HOTSPOT
You have a Group Policy object (GPO) named Server Audit Policy. The settings of the GPO are shown in the
Settings exhibit. (Refer to the Exhibit.)
The scope of the GPO is shown in the Scope exhibit.(Refer to the Exhibit.)
The domain contains a group named Group1. The membership of Group1 is shown in the Group1 exhibit.
(Refer to the Exhibit.)
Select Yes if the statement can be shown to be truebased on the available information; otherwise select No.
Each correct selection is worth one point.
Answer:
Explanation:
Based on the setting in object access to audit all success and failures… the answer should be all yes.
TopCoder is correct. Explanation given with the policy Global Object Access Auditing\File system (on a Server 2012R2 DC)
This setting applies a global system access control list (SACL) to every file and folder. If both a file or folder SACL (see Object Access Policy) and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated when an activity matches either the file or folder SACL or the global SACL.
To configure a global object access policy, you must select Define this policy setting and click Configure to add at least one user or group to the global SACL. You must also enable the Audit File System
agree
Can someone verify this, I am sceptical and have my test tomorrow 🙁
who can tell me the right answer? Thank u for your kindless!
I agree with all yes as it is a computer configuration
I would have thought that because user1 is failing to access and they are part of group1 its not loged so answer would be YNYY
I may missunderstand it, but you generally enable the object auditing for success and failure.
But an alert will only be created if a member of the group access an object with full control successfull
http://newsignature.com/blog/2012/09/21/server-2012-auditing-for-security/
So only answer 1 would be right and all other with no
I agree with this, the audit file system policy enables the auditing for either success or failure but no log entries will be created until an SACL is created. The SACL defines Group one success. So only User 1’s successful file access with be logged, nothing else.
I think it the right answer is YYNN, because this applies only to Group1 which User1 is a member of. It’s true a computer configuration but it applies only to group1. I’m not sure.
the right answer is YNNN ! because as you can see in the exhibit, it is only audit the success logons. I’m sure this time 😉
I agree with YNNN
It clearly states in the image that this policy audits both successful and failed attempts. And has nothing to do with the “logon” audit policy, this is a file auditing system policy, there is a different one for logon. I think the answer should be YYNN.
This setting applies a global system access control list (SACL) to every file and folder. If both a file or folder SACL and a global SACL are configured on a computer, the effective SACL is derived by combining the file or folder SACL and the global SACL. This means that an audit event is generated when an activity matches either the file or folder SACL or the global SACL.
To configure a global object access policy, you must select Define this policy setting and click Configure to add at least one user or group to the global SACL. You must also enable the Audit File System setting under Advanced Audit Policy Configuration\System Audit Policies\Object Access.
The correct answer is YNNN because I demonstrate this question in a lab.
Answer: YYNN.
see setting audit
true
They want to audit successful attempt by Group1 and all others will not be audited. So in this case, its YNNN
YYNN
Yes
Yes
No
No
Yes, No, No, No
You cant prove that the “Object Access” audit will generate an audit event (only principles added to an ACL will trigger an audit event).
Only “Global Object Access” can be proved to generate an audit event (since it audits the whole filesystem regardless).
According to this article https://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx
specifically this comment
However, in cases where you want audit settings to apply only to specified groups of users, you can accomplish this by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL on a folder called Payroll Data to enable auditing on attempts by members of the Payroll Processors OU to delete objects from this folder on Accounting Server 1. The Object Access\Audit File System audit policy setting applies to all of Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
The answer would be Yes, No, No, No.
The policy applies to all of the files (objects) of Server28 but because of the group added to the Global Object Access Auditing it is specifically auditing members of that group.
I think this answer would be YYYY
The Object access – Audit File System Policy is auditing ALL Success and Failures, the Global Object Access auditing is auditing only successful attempts by members of Group1. These 2 policies are combined so all success & failure attempts would be logged. Thus YYYY
Please correct me if I am wrong.
I think it is YNNN
I have tryed it and i do not see any failures for user1 and user2
for user 2 i do not see any thing in the logs…
YNNN
Audit File System: Success, Failure
Audit Group1: Success
Security Filtering: Server28
Answer: YYYY
The answer is: YNNN
The reason is that the questions asks if ALL succesful and failed attempts are logged.
Since NOT ALL files have a SACL the answer is NO by default.
However the “Global Object Access Auditing” policy is being applied to ALL files.
Since we only enabled “Success” it means the first question is Yes since User1 is member of Group1 which this policy is being applied to.
Short version of this article:
http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx
Object Access\Audit File System:
If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL.
You can check if a file\folder has this setting enabled by going to it’s properties and then the Security Tab followed by the Advanced option and there is the “Auditing Tab”.
Global Object Access Auditing:
This policy setting allows you to apply a comprehensive object access audit policy to every file and folder on the file system for a computer.
LSASS.EXE is the process that handles Windows security auditing.
When the file is opened using GOAA, LSASS also adds to the SACL in memory, then reads it like it had been assigned on the resource directly.
why you people are not looking at security filter option????
according to this , the answer should be YYYY.
any 1 here who have gave the exam and verify the answer here???
The security filter has nothing to do with this. The filter just determines who is allowed to receive the policy.
The question asks what TYPE of policy the users will receive based on the configuration.
Look at the actual group policy in the first exhibit:
Auditing Type: Success is being applied to CONTOSO\GROUP1
There is no mention of “Failure”. From here we can conclude that the policy will only audit success types from users in Group1 that log into SERVER28$
Does this make more sense to you?
an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.
Audit on success or failure
Applied to Server28 in the security settings
YYYY
That would be the end of this article. Here you will uncover some websites that we assume youll value, just click the hyperlinks.
although internet sites we backlink to beneath are considerably not related to ours, we really feel they are in fact worth a go as a result of, so have a look
always a major fan of linking to bloggers that I enjoy but really don’t get a great deal of link appreciate from
the time to study or pay a visit to the content material or websites we have linked to below the
usually posts some pretty interesting stuff like this. If youre new to this site
here are some links to websites that we link to because we believe they may be really worth visiting
The info mentioned in the report are some of the best offered