You have a Group Policy object (GPO) named Server Audit Policy.

HOTSPOT
You have a Group Policy object (GPO) named Server Audit Policy. The settings of the GPO are shown
in the Settings exhibit. (Click the Exhibit button.)

The scope of the GPO is shown in the Scope exhibit. (Click the Exhibit button.)

The domain contains a group named Group1. The membership of Group1 is shown in the Group1
exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise
select No. Each correct selection is worth one point.

HOTSPOT
You have a Group Policy object (GPO) named Server Audit Policy. The settings of the GPO are shown
in the Settings exhibit. (Click the Exhibit button.)

The scope of the GPO is shown in the Scope exhibit. (Click the Exhibit button.)

The domain contains a group named Group1. The membership of Group1 is shown in the Group1
exhibit. (Click the Exhibit button.)

Select Yes if the statement can be shown to be true based on the available information; otherwise
select No. Each correct selection is worth one point.

Answer:

Show Hint

← Previous question

Next question →

Leave a Reply 20

flitter

Not all answers have been provided?

Nikita

Maybe YNNN?

chaserZX

I thought the same too

UncleJap

I’ve tried on a lab, you’re right!

Nelson

GPO is disabled so NNNN

https://technet.microsoft.com/en-us/library/cc776004%28v=ws.10%29.aspx

Tom

I think you may be looking at the wrong GPO?

Andreas

I think YYNN ?

Dev7

Answer should be YNYN. Look at the GPO, security filtering is enabled which means the GPO is only applied to Server28. Even though User 2 isn’t in Group 1, Server28 will still be audited since the GPO only applies to server 28

Calin

the correct answer is
YNNN
The “(GPO) named Server Audit Policy” audits only Success
and user2 is not in the group1

You’re right! Tested on a lab.

shawn

Audit File System: Success, Failure
Audit Group1: Success
Security Filtering: Server28
Answer: YYYY

mist74

Shawn is right. Think of this as about TWO separate rules invoking auditing.
First rule “Object Access” dosn’t differ WHO is accesing, it does audit when acces results end with success or failure. So it works with any user.
The second criteria is more stricts, it audits only attempts made by Group1 and only successfull ones. But anyway, it does not matter much, first criteria does its job. Result: YYYY

Jason

I believe Nelson is correct, NNNN. Why? Because all of you are overlooking the fact that the answers are in regards to Users…not Computers. And if you look at the GPO for User Configurations, it is disabled. Am I wrong?

BenSolo

Yes you are wrong.
This is a computer policy applied to a server.

The answer is: YNNN

The reason is that the questions asks if ALL succesful and failed attempts are logged.
Since NOT ALL files have a SACL the answer is NO by default.

However the “Global Object Access Auditing” policy is being applied to ALL files.
Since we only enabled “Success” it means the first question is Yes since User1 is member of Group1 which this policy is being applied to.

Short version of this article:
http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx

Object Access\Audit File System:
If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL.

You can check if a file\folder has this setting enabled by going to it’s properties and then the Security Tab followed by the Advanced option and there is the “Auditing Tab”.

Global Object Access Auditing:
This policy setting allows you to apply a comprehensive object access audit policy to every file and folder on the file system for a computer.

LSASS.EXE is the process that handles Windows security auditing.
When the file is opened using GOAA, LSASS also adds to the SACL in memory, then reads it like it had been assigned on the resource directly.