Your network contains an Active Directory domain named contoso.com. All servers run
Windows Server 2012 R2.
The network contains several group Managed Service Accounts that are used by four
member servers.
You need to ensure that if a group Managed Service Account resets a password of a domain
user account, an audit entry is created.
You create a Group Policy object (GPO) named GPO1.
What should you do next?
A.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User
Account Management. Link GPO1 to the Domain Controllers organizational unit (OU).
B.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit User
Account Management. Move the member servers to a new organizational unit (OU). Link
GPO1 to the new OU.
C.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive
Privilege Use. Link GPO1 to the Domain Controllers organizational unit (OU).
D.
In GPO1, configure the Advanced Audit Policy Configuration settings for Audit Sensitive
Privilege Use. Move the member servers to a new organizational unit (OU). Link GPO1 to
the new OU.
Explanation:
Audit User Account Management
This security policy setting determines whether the operating system generates audit events
when the following user account management tasks are performed:
A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or
unlocked.
A user account password is set or changed.
Security identifier (SID) history is added to a user account.
The Directory Services Restore Mode password is set.
Permissions on accounts that are members of administrators groups are changed.
Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing
user accounts.
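In GPO1 the setting lives under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management > Audit User Account Management. Once GPO1 is linked to the Domain Controllers OU, the events appear in the Security log of whichever DC processed the reset, with the gMSA as the Subject and the domain user as the Target. The script below is an added example, not part of the original question or thread; it checks the effective policy on a DC and pulls the password-reset events attributed to a gMSA. It assumes gMSA sAMAccountNames end in `$` (the normal convention) and uses an illustrative seven-day look-back.

```powershell
# Added example, not from the original page. Run on a domain controller
# after GPO1 is linked to the Domain Controllers OU.
# Assumptions: gMSA names end in '$'; the look-back window is illustrative.

# 1. Confirm the subcategory is really enabled on this DC. Use /get, not /set:
#    a local /set would just be overwritten at the next policy refresh.
auditpol /get /subcategory:"User Account Management"

# 2. Pull the events. 4724 = "An attempt was made to reset an account's
#    password" (the case in the question); 4723 = an attempt to change it
#    (the caller knew the old password). Both belong to Audit User Account
#    Management.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Read EventData fields by name rather than by Properties[] index, so the
#    parsing does not break if the field order differs between event IDs.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Id            = $e.Id
        Subject       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Target        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        SubjectIsGMSA = $data.SubjectUserName -like '*$'   # assumption: '$' suffix
        DC            = $e.MachineName
    }
}

# 4. The question's case: a gMSA resetting a domain user's password. The
#    Subject is the account that did the reset, not the member server it ran
#    on, which is why the audit policy belongs on the DCs.
$rows | Where-Object { $_.SubjectIsGMSA -and $_.Id -eq 4724 } |
    Sort-Object Time | Format-Table -AutoSize
```

Because the event is written only on the DC that handled the reset, run this against every DC (for example with `Get-WinEvent -ComputerName`) or forward the Security logs centrally. If `auditpol /get` still reports "No Auditing" after a `gpupdate /force`, check that the legacy category policy is not masking the subcategory; the "Audit: Force audit policy subcategory settings ... to override audit policy category settings" security option must be enabled for Advanced Audit Policy settings to take effect.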
Why can’t it be B?
We need to audit only the four member servers, not all the domain controllers.
It’s always a bad idea to move existing members to a new OU, especially so with privileged access accounts like Managed Service Accounts.
*almost always. Sometimes you have to, but do all you can to avoid moving them. 🙂
It’s not auditing the member servers. It’s auditing the account the member servers use. All accounts are stored in AD, which is stored on the DCs.
In my opinion, the GPO is applied to the Domain Controllers OU because you are auditing domain user account management (not local accounts on member servers). As domain user accounts reside on all DCs and not on member servers, any management of the accounts will take place at the DCs, regardless of where the action was instigated; therefore answer A is correct.
Agreed. The account that changes the user accounts is unimportant. It’s just about auditing password changes of domain users, so user auditing at the DCs.
Agreed – makes the most sense from the answers given
A