Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012. A local account named Admin1 is a member of the Administrators
group on Server1. You need to generate an audit event whenever Admin1 is denied access to a file or folder.
What should you run?
A.
auditpol.exe /set /user:admin1 /category:"detailed tracking" /failure:enable
B.
auditpol.exe /set /user:admin1 /failure:enable
C.
auditpol.exe /resourcesacl /set /type:keyauditpol.exe /resourcesacl /set /type: /access:ga
D.
auditpol.exe /resourcesacl /set /type:file /user:admin1 /failure
http://technet.microsoft.com/en-us/library/ff625687.aspx
Syntax: auditpol.exe /resourcesacl
Parameter: /set
Argument: /type /user /failure
Answer is D.
I am not sure, but I guess D is correct.
http://technet.microsoft.com/de-de/library/cc755264(v=ws.10).aspx
http://technet.microsoft.com/de-de/library/ff625687(v=ws.10).aspx
With [auditpol.exe /resourcesacl] you can audit only files & folders, and regkeys
>>
/type
The resource for which object access auditing is being configured. The supported argument values are File (for directories and files) and Key (for registry keys).
<<<
With [Auditpol /set … /category:"detailed tracking"] you would audit many more events (Answer A).
In Answer B the syntax is incorrect. [/category] is missing.
In Answer C the [/type] is incorrect. Only "File" and "Key" are accepted.
Answer D does exactly what we want.
https://technet.microsoft.com/en-us/library/ff625687.aspx
There’s a note to the link Researcher posted that says Auditpol resourceSACL only applies to Windows 7 and Windows Server 2008 R2. Server 1 is WinServer2012…
With Answer A, the category chosen is an interesting choice. Under Detailed Tracking in GPM Editor for Adv Audit Policy Config, there are 4 subcategories, and none directly imply that when enabled, they will audit all files and folders, which is what we need to audit with Admin1.
With B, category is missing as XXX pointed out.
Answer is D
From this link: https://technet.microsoft.com/en-us/library/ff625687.aspx,
we can see this example:
Set a global resource SACL to audit successful access attempts by a user on a registry key:
auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success
In our case, type is file
and option is /failure
auditpol /resourceSACL works on Server 2012R2 .. just tried it.
Answer is D
D is incorrect.
https://technet.microsoft.com/en-ca/library/cc755264.aspx
the above link shows that /set has no parameter as /type
/set has the following parameters
Auditpol /set
[/user[:|][/include][/exclude]]
[/category:|[,:<name|…]]
[/success:|][/failure:|]
[/subcategory:|[,:<name|…]]
[/success:|][/failure:|]
[/option: /value: |]
Realized the mistake. D is correct.
auditpol
/resourceSACL
[/set /type: [/success] [/failure] /user: [/access:]]
[/remove /type: /user: [/type:]]
[/clear [/type:]]
[/view [/user:] [/type:]]
I think instead of
auditpol.exe /resourcesacl /set /type:file /user:admin1 /failure
it should be like
auditpol.exe /resourcesacl /set /type:file /failure /user:admin1
/failure should come after /set/type and before /user for proper use.
No, the syntax used in the answer C is correct, as you can see in this example used by Microsoft:
auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW
Reference:
https://technet.microsoft.com/en-us/library/ff625687.aspx
lol none of the answers are correct.
/type value arguments are case sensitive. So /type:file will not work but /type:File will
http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx
but yes D is the most correct
D Correct!
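The /resourceSACL approach discussed in this thread, end to end, as an added example that is not from any of the posters or from Microsoft. It assumes an elevated PowerShell prompt on Server1 and uses /type:File as in the Microsoft example quoted above. The "File System" subcategory step and the event 4656 query are additions: a global resource SACL only produces events while that subcategory is audited, and a denied open is logged as a 4656 audit failure.

```powershell
# Added example: run from an elevated PowerShell prompt on Server1.
$User = 'Admin1'   # local account named in the question

# 1. Enable failure auditing for the File System subcategory. Without it,
#    the global resource SACL set in step 2 generates no events.
auditpol.exe /set /subcategory:"File System" /failure:enable

# 2. Answer D: global resource SACL for files and folders, failures only.
auditpol.exe /resourceSACL /set /type:File /user:$User /failure

# 3. Confirm both settings took effect.
auditpol.exe /resourceSACL /view /type:File /user:$User
auditpol.exe /get /subcategory:"File System"

# 4. List denied file/folder opens by that account.
#    Event 4656 = "A handle to an object was requested";
#    0x10000000000000 is the standard "Audit Failure" keyword.
$AuditFailure = 0x10000000000000
$filter = @{ LogName = 'Security'; Id = 4656; Keywords = $AuditFailure }

Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the <EventData> name/value pairs into a hashtable.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['SubjectUserName'] -eq $User -and $data['ObjectType'] -eq 'File') {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = $data['SubjectUserName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            }
        }
    } | Format-Table -AutoSize

# To undo the global SACL entry for this user:
# auditpol.exe /resourceSACL /remove /type:File /user:$User
```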