /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'
 # Uncomment the following block to install BOTSv2
 # Thanks to @MHaggis for this addition!
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
old mode 100644
new mode 100755
index 9b40820..b4f25f3
--- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml
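Review bot: The newly added install of `link-analysis-app-for-splunk_161.tgz` (and the bumped `threathunting_141.tgz`) pulls a vendored binary archive into the Splunk server with nothing in the script recording where the archive came from or what it should hash to, so a reviewer cannot tell a legitimate app update from a tampered blob. A one-line provenance comment above the new install, such as `# link-analysis-app-for-splunk 1.6.1 from Splunkbase, sha256 <SHA256_OF_TGZ>` (placeholder to be filled in), and a matching `sha256sum -c` before the install would make the artifact verifiable. Both new lines also follow the existing pattern of not checking the command's exit status; unless `install_splunk` runs under `set -e` (its body starts and ends outside this hunk), a failed install is silently skipped, so something like `|| echo "link-analysis app install failed"` after each new line would at least surface it in the provisioning log.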
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/manifest.xml @@ -1 +1 @@ - \ No newline at end of file + \ No newline at end of file diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml deleted file mode 100644 index 42ad845..0000000 --- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/Backup.xml +++ /dev/null @@ -1,20 +0,0 @@ - - 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 db e9 9a d1 f4 b8 d3 7a d7 39 83 51 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml deleted file mode 100644 index 3418a56..0000000 --- a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/bkupInfo.xml +++ /dev/null @@ -1 +0,0 @@ - 
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml deleted file mode 100644 index e187877..0000000 Binary files a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/gpreport.xml and /dev/null differ diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml new file mode 100644 index 0000000..d35589a --- /dev/null +++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/Backup.xml @@ -0,0 +1,20 @@ + + 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00 + + + + + + + + + + + + + + + + + + \ No newline at end of file 
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/Preferences/Registry/Registry.xml
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/comment.cmtx
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/comment.cmtx
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/comment.cmtx
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
similarity index 91%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
index f44ee35..30730f1 100644
Binary files a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf differ
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/registry.pol
similarity index 100%
rename from Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{3F2B9314-2D8F-452F-91CE-F9F13B04BA2C}/DomainSysvol/GPO/Machine/registry.pol
rename to Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/DomainSysvol/GPO/Machine/registry.pol
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml
new file mode 100644
index 0000000..7e2d87c
--- /dev/null
+++ b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/bkupInfo.xml
@@ -0,0 +1 @@
+
diff --git a/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml
new file mode 100644
index 0000000..00be37a
Binary files /dev/null and b/Vagrant/resources/GPO/Domain_Controllers_Enhanced_Auditing_Policy/{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}/gpreport.xml differ
diff --git a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml b/Vagrant/resources/GPO/disable_windows_defender/manifest.xml
index b7030ee..2382df2 100755
--- a/Vagrant/resources/GPO/disable_windows_defender/manifest.xml
+++ b/Vagrant/resources/GPO/disable_windows_defender/manifest.xml
@@ -1 +1 @@
-
\ No newline at end of file
+
\ No newline at end of file
diff --git a/Vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz b/Vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz
new file mode 100644
index 0000000..b714760
Binary files /dev/null and b/Vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz differ
diff --git a/Vagrant/resources/splunk_server/threathunting_134.tgz b/Vagrant/resources/splunk_server/threathunting_134.tgz
deleted file mode 100644
index 6474a9d..0000000
Binary files a/Vagrant/resources/splunk_server/threathunting_134.tgz and /dev/null differ
diff --git a/Vagrant/resources/splunk_server/threathunting_141.tgz b/Vagrant/resources/splunk_server/threathunting_141.tgz
new file mode 100644
index 0000000..53343e3
Binary files /dev/null and b/Vagrant/resources/splunk_server/threathunting_141.tgz differ