How to centralize PowerShell transcript logs
One of the logs that can trace an attacker’s activity is the PowerShell transcript log. Transcript logs are an “over-the-shoulder” record of what happens in a PowerShell session: they capture each command the user ran and any output printed to the console. In this article, I will show how to centralize these logs for machines in Active Directory (AD) so that they are available for investigation if needed.
PowerShell has proven to be an efficient tool for attackers compromising machines: it is present on every Windows machine, it is scriptable, and it is a legitimate tool that system administrators use every day, so its use does not stand out on its own. Thus, it is important to keep an eye on all transcript logs in your network.
The problem
Using Group Policy, it is very simple to turn on transcript logs for any machine: in Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell, enable “Turn on PowerShell Transcription” and provide the path you want the logs written to. Tick “Include invocation headers” as well, so that each command in the transcript carries a timestamp. PowerShell then creates a date-named subfolder under that path and writes one transcript file per session.
My initial thought was just to use a network share as the output directory to centralize the logs easily. The issue with this setup is that PowerShell remoting sessions will not write their transcripts there by default because of the double-hop issue: a remoting session cannot delegate the user’s credentials a second time, so the remote machine cannot authenticate to the share on the user’s behalf. This is solvable with a workaround such as CredSSP or Kerberos constrained delegation, but I didn’t feel it would be worthwhile just for capturing logs.
In addition, local user accounts would not have access to the share without granting permissions I was not comfortable applying. Moreover, any network disruption would stop transcripts from being written to the share while the sessions themselves carried on unlogged.
What I ended up doing was creating a local folder on each machine with strict permissions: any user (local or domain) has write access only and cannot read the contents or delete them. An attacker running as a standard user therefore cannot read or remove the transcripts; one who gains local administrator rights can still take ownership of the folder, so the copy step is what limits how much history can be erased. I then copy the logs daily to a central folder only an admin can access.
Group Policy configuration
In addition to the PowerShell transcription setting I mentioned earlier, I configured a file system setting for the local transcript folder in Computer Configuration > Windows Settings > Security Settings > File System. I chose the folder C:\Windows\PSLogging and gave the “Users” group write permissions only, with inheritance from C:\Windows removed (otherwise the folder would inherit Read & Execute for Users from its parent). I then added a domain security group (in my case “Security Admin”) with read access for copying the transcripts.
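The two Group Policy settings above (the transcription policy and the write-only log folder) can be reproduced locally with PowerShell, which is useful for testing the permissions on one machine before putting the same values into a GPO. The block below is an added example, not the article’s own configuration. It assumes the reader group is CONTOSO\Security Admin (CONTOSO stands in for your domain) and the folder C:\Windows\PSLogging from the article; it additionally gives SYSTEM full control and adds an inheritable OWNER RIGHTS entry, neither of which the article mentions, and explains why in the comments.

```powershell
# Added example (not the article's own code): local equivalent of the transcription
# policy and the write-only transcript folder described above. Run from an elevated
# prompt. Assumptions: domain CONTOSO, reader group "Security Admin"; adjust both.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$LogDir      = 'C:\Windows\PSLogging'
$ReaderGroup = 'CONTOSO\Security Admin'     # assumption: your domain and group name

# --- 1. Turn on transcription: the same registry values the GPO writes ---
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $policy -Force | Out-Null
New-ItemProperty -Path $policy -Name EnableTranscripting    -PropertyType DWord  -Value 1       -Force | Out-Null
New-ItemProperty -Path $policy -Name EnableInvocationHeader -PropertyType DWord  -Value 1       -Force | Out-Null
New-ItemProperty -Path $policy -Name OutputDirectory        -PropertyType String -Value $LogDir -Force | Out-Null

# --- 2. Create the folder with an explicit, non-inherited ACL ---
New-Item -Path $LogDir -ItemType Directory -Force | Out-Null

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Helper: an Allow ACE that applies to the folder, its subfolders and its files.
function New-Ace([System.Security.Principal.IdentityReference]$Who,
                 [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $inherit, $none, $allow)
}

$users  = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')
$system = New-Object System.Security.Principal.NTAccount('NT AUTHORITY', 'SYSTEM')
$reader = New-Object System.Security.Principal.NTAccount($ReaderGroup)
$owner  = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')   # OWNER RIGHTS

$acl = Get-Acl -Path $LogDir
# Stop inheriting from C:\Windows and drop the inherited ACEs (Users would otherwise
# keep Read & Execute on the folder).
$acl.SetAccessRuleProtection($true, $false)
# Assumption: SYSTEM keeps full control so scheduled tasks and GPO can manage the folder.
$acl.AddAccessRule((New-Ace $system FullControl))
# Users: create files/folders and append data only; no ReadData, no Delete.
$acl.AddAccessRule((New-Ace $users  Write))
# Reader group: list and read, which is all that copying the transcripts needs.
$acl.AddAccessRule((New-Ace $reader Read))
# The user who creates a transcript owns that file, and an owner normally gets
# READ_CONTROL and WRITE_DAC implicitly, i.e. could grant itself Delete on its own
# transcript. An inheritable OWNER RIGHTS ACE replaces those implicit rights with
# exactly the rights listed here (read the permissions, change nothing).
$acl.AddAccessRule((New-Ace $owner ReadPermissions))
Set-Acl -Path $LogDir -AclObject $acl

# --- 3. Sanity check: Users must not end up with any read, list or delete right ---
function Test-WriteOnlyFolder([string]$Path) {
    $forbidden = [System.Security.AccessControl.FileSystemRights]'ReadData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights -band [int]$forbidden) -ne 0)
    }
    return (@($bad).Count -eq 0)
}
if (-not (Test-WriteOnlyFolder $LogDir)) { throw "Users still have read/delete rights on $LogDir" }

# --- 4. Functional check: a new PowerShell session should now drop a transcript ---
powershell.exe -NoProfile -Command 'Get-Date' | Out-Null
Get-ChildItem -Path $LogDir -Recurse -Filter 'PowerShell_transcript*.txt' |
    Select-Object FullName, Length, LastWriteTime
```

The registry values written in step 1 are the same ones the GPO sets, so a Group Policy that defines them will overwrite them at the next refresh, which is the intended end state. Local Administrators get no explicit entry on purpose: they can still take ownership of the folder, which is exactly why the daily copy to the central location matters.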