Your network contains an Active Directory domain named adatum.com. You need to audit changes to the files in the SYSVOL shares on all of the domain controllers. The solution must minimize the amount of SYSVOL replication traffic caused by the audit. Which two settings should you configure? (Each correct answer presents part of the solution. Choose two.)
A. Audit Policy\Audit system events
B. Advanced Audit Policy Configuration\DS Access
C. Advanced Audit Policy Configuration\Global Object Access Auditing
D. Audit Policy\Audit object access
E. Audit Policy\Audit directory service access
F. Advanced Audit Policy Configuration\Object Access
Nope my dear friends. It’s B and F. BTW Advanced auditing and regular auditing cannot be combined.
As always, another stupid trivia question from MS. It took me 10 seconds to google “sysvol audit gpo”. Why should anyone memorize this, when googling it is so easy?
http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx
http://blogs.msdn.com/b/canberrapfe/archive/2012/05/02/auditing-group-policy-changes.aspx
Is there anyone that has passed the exam already and has had this question with D&F or B&F?
Normally SysAdmin is right and when you check out the links you will see he is kinda right. 🙂
“Basic audit policy is !not compatible! with advanced audit policy settings that are applied by using Group Policy in Windows Server 2008 R2 and Windows 7.” – The answer D&F is not possible.
When you read the whole link you will see it should be Advanced Auditing 🙂
For Global Object Audit Access to work, Object Access\Audit File System or Object Access\Audit Registry must also be enabled for success/failure auditing.
https://www.petri.com/configure-global-object-access-auditing-windows-server
Answer B is not relevant, as the question is not on AD object access.
The key point is “The solution must minimize the amount of SYSVOL replication traffic caused by the audit”. Setting SACLs on Sysvol\Domain folder and subfolders and files is not an option, as it touches all files and folders and causes replication traffic. This makes answer C more relevant.
Answer is C,F.
https://social.technet.microsoft.com/Forums/exchange/en-US/6cfbd7c1-56ad-4fe8-9677-a25f2b74b13b/global-object-access-auditing-test-question?forum=winserver8gen
I tend to agree that the correct answers are C & F. To me the key to this question is:
“You need to audit changes to the files in the SYSVOL shares on all of the domain controllers.”
So they are asking specifically about the shares found in SYSVOL, which is something completely separate from DS information.
For file system auditing, I found this:
https://technet.microsoft.com/en-us/library/dd772726(v=ws.10).aspx
Correct, and there is a big clue in the question! Why would you need to select two auditing categories for a file audit?
The only reason can be to enable Global Object Access (to tag file SACLs in memory and avoid replication by modifying the file SACL on disk) AND Advanced Object Access for the file system audit.
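The combination argued for in the comments above (Object Access\Audit File System plus a Global Object Access Auditing file SACL), shown as an added example that is not from any poster in this thread. It uses `auditpol` locally on one domain controller as the equivalent of the two Group Policy settings; the audited principal `Everyone` and the write-only access mask are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on a domain controller.
# Assumption: audit write access by 'Everyone'. Narrow the principal as needed.
$AuditPrincipal = 'Everyone'

# 1. Advanced Audit Policy Configuration\Object Access (option F):
#    enable the File System subcategory so file access events are generated.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Advanced Audit Policy Configuration\Global Object Access Auditing (option C):
#    define a computer-wide file SACL. It is held in policy, so no SACL is
#    written to the files and folders under SYSVOL on disk.
auditpol /resourceSACL /set /type:File "/user:$AuditPrincipal" /success /failure /access:FW

# 3. Confirm both settings are in effect.
auditpol /get /subcategory:"File System"
auditpol /resourceSACL /type:File /view

# 4. Review recent file access events (Event ID 4663) that reference SYSVOL.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\SYSVOL\\' } |
    Select-Object -First 20 TimeCreated, Id, Message
```

A global file SACL applies to every file on the computer, not only SYSVOL, so expect Security log volume to rise and size the log accordingly.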
I think we all agree that F will audit changes to SYSVOL shares, so F is one half of the answer. The other half should satisfy the other requirement: “minimize the amount of SYSVOL replication traffic caused by the audit.” None of the proposed answers seems to apply.