You need to ensure that an entry is added to the event log whenever a local user account is created or deleted on Server1

Your network contains an Active Directory domain named contoso.com. The domain
contains a file server named Server1 that runs Windows Server 2012 R2.

You view the effective policy settings of Server1 as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that an entry is added to the event log whenever a local user account is
created or deleted on Server1.
What should you do?

A. In Servers GPO, modify the Advanced Audit Configuration settings.

B. On Server1, attach a task to the security log.

C. In Servers GPO, modify the Audit Policy settings.

D. On Server1, attach a task to the system log.

Explanation:

When you use Advanced Audit Policy Configuration settings, you need to confirm that these settings are not overwritten by basic audit policy settings. The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.

Enabling Advanced Audit Policy Configuration

Basic and advanced audit policy configurations should not be mixed. As such, it's best practice to enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.

In Windows 7 and Windows Server 2008 R2, the number of audit settings for which success and failure can be tracked has increased to 53. Previously, there were nine basic auditing settings under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. These 53 new settings allow you to select only the behaviors that you want to monitor and exclude audit results for behaviors that are of little or no concern to you, or behaviors that create an excessive number of log entries. In addition, because Windows 7 and Windows Server 2008 R2 security audit policy can be applied by using domain Group Policy, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.

Audit Policy settings

- Any changes to user account and resource permissions.
- Any failed attempts for user logon.
- Any failed attempts for resource access.
- Any modification to the system files.

Advanced Audit Configuration Settings

Audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.

In Servers GPO, modify the Audit Policy settings – enabling audit account management setting will generate events about account creation, deletion and so on.

Advanced Audit Configuration Settings -> Audit Policy -> Account Management -> Audit User Account Management
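
A way to verify on the server itself which audit policy is actually in effect and whether account creation and deletion are being logged, as an added example that is not part of the original page. It assumes an elevated PowerShell session, an English-language system (for the subcategory name), the SCENoApplyLegacyAuditPolicy value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and Security log event IDs 4720 (user account created) and 4726 (user account deleted).

```powershell
# Added example: run elevated on the server being checked (Server1 in the question).

# 1. Is "Force audit policy subcategory settings" set?
#    1 = basic (category) audit policy is not applied, 0 = it can be applied.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($null -eq $force) { 'SCENoApplyLegacyAuditPolicy: value not present in the registry' }
else                  { "SCENoApplyLegacyAuditPolicy = $force" }

# 2. Effective setting of the subcategory, whichever policy (basic or advanced) produced it.
#    /r prints CSV; blank lines are dropped before parsing.
$ua = auditpol /get /subcategory:"User Account Management" /r |
        Where-Object { $_ } | ConvertFrom-Csv
"User Account Management: $($ua.'Inclusion Setting')"

# Creation and deletion are success events, so "Failure" alone or "No Auditing" logs nothing.
if ($ua.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning 'Success auditing is off: account creation/deletion will not be logged.'
}

# 3. Recent create/delete events from the Security log.
#    For a local account the target domain is the computer name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4726 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $e    = $_
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Action  = if ($e.Id -eq 4720) { 'created' } else { 'deleted' }
            Account = '{0}\{1}' -f $data.TargetDomainName,  $data.TargetUserName
            By      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        }
    }
```

Running it before and after a gpupdate shows whether a GPO change actually altered the effective subcategory setting.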

http://blogs.technet.com/b/abizerh/archive/2010/05/27/tracing-down-user-and-computeraccount-deletion-in-active-directory.aspx
http://technet.microsoft.com/en-us/library/dd772623%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
http://www.petri.co.il/enable-advanced-audit-policy-configuration-windows-server.htm
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx
http://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx#BKMK_step2




John B

the answer is C

JohnyBoy

Remember: We are talking about a Local User account.

Jim

Why is the answer A? Surely enabling “Success” under “Audit Account Management” under standard Audit Policy would log account creation events?

Aleksiej

C is correct. Advanced Auditing is not enabled and not working. “Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.”

Registry key SCENoApplyLegacyAuditPolicy is not set. On the screen we can see Basic Audit settings result.

den

you are wrong because the default setting is “enabled”, you do not have to set it up:
https://technet.microsoft.com/en-us/library/jj852246.aspx

Further, as soon as you use Advanced Auditing, all the basic settings will be overridden. Even “not configured” settings, so Basic settings will be reset to “not configured”!
I tested in lab…

someone

Tested and appears to be A.

I tested this on:
– one dc, one member server in OU1
– created GPO, linked to OU1, modified audit policy (not advanced)
– ran gpupdate on member server, created a local account on member server, no event id
– changed GPO from acct management in audit policy to acct management under advanced audit policy
– ran gpupdate, deleted the local account and the event id showed up

B-Art

All those in favor of “Basic Audit”, think(!) again:
“The following procedure shows how to prevent conflicts by blocking the application of any basic audit policy settings.”

In Servers GPO, modify the Audit Policy settings – enabling audit account management
setting will generate events about account creation, deletion and so on.
Advanced Audit Configuration Settings
Advanced Audit Configuration Settings ->Audit Policy
-> Account Management -> Audit User Account Management

It is correctly explained…. The answer is A.

David

Agreed, the show answer pretty much provides the perfect answer.

robber

we see 9 policies instead of the 53 advanced ones, so they show us the basic auditing.

pro C: because you’ve already enabled “failure” logging on the basic part and you shouldn’t mix basic and advanced audit policies. There’s no mention that basic auditing is blocked.

A. would offer more granularity, so you wouldn’t enable logging of all accounting stuff, just the user part.

I go for C with the given information.

Ninja

I don’t understand why it would be A based on the info we are given.

den

I also tested it and found out:
once you start using Advanced Audit Configuration then it will override the Audit Policy configuration. At first it also looked OK for me just modifying the Audit Policy. But after using the Advanced thing I was not able to get the Audit Policy settings back working.
Advanced will even override the basic stuff if all settings there are set to “not configured”! And it is also not possible to revert that, so take care with this p.o.s…

therefore as they are showing that Advanced config is already being used: provided answer is correct

winsock20

I am going “C”
https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx#BKMK_step2
Advanced gets overwritten according to MS. You would think it would be the other way around but not according to MS docs.
Question doesn’t say they took correct steps to disable basic before implementing advanced. If they stated that I would go with “A”
I know it goes against what Den and others see but it is according to MS docs and gives you ammo to challenge.