You are the Exchange administrator for organisation Fabrikam. The network consists of a single Active Directory domain named fabrikam.com.
The network contains nine Exchange Server 2003 computers running on Microsoft Windows Server 2003 member servers.
All Exchange servers are in a single organizational unit (OU) named Exchange Servers. Only the Exchange server computer objects are contained in the Exchange Servers OU.
Users in a group named Exchange Admins are exclusively responsible for managing the Exchange organization.
No other group, including the Enterprise Admins and Domain Admins groups, has permissions to manage the Exchange organization.
You discover that the Domain Admins group is in the membership list of the Exchange Admins group.
You need to ensure that any changes to group membership that would allow access to manage the Exchange organization are recorded.
What should you do?
A.
Configure the Default Domain Controllers Policy to include auditing successful policy change events.
B.
Create a Group Policy object (GPO) on the Exchange Servers OU to audit successful policy change events.
C.
Create a Group Policy object (GPO) on the Exchange Servers OU to audit successful policy change events.
D.
Create a Group Policy object (GPO) on the Exchange Servers OU to audit successful directory service access events.
Explanation:
Directory Service Access is a very general category. Basically, it refers to any time a user changes an Active
Directory object in this way we can see who add Domain Admins group to membership list of the Exchange
Admins group. This need to be done to domain level access by default is not policy settings audit are not set in
member server, doing this to domain level Exchange OU will inherit this setting The Account Policies security
area receives special treatment in how it takes effect on computers in the domain. All DCs in the domain receive
their account policies from GPOs configured at the domain node regardless of where the computer object for
the DC is. This ensures that consistent account policies are enforced for all domain accounts. All non-DC
computers in the domain follow the normal GPO hierarchy for getting policies for the local accounts on those
computers. By default, member workstations and servers enforce the policy settings configured in the domain
GPO for their local accounts, but if there is another GPO at lower scope that overrides the default settings, then
those settings will take effect. These GPOs, once created, are applied in a standard order: LSDOU, which stands
for (1) Local, (2) Site, (3) Domain, (4) OU